Rudy’s Corrupted Devices

In a remarkable set of filings, Robert Costello — Rudy Giuliani’s defense attorney and a key player in the effort to package up a doctored laptop and pitch it as Hunter Biden’s — has provided an explanation for why his client wasn’t charged for doing the bidding of Russian-backed Ukrainians without registering as a foreign agent: Because many of the devices seized on April 28, 2021 were “corrupted” (his word).

Here are the filings:

  • Joe Sibley’s response to Ruby Freeman’s motion for sanctions
  • Robert Costello’s declaration purporting to describe the Special Master process in Rudy’s Ukraine influence-peddling case
  • A nolo contendere declaration from Rudy stipulating that he will not contest that he made the defamatory statements about Ruby Freeman and Shaye Moss or that the statements were false, but preserving his ability to argue the statements were opinion or otherwise protected speech

No contest that Rudy lied

The last of these, Rudy’s nolo contendere declaration, may be an attempt to put all these discovery disputes behind him by simply stipulating that the information he would have turned over had he complied with discovery would show that he made the defamatory claims about Freeman and Moss and there was no basis for them. His stipulation is limited to this case, so could not be used in an 18 USC 241 case against him.

Rudy is attempting to stop digging himself deeper in a hole.

Let’s see where we might go if we dig further, shall we?

Costello blames the government contractor for “corrupting” Rudy’s devices

Costello’s declaration claims that he encountered numerous technical problems with the data on the devices, and attributes those problems to the government’s vendor. Based on having blamed the government’s discovery vendor for any technical problems, he claims it is impossible for Rudy to have spoiled any of the materials on the phones.

In reviewing the materials, I encountered numerous non-user generated files and what I referred to as computer gibberish. In addition, there were many emails that contained the header with the sender and recipient addresses, but no text in the body of the email. With respect to this material, in September and October of 2021, I made inquiries of the Special Master’s electronic discovery people, and they informed me that this was exactly how they received the electronic materials. The Special Master’s lawyers informed me that they had made similar inquiries to the Government and the Government reported that any errors in the production of the electronic data, would have occurred when PAE, the Government vendor, performed their extraction procedure. I have attached some of the contemporaneous communications with the Special Master’s office in September and October of 2021. See Exhibit C attached.

As a result of that information, you can see that the allegations made by Mr. Gottlieb are false and not based upon any factual material. Mr. Giuliani has not spoliated any electronic evidence. What has been produced is what Mr. Giuliani received from the United States Government. Mr. Giuliani has never possessed the electronic materials since they were seized in April 2021. It was, and is, physically impossible for Mr. Giuliani to have spoliated any of this evidence as Mr. Gottlieb claims. [my emphasis]

Later, Costello outright claims that the government “had apparently corrupted some of the files as they were extracting the data,” and then wiped them.

There was no way for Mr. Giuliani or I, to know that the Government had apparently corrupted some of the files as they were extracting the data. Likewise, there was no way for Mr. Giuliani or I, to know, [sic] that when the devices were returned by the FBI, AFTER they concluded there would be no charges forthcoming, that the actual devices would be wiped clean. [my emphasis]

That, Costello claims, is proof that Rudy couldn’t have destroyed any electronic evidence.

In short, there is simply no factual basis for Mr. Gottlieb’s allegations of spoliation. It was physically impossible for Rudy Giuliani to do what Mr. Gottlieb swears to.

Except that’s not clear at all. That’s true because Costello’s own evidence doesn’t support his claim that the government attributed all of this to the vendor. That leaves the possibility that Rudy spoiled the evidence before SDNY seized his phones. If so, Costello’s claim that Rudy couldn’t have spoiled the evidence after Ruby Freeman’s lawsuit, in December 2021, is true, but it doesn’t rule out Rudy or someone else — perhaps his Russian spy friends — spoiling evidence before the search in April 2021, at which point he was already lawyered up for at least the Smartmatic suit.

Costello misrepresents review scope

Before I show that Costello’s own evidence about the evidentiary problems doesn’t support his claims, let me demonstrate something more basic.

Costello repeatedly claims (and Sibley repeats) that the government reviewed 26 years of electronic evidence. It’s true that there was evidence from 26 years on the devices. But as I’ve explained repeatedly, even the government asked to limit the scope of review to everything after January 1, 2018. And that’s what Judge Paul Oetken approved on September 16, 2021.

An email Costello included with his declaration — directing Rudy what to review next — shows that’s what the scope of the review was.

Costello may have a reason he wants to obscure the scope of the review, which I’ll return to. Or it may be that after discovering the “corruption” on Rudy’s phones, FBI’s technical experts had to look further, using a warrant that is not yet public. But at least given the public record, it is not an honest representation of what was reviewed, as distinct from what was extracted.

The corruption found on Rudy’s phones

Based on Costello’s evidence, there were five different problems found with Rudy’s devices:

  • The dates on emails adopted the date of extraction — July 2021 — as the last modified date
  • Some .jpg files could not be viewed
  • Emails from Rudy’s phone lacked the text of the email
  • There were unreadable files on the larger devices
  • The WhatsApp texts had gotten garbled

Costello includes some cherry-picked emails to substantiate those problems. I’ll put them in order.

The first identified problem was the last-modified date, which Costello wrote someone from Trustpoint to identify on September 15 and which I first noted days later. Costello does not mention whether or how that problem was fixed.

Then, Costello quoted from his own email sent on September 30, which described that everything on seven devices was non-readable non-user created.

The bottom line of which is that there is virtually No User Created Info on the first seven devices. The screen shots of data we observed was non- readable non user created data which is clearly non- responsive and so we shouldn’t raise any objections to it being turned over to the Government.

Additionally we are getting the Special Master to go to the Government and its vendor to see if they can eliminate all of the non- user created data from the 9 remaining devices to make our future work more manageable.

A response from the Special Master on October 1, 2021 describes the problems with those seven devices somewhat differently, this way:

  • .jpg files that cannot be viewed
  • missing email/text body issue
  • unreadable “computer files” on the larger devices

Those devices were reviewed for files through seizure, so they likely had contemporaneous records.

Then, an instruction email from the Special Master team, written on October 15, 2021 — regarding the iPhone from which the bulk of the files were turned over — suggests that on that phone only the missing email/text issue remained. This is one of the only communications that describes something the government represented. And at least per them, it’s not a matter of corruption, it’s a matter of how iPhones work.

It is our expectation that these documents can be reviewed quickly, given that many are very short, and others — as you’ve pointed out previously — contain no “body” text. We have asked the Government why many messages do not contain bodies, and their understanding is that this is the way the iPhone stores backup data.

Then, on October 21, 2021, Costello sent an email noting that the WhatsApp texts were muddled.

Trustpoint reports to us that within the field of approximately 25,000 data items there are approximately 7500 “WhatsApp” entries. The way the Government’s expert presented this evidence almost all the Whats App entries consist of garbled words in English. For example the phrase “In God we trust” would likely appear to us now as “God we trust in”.


Frankly we do not know how to deal with this, and we wanted to alert you to his latest glitch which will be found on more than 25% of the items to be searched.

The Special Master responded the following week that they “hope to have a solution shortly.”

As noted above, the Special Master turned over virtually everything on that phone, so they found a way to deal with the WhatsApp issue.

Given the number of files found on the remaining 8 devices, may well have found the same problem on those devices as they did on the first seven.

In short, at least per the record Costello himself provides, he has no evidence the government attributed any of this to the vendor. Costello claimed that the government had told the Special Master that,

the government reported that any errors in the production of the electronic data, would have occurred when PAE, the Government vendor performed their extraction procedure.

But, unless I’m missing it, he provides no evidence of that.

It appears likely that 15 of 16 devices lacked substantive information, and the only thing he provides an explanation for is that some emails — emails that Rudy would have separate access to — weren’t downloaded onto a backup of his phone.

Costello spins on Rudy’s non-compliance on emails

According to Rudy’s own declaration, he helped Trump plot a coup attempt using three different emails, which other documents (including Costello’s own declaration!) reveal must be:

  • rudolphgiuliani at icloud
  • helen0528 at gmail
  • TruthandJustie4U at proton

Rudy’s own privilege log shows that he retained both the gmail and icloud emails — but for things after January 6 and before the seizure, which in the log are fairly presented as privileged.

Rudy’s own privilege log shows none of the protonmail accounts used, even though Bernie Kerik’s does (more on that later).

That’s why it’s so interesting that Costello attacks rather than addresses why Epshteyn (and Christina Bobb) had responsive records that Rudy didn’t turn over.

In paragraph 5 of Mr. Gottlieb’s affirmation, he states that they obtained a December 13, 2020 email from Defendant Giuliani to Boris Ephsteyn [sic] which ” reiterates Defendant’s false claims about Plaintiffs that: “Georgia has video evidence of 30,000 illegal ballots cast after the observers were removed.”” Note first, that the Plaintiffs in in this case were not mentioned, but further note, that when one reviews the citation for this email (ECF-56-7), there is a later email in that same exhibit from Jason Miller that reports: “Statement on hold until further notice, pending Rudy’s talk with the President.” In the spirit of lack of candor, Mr. Gottlieb failed to mention that email.

Here’s the email in question (which redacts which email it went to, but one Bobb turned over was sent to Rudy’s Gmail). But whichever one it came from, it’s an email that Rudy still had access to in 2021, as evidenced by the exhibits presented in this case.

There seems to be good cause to conclude Rudy deleted the email or refused to look for it.

Costello and Sibley’s exaggeration of the investigative closure

Again, 15 of 16 of these devices had some as yet unexplained data that was not user created. I don’t see where Costello substantiated that the government’s vendor did this. Short of doing that, he can’t rule out that Rudy — or, again, the Russian spies he was cozy with at the time — destroyed the data on the devices.

And that’s why I find it notable how Costello and Sibley misrepresent the nature of DOJ’s notice the grand jury investigation into Rudy’s Ukraine influence peddling had concluded.

At the same time as NY State was asking Barbara Jones to serve as the monitor over Trump Organization’s legal woes with the state, SDNY filed this letter, asking Judge Oetken to terminate the appointment of Jones.

The Government writes to notify the Court that the grand jury investigation that led to the issuance of the above-referenced warrants has concluded, and that based on information currently available to the Government, criminal charges are not forthcoming. Accordingly, the Government respectfully requests that the Court terminate the appointment of the Special Master, the Hon. Barbara S. Jones.

As I noted at the time, Costello ran to the press and claimed this meant Rudy would not be charged.

But Costello never claimed to have received a declination letter. And contemporaneous reporting made clear the case remained open.

We now know why: Instead of whatever prosecutors expected to find on at least 7 of Rudy’s phone, they found non-user generated non-readable files. Maybe their vendor fucked up. Maybe something else happened to the devices. But there was nothing there for them to build their case on.

Which is why Costello’s spin on what happened is so interesting. He faults Ruby Freeman’s lawyer for not mentioning that Rudy wasn’t charged.

In his Affirmation, Mr. Gottlieb referenced a criminal investigation run by the SDNY involving Mr. Giuliani, but conveniently failed to mention that it was resolved in Mr. Giuliani’s favor.


First, let me state that after the Government, be it the FBI or the U. S. Attorney’s Office for the Southern District of New York (“SDNY”) reviewed 26 years’  worth of electronic data, the SDNY, [sic] issued an unusual public statement declaring that it was not charging Mr. Giuliani with any violation of federal law.

But he overstates the filing, which only addresses the grand jury in question. And the only reason the statement was unusual is that it wasn’t a declination letter sent to Costello himself.

Given the revelation that at least 7 and possibly as many as 15 of these devices were — to use Costello’s word — “corrupted,” it makes other details of the Rudy investigation more interesting, including a request, reported in April 2022, for help accessing other phones.

If the vendor didn’t “corrupt” the data on 15 of 16 of Rudy’s devices — and I don’t see where Costello shows they did — I can imagine that the SDNY might pursue how they got corrupted.

And that may be why Rudy is attempting to end any further review of why he can’t even find emails that Boris Epshteyn had access to.

21 replies
  1. Benvindo Soares says:

    Interesting – so the assumption is the Contractor had problematic technique and corrupted evidence ? That seems like a plank you don’t want to tread on in court. Is the Gov’t at this point obligated to explain the — for lack of a better term ” a false positive” ? It seems to me they might be able explain ( in court) the corruption that was picked up – by producing a devcise or another malicious process.

    • N0b0dy1985 says:

      So from what little I understand about forensic investigation of computing devices, the prime directive is always “don’t write anything to the device, only clone (copy) it off, then analyze the copy”… I think the chances that the government vendor made seven to fifteen boo-boos like that is non-existent.

  2. Rugger_9 says:

    Wouldn’t the fact that these devices were corrupted render them useless for prosecution? This makes the rational view of Hunter’s plea deal today much more apt, since it would appear to me that there would have been difficulties for any prosecution that intended to use the devices.

  3. Amicus12 says:

    It is so thoroughly bizarre.

    Although styled “nolo contendre,” I am not aware of the use of such a pleading in civil matters. And while the document refers to stipulations, it’s not that either. Stipulations of fact are agreements between the parties, not one party’s unilateral determinations as to the contours of the litigation. They are also agreements signed by counsel – not the parties themselves.

    And to the extent the document is an admission, it’s highly equivocal. “[T]o the extent the statements were statements of fact and otherwise actionable,” then Defendant Giuliani writing in the third person agrees that they are defamatory.

    It’s an exercise in self-help, designed as discussed in the post, to foreclose discovery and/or sanctions.

    While the distinction between fact and opinion is an objective standard, I would think that discovery can bear on the relevant issue of whether the defendant understood the statements to be statements of facts and intended to represent them as statements facts, as well as whether he intended to represent them as false statements of facts or was recklessly indifferent to their truth or falsity.

    I suspect the Court and the Plaintiffs are going to have a great deal to say about all this, and I would be surprised if this stunt works to Giuliani’s benefit.

    • emptywheel says:

      I agree. I’m working on a post showing that Rudy claimed privilege over ~350 messages that he already conceded were not privileged.

  4. ShallMustMay08 says:

    Whew … so Rudy’s devices were “corrupted” by 3rd party (but no evidence supporting) and yet the dead HB “laptop” was recovered perfectly. Huh. What a position these folks take. Press too.

    As a side – reading the judges order yesterday for todays hearing (concerning filings to be sealed), I find really troubling. Quick to blame defense team and ridiculous to think for a second that social security and tax information exposed on public docket needs an explanation to seal. Wild.

  5. wasD4v1d says:

    In my own tech work, I always do rescue extractions from an image of the device or a clone of the data set. Wouldn’t a security agency or contractor do the same? Or can this kind of work only be done on the source device?

    • RipNoLonger says:

      That would be my understanding also – you do the forensics on a copy of the media that has been extracted from the device (phone, tablet, laptop, etc.) The caveat would be if the device was perhaps encrypted/password-protected via the BIOS or other device-resident storage.

    • Tech Support says:

      Bingo. (Noted above as well.)

      It makes me wonder if there is the potential for the digital equivalent of an arson investigation here, to determine specifically how the devices contents were damaged and whether you could make an entirely separate case around that.

    • jdmckay8 says:

      I think use of the word “forensic” has been denigrated to the point of meaninglessness. Nothing in this post or anything else I’ve read approaches forensics on those devices.

      Same thing on all public data from Hunter’s Mac. Marcy wrote a lot about this last week: to get forensic results answering riddles of what files were toyed with is physically impossible without spinning up Hunter’s Mac disk. This would include attempting to recover deleted/over written files of interest.

      You can’t get any of this from an image.

      I don’t believe for a minute FBI “damaged” anything on Rudy’s devices. They do a ton of this. Its a pretty simple, straightforward process.

      I also wonder why FBI is even doing this. There was an article (I just don’t recall where) I read maybe a year ago, describing generally the Fed’s resources for this kind of work (forensics). It said FBI & DOD had minimal capabilities, but another agency had the best lab in the world and that is where high priority stuff went. I just don’t remember which agency this was (slaps forehead).

      WRT Rudy’s devices, a subpoena to APPLE for his iCloud backups should be done as well. Who knows, maybe they’ve done this and holding it close to the vest for more serious prosecutions as yet unknown to us. I’m sure Marcy will get to the bottom of it. :)

      • BirdGardener says:

        I was (wildly) guessing Homeland Security, but google also suggests the Secret Service:

        What US government agencies deal with computer forensics?

        U.S. Secret Service

        The Secret Service also runs the National Computer Forensic Institute, which provides law enforcement officers, prosecutors, and judges with cyber training and information to combat cyber crime.

        Does that ring a bell?

          • Ravenous hoarde says:

            I too learned that factoid recently with their text message debacle.

            Felt like it added insult to injury that supposedly the agency that’d be best at recovering deleted texts is also the agency that inexplicably irretrievably deleted a bunch after lawsuits and records requests had begun.

            I was not amused when reading that.

          • P J Evans says:

            Originally part of Treasury (because chasing counterfeiters). Like the Coast Guard was in Commerce (rum-runners and other smugglers).

  6. Henry the Horse says:

    This will be whatabout Hillary’d to death. I could write the talking points right now.

    On a more serious note 3 cheers for EmptyWheel!!! To show my appreciation, I shall now perform the waltz…Mr. Kite, the calliope please.

  7. Operandi says:

    Rudy’s story that the government took all his devices, gave him a bunch of junk data files via ediscovery, and then returned his phones wiped, is built of details he should’ve known for more than a year now. Its seems like maybe info he should’ve lead with when his texts were initially requested in discovery. Instead he jerked Moss and Freeman around for months until finally coughing up this “doj spoiled my phones” excuse in the 11th hour.

    It’s no wonder he’s trying to tap out. Quite the hole he’s dug himself.

    • timbozone says:

      Exactly. Apparently, “I’m so broke!” Rudy felt it best to keep paying his lawyer to hold off on submitting any of this to the the court for months and months…

Comments are closed.