Text of PWC findings on ANC's hoax DA email

Forensic report into whether email was sent from MP du Plessis to Anton Bredell

The following is an extract of the report submitted by PriceWaterhouseCoopers to the Premier of the Western Cape, Helen Zille, on April 19 2010 concerning their investigation into the validity of the email allegedly sent by MP du Plessis to Anton Bredell on March 8 2010:

DEPARTMENT OF THE PREMIER FINAL REPORT

THE ALLEGED EMAIL, INTERVIEWS WITH MESSRS DU PLESSIS AND BREDELL AND OTHER ENQUIRIES

Background

301 On 7 April 2010, the South African media (e.g. News24.com etc.) published reports about a document, purported to be an email ("the Alleged Email"), which was allegedly sent by Mr Du Plessis to Mr Bredell containing derogatory language. News24.com reported that the Alleged Email was released to the media on 7 April 2010.

The Alleged Email

302 Mr Thomopoulos provided us with two copies of the Alleged Email which are attached as Annexure 1. The first copy contains a handwritten comment: "For the attention of Mr Du Plessis" and the Municipality's fax number "021 808 8026" whilst the second copy of the Alleged Email does not contain any handwritten notes.

303 The Alleged Email has the following visible characteristics:

• The "From" view reflects the alleged sender as: "Municipal Manager" with no sending email address reflected on the document;
• The "To" view reflects the alleged recipient as "Anton Bredell" with no receiving email address reflected on the document;
• The "Date" view reflects the alleged date the Alleged Email was sent / received as: "2010/03/08 13:24:36 PM";
• The "Subject" view reflects: "Stellenbosch terugvoer" as the subject of the Alleged Email;
• The signature / signoff of the Alleged Email is in a mixture of English and Afrikaans and reflects the following:

"Mr MP Du Plessis
Acting Municipal Manager
Stellenbosch Municipality
Tel: +2721 808-8025
Faks: +2721 808-8026
Epos: [email protected]"

Interview with Mr Du Plessis

304 We conducted an interview with Mr Du Plessis who informed us as follows:

Appointment as Acting Municipal Manager

305 He was appointed on contract at the Department of the Premier (PGWC) in June 2009. Following the DA Alliance's takeover of the Stellenbosch Municipality's Council, Mr Du Plessis was seconded from PGWC to the Municipality as Acting Municipal Manager from 14 December 2009.

306 He denied having sent the Alleged Email.

Computer equipment and email addresses used by Mr Du Plessis

307 Following Mr Du Plessis' appointment as Acting Municipal Manager, he used a laptop of his predecessor Municipal Manager and the Municipality's IT department set up an email address for him: [email protected]

308 Mr Cilliers was seconded from PGWC as Acting Legal Advisor to the Municipality during the same time as Mr Du Plessis' secondment to the Municipality. Mr Cilliers used a laptop which was issued by PGWC. Following the theft of Mr Cilliers' PGWC laptop (Mr Du Plessis could not recall the exact date), Mr Du Plessis made the abovementioned laptop computer of the Municipality with the proxy email address [email protected] available to Mr Cilliers for his sole use.

309 Mr Cilliers informed us that his PGWC laptop was stolen around 26 January 2010 and he started using the abovementioned laptop shortly thereafter.

310 Following the abovementioned theft of Mr Cilliers' computer, Mr Du Plessis only used the laptop computer which was provided to him by PGWC and only sent email correspondence from his PGWC email address which is: [email protected]. He cannot access the Municipality's network and email server with this laptop.

311 Mr Du Plessis informed us that he also has a private email address through Absamail.

312 The only two individuals who have had access to and who actively send, receive and monitor emails in the Munmanager address are Ms Basson and Ms Rooifontein (see Section IV below for a review of the proxy access to this email address).

Receipt of the Alleged Email

313 The first time he became aware of the Alleged Email was when he was contacted by Mr Bredell on Tuesday 6 April 2010. Mr Bredell informed him that the Cape Argus newspaper delivered a document to him (Mr Bredell) which is alleged to be an email sent by Mr Du Plessis to Mr Bredell. Mr Bredell asked him whether he was aware of the alleged email.

314 He contacted the Cape Argus newspaper and an individual referred to as "Andisiwe" (who appears to be Andisiwe Makinana, a political writer of the newspaper) faxed a copy of the Alleged Email to him. Mr Du Plessis provided this fax to us (attached as Annexure 2).

315 After becoming aware of the Alleged Email, he contacted Mr Muller and instructed him to review the Munmanager address on the computers of Ms Basson and Ms Rooifontein and also on the mail server of the Municipality. According to Mr Du Plessis, the Alleged Email could not be found on any of these devices. This was confirmed to us by Mr Muller.

Factual inaccuracies in the Alleged Email

316 Mr Du Plessis identified the following factual inaccuracies in respect of references to himself which were made in the Alleged Email:

317 The Alleged Email records: "Welgedaan, Hartenbos was ‘n soet ooiwinning en dit was goed om weer gesellig fe verkeer". This implies that Mr Du Plessis attended the DA's conference which was held in Hartenbos from 5 to 7 March 2010, where he allegedly interacted socially with Mr Bredell.

318 Mr Du Plessis informed us that he did not attend the DA's Hartenbos conference and did not interact socially with Mr Bredell as is implied in the Alleged Email. According to Mr Du Plessis, he can recall that he visited his children in Brackenfell over the weekend of 5 March 2010 to 7 March 2010.

319 Furthermore, the Alleged Email records: "...ons is besig om daaraan te werk en sien vir Patricia in hierdie verband moreaand." According to Mr Du Plessis, the Alleged Email implies that he knew Ms Patricia de Lille, the leader of the Independent Democrats. Mr Du Plessis informed us that he has never met, spoken to or interacted with Ms De Lille.

Mr Du Plessis' movements on 8 March 2010

320 As mentioned above, the "Date" view of the Alleged Email reflects the alleged date the email was sent or received as: "2010/03/08 13:24:36 PM", i.e. Monday 8 March 2010 at 13h24.

321 Mr Du Plessis informed us that he was at the Municipality on the morning of 8 March 2010, but left early for his offices in Wale Street to, amongst other things, prepare for a meeting which he had to attend at Dorp Street, Cape Town at 15h30 that afternoon.

322 Refer below for details of our enquiries relating to the access logs of the Municipality's office building and the PGWC buildings at no 7 and no 15 Wale Street.

Interview with Mr Bredell

323 We conducted an interview with Mr Bredell, who was accompanied by Mr Du Randt and Ms Griesel. Mr Bredell informed us as follows:

324 The first time he became aware of the Alleged Email was on Tuesday 6 April 2010 when the Cape Argus faxed a copy of the document to his Media Officer, Mr Heinie Odendaal. He provided us with a copy of the fax (attached as Annexure 3).

325 He instructed the IT department of the Department of the Premier to ascertain whether such an email was actually received, but they did not find the Alleged Email on PGWC's server.

326 He denied ever having received the Alleged Email (i.e. electronically by email) and both Mr Du Randt and Ms Griesel denied the same.

327 Ms Griesel informed us that Mr Bredell and his office have two email addresses at PGWC in which emails can be received:

• The email address: [email protected], which is an office email address. This address is reflected on Mr Bredell's business card; and

• The email address: [email protected] which is an email address to which only Mr Bredell has access.

328 Furthermore, Ms Griesel and Mr Du Randt also have their own email addresses which are: [email protected] and [email protected].

329 Mr Bredell informed us that Mr Du Plessis, to his knowledge, did not attend the DA conference in Hartenbos and emphasised that he did not meet with Mr Du Plessis at the conference as is implied in the Alleged Email.

Other enquiries

Mr Du Plessis' access to office building of the Municipality and the PGWC offices at no 7 and no 15 Wale Street on 8 March 2010

330 The "Date" view of the Alleged Email reflects that the date and time it was sent or received was: "2010/03/08 13:24:36 PM", i.e. Monday 8 March 2010 at 13h24.

331 As set out above, Mr Du Plessis informed us that whilst he was at the Municipality on the morning of 8 March 2010, he left early to, amongst other things, prepare for and attend a meeting at Cape Town.

332 We obtained from Mr Lottering the log of Mr Du Plessis' access to the Municipality's office building on 8 March 2010 (attached as Annexure 4).

333 The log shows that Mr Du Plessis first entered the Municipality's buildings at 06:42 AM. The last activity of Mr Du Plessis on 8 March 2010 as per the log is at 10:05 AM indicating that Mr Du Plessis left the building (i.e. "OK Normal Out").

334 Accordingly, the access log provided by Mr Lottering indicates that Mr Du Plessis was not at the Municipality after 10:05:52 AM on 8 March 2010.

335 We also requested the logs of Mr Du Plessis' access to the PGWC buildings on 8 March 2010. These logs were obtained by the Forensic Investigative Unit of PGWC.

336 The log (attached as Annexure 5) indicates that Mr Du Plessis first gained access to a PGWC building (i.e. 7 Wale Street basement parking) at 14h22 on 8 March 2010.

The DA Conference in Hartenbos: 5 to 7 March 2010

337 The Alleged Email implies that Mr Du Plessis attended the DA's conference which was held in Hartenbos from 5 to 7 March 2010, where the Alleged Email alleges that he interacted socially with Mr Bredell. Both Messrs Du Plessis and Bredell deny that Mr Du Plessis attended the conference in Hartenbos.

338 In this regard, we obtained from Ms Griesel copies of the attendance registers of the individuals who attended the conference in Hartenbos. The registers provided to us do not reflect the name of Mr Du Plessis as having attended the conference.

IV THE MUNMANAGER EMAIL ADDRESS AND TEST EMAILS SENT FROM THIS ADDRESS

Procedures performed in addition to the Forensic Technology Procedures

401 In order to gain additional assurance as to the authenticity of the Alleged Email, we determined the circumstances under which an actual email communication, sent from the Municipality to PGWC, could have the similar visible characteristics as those reflected on the Alleged Email. This was done by sending a number of test emails. Further details are set out below.

402 Furthermore, email communication sent from the Municipality to PGWC would have traversed through a number of servers and exchanges, such as Anti-Virus Servers at the Municipality and relays at PGWC. We reviewed logs from these servers/systems and further details are set out below.

Munmanager email address

Proxy users of the address

403 The Municipality's email addresses are operated using GroupWise software. These email accounts can be accessed in two ways:

• Connecting to the Municipality's Novell server using a network connection point (i.e. hereafter referred to as a "network log-in"). To access GroupWise in this manner, the user would have to be at the Municipality's buildings and log onto Novell by means of Novell software and a network connection point; or

• Logging on using the internet (also referred to as webmail). A Municipal GroupWise email address can be accessed from any location with internet access provided that the user has the required password.

404 Our enquiries from the Municipality's Novell server (screenshot attached as Annexure 6) indicated that the (proxy) users who have been granted access to the Munmanager address are:

• Ms Rooifontein; and
• Ms Basson.

405 Mr Muller informed us that the Munmanager address was created following a request from a former Municipal Manager of the Municipality who requested an email address from which "generic" emails and emails of an official nature could be sent and received.

406 The Munmanager address is in addition to an email address in the specific name of the Municipal Manager from which correspondence of a personal or privileged nature could be sent and received.

407 Mr Muller informed us that the Municipal Manager is the implied "custodian" of the Munmanager address.

408 The email address [email protected] is an alias address for [email protected]. Effectively the email system treats these two addresses as exactly the same.

Password access to the Munmanager address

409 Attached as Annexure 7 is a screenshot from Novell which indicates that the Munmanager email address' password has not been changed since 30 August 2006.

410 We attempted a network log-in of the Munmanager GroupWise address from Mr Le Roux's computer (in his presence) using only the "Munmanager" user name. We successfully managed to log onto the Munmanager address without the use of a password. Thus, it appears that the Munmanager email address was not assigned a password and this has been the case since 30 August 2006.

411 However, when we attempted to log into the Munmanager address using the internet (i.e. webmail) we were not able to log into the address without a password.

412 Mr Muller confirmed that a user is not able to log into a GroupWise email address via the internet without specifying a password. Accordingly, where a GroupWise email address does not have a password assigned to or set up in respect of that address, a user would not be able to log into that address via the internet.

413 However, any person who is logged onto the Municipality's server (i.e. via a network log-in at the Municipality's buildings) would be able to access the Munmanager address without a required password.

Mr Du Plessis' PGWC GroupWise log-in activity on 8 March 2010

414 In Section III above, we provide details of Mr Du Plessis's access to and from the office building of the Municipality and the PGWC offices at Wale Street Cape Town on 8 March 2010. Based on these access logs, Mr Du Plessis was not at the Municipality after 10:05:52 AM and first entered the PGWC buildings at 14:22 on that day.

415 We obtained details of the times that Mr Du Plessis logged into the PGWC GroupWise server on 8 March 2010. These logs showed that Mr Du Plessis logged into the PGWC GroupWise servers using the internet (i.e. referred to as "WebAccess" on the log) at the following times (the log-out times are not provided):

  • 07h11;
  • 08h36;
  • 12:21; and
  • 13:05.

416 As we noted above, where a GroupWise email address does not have a password assigned to or set up in respect of that address, a user would not be able to log into that address via the Internet.
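The reasoning in paragraphs 403 to 416 combines two constraints: which access path to the mailbox was usable, and where the badge holder was at the claimed send time. The following is an added example, not part of the report, that encodes the times and access rules stated above; the data layout, site labels and function names are assumptions made for illustration.

```python
from datetime import datetime, time

# Badge events as stated in paragraphs 333-336 of the report.
# The tuple layout and the site labels are constructed for this example.
BADGE_EVENTS = [
    ("06:42:00", "municipality", "in"),
    ("10:05:52", "municipality", "out"),
    ("14:22:00", "pgwc", "in"),
]

# Access paths as described in paragraphs 403 and 410-413: a network log-in
# needs physical presence at the Municipality; webmail works from anywhere
# but refuses an account that has no password set.
ACCESS_PATHS = {
    "network": {"requires_site": "municipality", "requires_password": False},
    "webmail": {"requires_site": None, "requires_password": True},
}


def _t(stamp):
    return datetime.strptime(stamp, "%H:%M:%S").time()


def sites_at(events, when):
    """Return the set of sites the badge was inside at time `when`."""
    inside = set()
    for stamp, site, direction in sorted(events):
        if _t(stamp) > when:
            break
        if direction == "in":
            inside.add(site)
        else:
            inside.discard(site)
    return inside


def feasible_paths(events, when, account_has_password):
    """Map each access path to the reasons it was NOT usable (empty = usable)."""
    present = sites_at(events, when)
    result = {}
    for name, rule in ACCESS_PATHS.items():
        reasons = []
        site = rule["requires_site"]
        if site and site not in present:
            reasons.append(f"not badged into {site}")
        if rule["requires_password"] and not account_has_password:
            reasons.append("account has no password set, webmail log-in refused")
        result[name] = reasons
    return result


if __name__ == "__main__":
    claimed = time(13, 24, 36)  # time shown in the Alleged Email's "Date" view
    for path, reasons in feasible_paths(BADGE_EVENTS, claimed, False).items():
        print(path, "->", reasons or "usable")
```

A badge log records the card rather than the person, so a result like this supports a conclusion only alongside the other evidence the report relies on.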

Mr Bredell's email address

417 Our enquiries from the PGWC server (screenshot attached as Annexure 8) indicated that the email address [email protected] has been assigned to Mr Bredell.

418 The email address [email protected] has been assigned to the Department Environmental Affairs and Development Planning (screenshot attached as Annexure 9).

Test emails

419 In section III above, we provided further details regarding the visible characteristics of the Alleged Email (Annexure 1). We noted that the document does not reflect the actual complete email addresses of either the alleged sender or the alleged recipient.

420 We sent a number of test emails from a variety of email addresses in order to ascertain the conditions (if any) under which an email could be sent from the Municipality (name@Stellenbosch.org) to PGWC ([email protected]) and where the email addresses of both the sender and recipient are not reflected as is the case in respect of the Alleged Email.

Test email from Munmanager to Mr Bredell's PGWC email address

421 We requested that Mr Le Roux send an email from the Munmanager address to Mr Bredell's PGWC address (abredell@pgwc.gov.za) (attached as Annexure 10).

422 The test email has the following obvious differences when compared to the Alleged Email:

| Description / details | Test email (actual email) | "The Alleged Email" |
|---|---|---|
| "From" view | "Municipal Manager" <[email protected]> | Municipal Manager |
| "To" view | <[email protected]> | Anton Bredell |
| "Date" view | yyyy/mm/dd/hh/mm AM or PM | yyyy/mm/dd/hh/mm/ss [24 hour format] AM or PM |
| Signature / signoff | Stellenbosch Munisipaliteit | Stellenbosch Municipality |

423 It is evident from the above that when an actual test email was sent from the Munmanager address to Mr Bredell the complete email addresses of both the sender (mmcstellenbosch.orq) and recipient ([email protected]) are reflected in the test email when printed at PGWC.

424 Furthermore, the "Date" view of the test email does not reflect seconds in the time.

425 The default signature on the Munmanager address at the date the test email was sent to Mr Bredell reflected "Stellenbosch Munisipaliteit" (in Afrikaans) as compared to "Stellenbosch Municipality" as reflected in the Alleged Email. As noted above, the Alleged Email's signature contains a mixture of English and Afrikaans terms (i.e. "...Municipality", "Faks" and "Epos").

426 Ms Basson informed us that whenever she sends an email from the Munmanager address she changes the default language of the signature either to English or Afrikaans, depending on the language used in the email.

Test email when contacts are added to Address Books on GroupWise

427 In view of the fact that the Alleged Email does not reflect the complete email addresses of both the alleged sender and recipient, we tested whether this absence could be attributed to the fact that the Munmanager address contains the name "Anton Bredell" as a contact in its GroupWise Address Book, whilst Mr Bredell's PGWC GroupWise Address Book also contains the name "Municipal Manager" as a contact.

428 In this regard, we requested that Mr Le Roux (at the Municipality) create a contact entitled "Pgwc IT" in his GroupWise Address Book for Mr Coleman (at PGWC with an email address of [email protected]). We also requested that Mr Coleman create a contact entitled "Stellenbosch IT" in his GroupWise Address Book for Mr Le Roux (with an email address of [email protected]). We then requested that Mr Le Roux send a test email to Mr Coleman.

429 The test email received by Mr Coleman is attached as Annexure 11. After having added Mr Le Roux's email address as "Stellenbosch IT" to his GroupWise Address Book, the "From" and "To" views when printing the email still reflect Mr Le Roux's complete email address (with no reference to "Stellenbosch IT") as well as his own complete email address.

430 We requested that Mr Le Roux print the abovementioned email from the "Sent items" view of this GroupWise address (attached as Annexure 12). When printing the Sent email (sent to PGWC) from the Municipality's GroupWise server, the "To" and "From" views of the test email do not reflect the complete email addresses of both the sender and the recipient.

431 Based on the above it is evident that when a sender of an email at the Municipality ([email protected]) has added the recipient of the email at PGWC (name@pgwc.gov.za) to its GroupWise Address Book and the email is then printed from the sender's Sent Items (and not printed by the recipient) the "To" and "From" views of such an email do not reflect the complete addresses of both the sender and recipient.

The GroupWise email system used by the Municipality allows emails to be saved as draft documents. We performed a test to establish the address characteristics of a draft email which is printed from the GroupWise system. This test email is attached as Annexure 12A and does not reflect the complete addresses of both the sender and recipient provided that the recipient forms part of the sender's address book.

Thus only in these circumstances (either a draft or a sent email) will the address characteristics of the email resemble that of the alleged communication (the Alleged Email) by not reflecting the complete addresses of both the sender and recipient of the email.

432 However, we ascertained that the Munmanager address did not contain the name "Anton Bredell" as a contact in its GroupWise Address Book as at 12 April 2010 (screenshot of enquiry attached as Annexure 13).

433 We noted an anomaly in respect of the time as it is reflected in the "Date" view of the Alleged Email. The Alleged Email displays the time in the 24 hour format but also includes "PM" in the format (i.e. "13:24:36 PM").

434 Mr Le Roux provided us with a copy of an email sent from the Munmanager address which was printed from the "Sent items" view at the Municipality. When printed (attached as Annexure 14) the time reflected in the "Date" view is in the following format: "04:19 PM". Whilst this format includes the post-fix "PM", the time is not in the 24 hour format as is reflected in the Alleged Email.
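The comparison in paragraphs 422 to 424 and 433 to 434 treats the "Date" view as a format fingerprint: a questioned print is checked for internal contradictions and against prints known to come from the real system. The following is an added example, not part of the report; the regular expression and function names are assumptions, and one of the two reference strings is constructed because the report gives only its pattern.

```python
import re

# Accepts an optional yyyy/mm/dd date, then h:mm or h:mm:ss, then optional AM/PM.
DATE_VIEW = re.compile(
    r"^(?:(?P<date>\d{4}/\d{2}/\d{2})\s+)?"
    r"(?P<h>\d{1,2}):(?P<m>\d{2})(?::(?P<s>\d{2}))?"
    r"(?:\s*(?P<ampm>AM|PM))?$"
)

# Reference prints from the genuine system. "04:19 PM" is quoted in paragraph
# 434; the second value is constructed to follow the pattern in paragraph 422
# (date, hours and minutes, AM or PM, no seconds).
REFERENCE_PRINTS = ["04:19 PM", "2010/04/12 10:15 AM"]


def shape(text):
    """Reduce a Date view string to the features that identify its format."""
    m = DATE_VIEW.match(text.strip())
    if not m:
        return None
    return {
        "hour": int(m["h"]),
        "seconds": m["s"] is not None,
        "meridiem": m["ampm"] is not None,
    }


def anomalies(questioned, references):
    """List the ways a questioned Date view departs from a consistent format."""
    q = shape(questioned)
    if q is None:
        return ["unparseable Date view"]
    found = []
    # A 12-hour clock with AM/PM never shows 0 or 13-23 in the hour field.
    if q["meridiem"] and (q["hour"] == 0 or q["hour"] > 12):
        found.append("24-hour value combined with AM/PM suffix")
    refs = [r for r in map(shape, references) if r is not None]
    if refs and all(r["seconds"] != q["seconds"] for r in refs):
        found.append("seconds field differs from every reference print")
    return found


if __name__ == "__main__":
    for finding in anomalies("2010/03/08 13:24:36 PM", REFERENCE_PRINTS):
        print(finding)
```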

Review of logs

Anti-virus server of the Municipality

435 Mr Le Roux informed us that all outgoing and incoming emails at the Municipality have to traverse through the Trend Anti-Virus Server of the Municipality.

436 Mr Le Roux provided us with copies of the logs from the Municipality's Anti-Virus server (attached as Annexure 15) for the period 8 March 2010 to 10 March 2010 in respect of all emails sent from the Municipality to PGWC (*.pgwc.gov.za).

437 We did not identify that an email was sent during the period 8 March 2010 to 10 March 2010 from the Munmanager address to "Anton Bredell" from these logs. As an illustration, the Anti-Virus log records that the following emails were sent from the Municipality to PGWC on 8 March 2010 between 13h00 and 14h00:

| Timestamp | Sender | Recipient |
|---|---|---|
| March 8, 2010 1:03:55 PM | [email protected] | [email protected] |
| March 8, 2010 1:19:59 PM | [email protected] | [email protected] |
| March 8, 2010 1:33:02 PM | [email protected] | [email protected] |
| March 8, 2010 1:52:06 PM | [email protected] | [email protected] |
| March 8, 2010 1:56:37 PM | [email protected] | [email protected] |
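A gateway-log review of the kind described in paragraphs 435 to 437 has to cover every alias of the sending mailbox (paragraph 408), every address of the recipient (paragraph 327), and a margin for clock differences between systems. The following is an added example, not part of the report: the tab-separated layout, all addresses, the function names and the 10-minute default margin are assumptions; only the five timestamps come from the excerpt above.

```python
from datetime import datetime, timedelta

FMT = "%B %d, %Y %I:%M:%S %p"  # e.g. "March 8, 2010 1:03:55 PM"

# Constructed sample: timestamps from the excerpt, placeholder addresses,
# plus one damaged line to show how unparseable entries are surfaced.
SAMPLE_LOG = "\n".join([
    "March 8, 2010 1:03:55 PM\tclerk1@municipality.example\tofficer1@province.example",
    "March 8, 2010 1:19:59 PM\tclerk2@municipality.example\tofficer2@province.example",
    "March 8, 2010 1:33:02 PM\tclerk3@municipality.example\tofficer3@province.example",
    "March 8, 2010 1:52:06 PM\tclerk1@municipality.example\tofficer4@province.example",
    "March 8, 2010 1:56:37 PM\tclerk4@municipality.example\tofficer1@province.example",
    "corrupt line without tabs",
])


def parse_log(text):
    """Return (records, rejected); rejected lines are kept so gaps stay visible."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        try:
            if len(parts) != 3:
                raise ValueError("expected timestamp, sender, recipient")
            stamp = datetime.strptime(parts[0], FMT)
        except ValueError:
            rejected.append(line)
            continue
        records.append((stamp, parts[1].lower(), parts[2].lower()))
    return records, rejected


def search(records, claimed, senders, recipients, skew=timedelta(minutes=10)):
    """Find mail from any sender alias within `skew` of the claimed time.

    'exact' holds entries that also match a recipient address; 'sender_only'
    holds entries from the mailbox to anyone else, which still merit review.
    """
    senders = {s.lower() for s in senders}
    recipients = {r.lower() for r in recipients}
    hits = {"exact": [], "sender_only": []}
    for stamp, sender, recipient in records:
        if abs(stamp - claimed) > skew or sender not in senders:
            continue
        key = "exact" if recipient in recipients else "sender_only"
        hits[key].append((stamp, sender, recipient))
    return hits


if __name__ == "__main__":
    records, rejected = parse_log(SAMPLE_LOG)
    claimed = datetime(2010, 3, 8, 13, 24, 36)
    senders = {"mailbox@municipality.example", "alias@municipality.example"}
    recipients = {"official@province.example", "office@province.example"}
    print(search(records, claimed, senders, recipients), "rejected:", len(rejected))
```

An empty result is only as strong as the log is complete, which is why the report checks more than one system and why rejected lines are returned rather than dropped.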

PGWC GroupWise Internet Agent

438 We obtained a download of the logs (from Mr Coleman) of the PGWC GroupWise Internet Agent which sets out all incoming and outgoing external emails received by and sent from PGWC to / from Stellenbosch.org.

439 We attach screen-prints of the logs for the period 2010-03-05 14:02:26 to 2010-03-10 05:39 as Annexure 16.

440 We did not identify the Alleged Email as an incoming (or outgoing) email to PGWC on the abovementioned dates reviewed.

Other logs

441 Mr Coleman informed us that emails are transmitted to and from PGWC via the SITA network, where the communication traverses through a number of devices.

442 In this regard, we requested the Anti-Virus and mail exchange logs maintained by SITA. However, Mr Alexander informed us that SITA only retains mail logs for 32 days and that the logs in respect of 8 March 2010 have been discarded.

V FORENSIC TECHNOLOGY PROCEDURES

Acquisition

Forensic images

501 We performed forensic images of the hard disk drives of the following computers:

  • Ms Rooifontein;
  • Ms Basson;
  • Mr Cilliers;
  • Mr Bredell; and
  • The PGWC email server.

502 Access to the abovementioned computers was provided to us by the relevant IT Departments of the Municipality and PGWC.

503 Fastbloc write blocking devices were utilised where computer hard disk drives were removed from computers. For all other forensic imaging where hard disk drives could not be removed or connected to our equipment, we utilised our specialised forensic software to perform network acquisitions of the data.

Copies of data

504 We obtained copies of the data in respect of the following:

  • Mr Du Plessis' PGWC laptop; and
  • The Munmanager address.

505 Due to the nature of the hard disk drive technology of Mr Du Plessis' laptop computer (solid state) a forensic image of this hard disk drive was not performed since an image would not reveal any deleted information.

506 The Munmanager address is set up on the Municipality's email server, which is installed on a virtual environment on a SAN with RAID.

507 We were not able to obtain an image of the Stellenbosch mail server on which the Munmanager address resides. The image creation process crashed after numerous attempts and there was insufficient space on the Municipality's server to extract the data.

508 Data restores of the Stellenbosch mail server were not possible due to space limitations as well as the backups for the specific week in question not being available (week of 8 March 2010). The Stellenbosch IT department were not able to perform backups of the email server during that week (refer Annexure 17).

509 Our consultations with the Municipality's third party IT service provider (Datacentrix) confirmed that due to the size of the virtual data, the performance of an image would not be advisable (refer Annexure 18).

510 Accordingly, we only performed an extraction of the Munmanager address.

Backup of acquired data

511 The abovementioned acquired data was backed up and is retained by us.

Recovery of files and folders

512 Recovering files and folders is a function that allows the examiner to "pull back and recover" any potentially deleted files, folders or emails. This is performed in every investigation to recover potential evidence that has been deleted, including the recovery of files deleted from the Recycle Bin. We performed a recovery on all hard drive forensic images mentioned above in order to determine if there were any deleted documents or emails on the computers examined.

513 However, at the date of this report, we have not as yet been able to extract or access the files contained on the forensic image of the PGWC mail server. Due to the size of the data on this server, the restoration and analysis process of this data will require another week to be completed.

514 Mr Coleman informed us that a restoration of the PGWC backup of email data around 8 March 2010 will not be practicable due to limitations in respect of PGWC equipment.

Search feature

515 We used both automated as well as manual searches on the data acquired. Automated searches using our specialised forensic software were performed whereas manual searching techniques were utilised on the copied data.

516 In view of the fact that, by default, emails are not stored locally on any of the computers used by individuals within PGWC and the Municipality, we were not able to perform email searches on user computers.

Use of specialised forensic software

517 The search scanning feature of our specialised forensic software was utilised in respect of the abovementioned forensic images (set out in 501 above) except in respect of the PGWC server in view of the fact that the restoration and analysis of the PGWC mail server is not yet complete.

518 The scanning covered data within various file types such as documents, internet history and file signatures. The automated scans did not reveal any data pertaining to the Alleged Email.

Manual procedures

519 Manual search techniques were performed in respect of the data copies mentioned above (set out in 504 above). We performed manual searches on the data in order to establish if the Alleged Email exists. These searches did not reveal any data pertaining to the Alleged Email.

VI CONCLUSION

601 Based on the work performed by us we conclude that the alleged email was not sent by Mr du Plessis to Mr Bredell. This conclusion is primarily based on:

  • The visible characteristics of the alleged email;
  • The fact that Mr du Plessis did not have access to the Stellenbosch Novell server at the time; and
  • The fact that we could find no trace of the alleged email on any of the servers used to process the flow of emails from Stellenbosch to PGWC.

(Transcribed from PDF format: As a result there may be small errors and changes in the text.)