Folder containing second tranche of emails taken from University of East Anglia server included a message from the perpetrator in an encrypted text file

A mysterious encrypted folder released online last week containing a further 220,245 private emails exchanged between climate scientists includes another message from the perpetrator, the Guardian has learned.

When the second tranche of emails taken from a University of East Anglia server in late 2009 were uploaded onto a publicly accessible Russian server last Tuesday, the folder they were contained in - named "FOIA2011" – also included a message from the perpetrator in a README.txt file. In addition, it included an encrypted folder called "All.7z", containing 137MB of compressed text files, presumed to be the remaining emails, as promised in the public message.

Igor Pavlov , the Russian programmer who designed the popular 7-Zip compression software used by the perpetrator, has examined the encrypted file and confirmed that it includes another manually created README.txt file.

"7-Zip doesn't place files [inside folders] that were not specified by the user," said Pavlov. The encrypted text file is very small - just 211 bytes in size - but is large enough to contain, say, a couple of sentences. By comparison, the README file made public by the perpetrator last week contained 3,607 words, totalling 24,576 bytes in size.

But Pavlov stressed that it is highly unlikely anyone other than the perpetrator - the person who holds the folder's "passphrase", or password - will be able to force their way into the encrypted "All7z" folder. "7z encryption can be broken only if the password is simple and short," said Pavlov. "For example, a 7z archive with a password of eight characters is breakable. A 7z archive with a password of 12 characters is breakable, but only if you can provide enough computational resources to crack it. However, a 7z archive with a password of, say, 40 characters is probably unbreakable in the foreseeable future. If the password is long, the attacker must break AES-256 encryption. And there is currently no information that someone can break AES-256."

AES stands for Advanced Encryption Standard, a computer security standard that was introduced in 2002. "256" refers to the algorithmic cipher that encrypts and decrypts using 256-bit blocks of data.

Pavlov also revealed that the perpetrator - by design or accident - did not encrypt the file names contained within the "All.7z" folder, despite having that option available to them. "The 7z format allows the user to keep the folder's file list in unencrypted form," said Pavlov. "But the 'All.7z' file list includes the names and sizes of files. So only the file data itself was encrypted in that archive."

The file names contained within the "All7z" file list all follow a common numbering formula, ranging from "999981722" to "1000064167". All the files were generated at 19:00:05 on 1 January, 2011, but it can only be speculated whether this is an accurate reflection on when the perpetrator first chose to compress the files using 7-Zip.

The "All7z" file list also provides another insight: the time and date that the folder was compressed and encrypted by the user for the last time. It reveals that this occurred at 19:04:24 on 21 November, 2011, just a few hours before the perpetrator started to post links to the FOIA2011 folder on blogs popular with climate sceptics. The first-known link to the file was posted on the Air Vent blog at 05:08 on 22 November. Even without knowing the applicable time zones, this appears to confirm that the folder was not sitting on a public server for a long period of time undiscovered, but instead was uploaded just before being linked to.