35 By late July, NSA investigators made their initial assessment. They determined that most of the material had been taken from sealed-off areas, known in intelligence-speak as “compartments,” which in this case were files stored on computers that were isolated from any network. Each compartment electronically tracked all the activities that occur in them on their logs, including the password identity of any person who has gained entry to any compartment. From a forensic examination of these logs, NSA investigators were quickly able to reconstruct the timeline of the theft. The logs showed that an unauthorized party had begun copying files in mid-April, which was just days after Snowden began his job at the Center. The breach illicit activity ended just before Snowden’s last day of work there. So this piece fit in with Snowden’s guilt. The size of the theft was another matter. Ledgett was certainly in a position to know. Not only had he been in charge of the National Threat Center at the time of the Snowden breach, but he personally supervised the NSA’s damage assessment team. And, in the shake-up that followed that followed, he would replace Inglis as Deputy Director of the NSA. According to Ledgett, the perpetrator, moving from compartment to compartment, had “touched” 1.7 million documents. Of these “touched” documents, according to the analysis of the logs, more than one million of them were moved in mid-May by the unauthorized party to an auxiliary computer intended to be used for temporary storage by authorized service personnel. Finally, the data was transferred from this auxiliary computer to thumb drives. This download occurred just days before Snowden’ left the NSA on May 17, 2013, having told the agency that he needed a leave of absence to undergo medical treatment in Japan. The FBI further established from airport records that Snowden flew to Hong Kong the next day presumably with thumb drives containing, by the government’s calculation, over one milli