from the Democratic National Committee (DNC) during the 2016 election cycle were most likely downloaded to a USB drive by someone with physical access to a computer connected to the DNC network. The analysis refutes the official narrative of the files being hacked remotely by the Russians – as popularized by the U.S. corporate media, without any actual evidence ever publicly presented.
— Kim Dotcom (@KimDotcom) July 21, 2017
The alleged DNC hacker, Guccifer 2.0, in an interview with Motherboard in June 2016, claimed he used a zero-day exploit to bypass security on the DNC servers and steal files, which he subsequently published under the title “NGP-VAN.”
While the DNC leak was quickly attributed to the Russian hackers by U.S. intelligence agencies, a document published by an individual going by the name Forensicator reveals how the 7-zip file published by Guccifer 2.0 was transferred at a speed of 23 MB/s, making it “unlikely that this initial data transfer could have been done remotely over the Internet.”
“The initial copying activity was likely done from a computer system that had direct access to the data,” the report from the Forensicator stated. “By ‘direct access’ we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).”
Below are some of the key findings presented by the Forensicator’s report:
• On 7/5/2016 at approximately 6:45 PM Eastern time, someone copied the data that eventually appears on the “NGP VAN” 7zip file (the subject of this analysis). This 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016.
• Due to the estimated speed of transfer (23 MB/s) calculated in this study, it is unlikely that this initial data transfer could have been done remotely over the Internet.
• The initial copying activity was likely done from a computer system that had direct access to the data. By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).
• They may have copied a much larger collection of data than the data present in the NGP VAN 7zip. This larger collection of data may have been as large as 19 GB. In that scenario the NGP VAN 7zip file represents only 1/10th of the total amount of material taken.
• This initial copying activity was done on a system where Eastern Daylight Time (EDT) settings were in force. Most likely, the computer used to initially copy the data was located somewhere on the East Coast.
• The data was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy and this is a characteristic of the the Linux ‘cp’ command (using default options).
• A Linux OS may have been booted from a USB flash drive and the data may have been copied back to the same flash drive, which will likely have been formatted with the Linux (ext4) file system.
• On September 1, 2016, two months after copying the initial large collection of (alleged) DNC related content (the so-called NGP/VAN data), a subset was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.
• The computer system where the working directories were built had Eastern Daylight Time (EDT) settings in force. Most likely, this system was located somewhere on the East Coast.
• The .rar files and plain files that eventually end up in the “NGP VAN” 7zip file disclosed by Guccifer 2.0 on 9/13/2016 were likely first copied to a USB flash drive, which served as the source data for the final 7zip file. There is no information to determine when or where the final 7zip file was built.
The Forensicator’s analysis noted that data from the 7-zip file showed the .rar files were built on September 1, 2016, while the other files were last modified on July 5, 2016. According to the report, “when the .rar files are unpacked using a program called WinRAR, their timestamps were preserved from the date they were transferred. The subsequent timestamps of those .rar files were relative times, while the times recorded in the 7-zip files are absolute times, recorded in Coordinated Universal Time (UTC).” The Forensicator concluded that if the .rar files were adjusted to Eastern Time, they “fall into the same range as the last modified times for the directories archived in the .rar files.”
Thus, the Forensicator’s analysis determined that the files were likely built on a computer system running on Eastern Daylight Savings Time (EDT) timezone, meaning that the system was most likely located somewhere on the East Coast of the United States.
Additionally, the Forensicator also generated a list of the files sorted by the date they were last modified and imported the list into an Excel spreadsheet. Analyzing the files by date last modified, he observed that the last modified times were clustered together in a 14-minute time period on July 5, 2016.
In an analysis of the metadata, he found a majority of the time it took for the files to be copied, 12 minutes and 48 seconds of the 14 minutes and 15 seconds, was allocated to “time gaps” that appear between several top-level files and directories. The report concluded that this indicated that the files were chosen from a much larger collection of files.
Finally, and perhaps most damning of all, the transfer speed of the files published by Guccifer 2.0, was determined by the Forensicator, which he concluded that if the 1.98 GB 7-zip archive published by Guccifer was copied at a rate of 22.6 MB/s, and all the time gaps were attributed to additional file copying, the initial file copy would be 10 times larger, or 19.3 GB.
All of this leads to a likely conclusion that Guccifer 2.0 is/was a U.S. intelligence asset deployed to muddy the waters surrounding the DNC leak and shift blame to the Russians.
What, if any, independent, verifiable evidence is there that Guccifer 2.0 hacked the DNC?
Basically, there is no evidence to show the Guccifer 2.0 persona was Wikileaks source. There is no evidence that he actually hacked into the DNC beyond the fact he had acquired some DNC/DCCC documents. Conversely, there is significant evidence to contradict his claims thanks to ThreatConnect discrediting his breach claims, and revealing that he was intentionally working to get attributed for the malware discoveries!
Even more damning, according to Forensicator, the Guccifer 2.0 persona curiously chose to “use a Russian VPN (after choosing to taint documents with Russian language) and was noted to have been in possession of a password for a password-protected area of the DCLeaks site (which, plausibly, he could have been given after promising to upload some of his leaks – DCLeaks were willing to give the same password out to the press in exchange for the promise of writing a story about them!)”
Virtually everything previously reported about the Guccifer 2.0 persona has been based on assumption, acceptance of his admissions as factual, with the U.S. public being propagandized by a corporate media to take his conjecture at face value, while the real story is who is behind this persona, and for what purpose?
In summation, we’ve seen deliberately placed “Russian Fingerprints,” efforts to forge perceived association to Wikileaks and Seth Rich, and DNC breach claims discredited.
The report notes that, Guccifer 2.0 utilized “‘Trump Opposition Research’ like it was an identity card only one day after it was advertised by Shawn Henry in a Washington Post article. This likely U.S. intelligence asset publicly noted how he could only ever “hack” the DNC, lacked syntactical traits of a Russian speaking English and recently – has been shown as most likely to have accessed some of his files locally, while on the DNC network (within the Eastern Time zone).”
It appears likely that the appearance of the Guccifer 2.0 person was an intelligence operation designed to hide the fact that the DNC was not hacked by Russians, and was more than likely accessed by someone with physical access to the DNC servers.