A study has been added that analyzes the file metadata in a 7zip archive, 7dc58-ngp-van.7z, attributed to the Guccifer 2.0 persona. The analysis is here: Guccifer 2.0 NGP/VAN Metadata Analysis.
Guccifer 2.0 CF Files Metadata Analysis
Stephen McIntyre recently noted some interesting characteristics of a 7zip archive that Guccifer 2.0 published in October 2016. McIntyre refers to the publication of a large collection of documents and data by the persona known as Guccifer 2.0, announced on its blog on October 4, 2016.
Building on McIntyre's work, the Forensicator analyzes the metadata for the files in Guccifer 2.0's "Clinton Foundation" file dump (cf.7z). Those files are dated July 5, 2016, the same date carried by the NGP/VAN files previously analyzed by the Forensicator in Guccifer 2.0 NGP/VAN Metadata Analysis.
The CF file metadata analysis can be found here: Guccifer 2.0 CF Files Metadata Analysis.
Comments on that analysis can be left here; comments will close on October 3.
Corrections and Clarifications
The Forensicator fully supports the work of the VIPS (Veteran Intelligence Professionals for Sanity) and agrees with their overall recommendation that a more thorough investigation of the Russian hacking claims is needed. Ideally, that investigation would disclose more evidence, and more convincing evidence, than the previously released US Intelligence reports have provided.
Some media reports have criticized aspects of the VIPS report and then, by implication, transferred those criticisms to the Guccifer 2.0 NGP/VAN Metadata Analysis. In doing so, those reporters showed that they likely did not read the Forensicator's analysis carefully, or were not careful in their attributions.
Alternative Scenarios
When the Forensicator began reviewing the metadata in the NGP VAN 7zip file disclosed by Guccifer 2.0, he had a simple picture of how Guccifer 2.0 operated, based on Guccifer 2.0's own statements and on observations made by the security firm ThreatConnect: a lone-wolf hacker living somewhere in Eastern Europe or Russia, who used a Russian-aligned VPN service to mask his IP address.
These assumptions were not clearly stated in the report, which led to confusion and controversy over the report's claims about achievable Internet transfer speeds. As the review proceeded, alternative theories were suggested; they put additional pressure on the transfer-speed claims and raised further interesting questions.
This article describes both the evolution of Forensicator’s analysis and two main alternative scenario themes that have emerged during the review process.
Peak (38 MB/s) Transfer Speed
In response to discussion of the maximum transfer speed of 22.6 MB/s cited in Guccifer 2.0 NGP/VAN Metadata Analysis, the Forensicator took another look at the metadata and found strong evidence of peak transfer rates of approximately 38 MB/s. Although this higher peak might not completely refute the counter-claims made by various critics regarding the speeds achievable over the Internet, it certainly raises the bar.
If you find yourself in a hole, stop digging
The Guccifer 2.0 NGP/VAN Metadata Analysis report was released over a month ago. Since then there has been extensive reader feedback via posted comments and media coverage from various venues. Responding to that feedback was time-intensive, and a more thorough response was needed. To address those issues, the Forensicator has published three blog posts:
The Need for Speed
Some reviewers have questioned the following conclusion of the Guccifer 2.0 NGP/VAN Metadata Analysis study:
Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN, but this rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).
Below, performance data is tabulated demonstrating that transfer rates of 23 MB/s (megabytes per second) are not just highly unlikely but effectively impossible to achieve over the Internet at any significant distance. Local copy speeds are also measured, demonstrating that 23 MB/s is a typical transfer rate when writing to a USB 2.0 flash drive (thumb drive).
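The average and peak figures discussed above (23 MB/s and 38 MB/s) come from the same basic technique: in a bulk copy, each file's last-modified timestamp records when that file finished being written, so the bytes written between two timestamps divided by the elapsed time gives a throughput estimate. The script below is an added illustration of that technique, written for this page; it is not the Forensicator's code and the directory listing it parses is constructed, not metadata from any real Guccifer 2.0 archive. It assumes a `7z l`-style listing (date, time, size, path), one-second timestamp resolution, and decimal megabytes (1 MB = 1,000,000 bytes); the 60-second gap used to split the listing into separate copy runs is also an assumption.

```python
"""Estimate copy throughput from file last-modified timestamps.

Added example, not code from the Forensicator's reports. Idea: during a bulk
copy, a file's mtime marks the moment its copy completed, so the bytes of the
files completed after the first timestamp in a run, divided by the elapsed
seconds, estimate the copy rate. All input data here is constructed.
"""
from datetime import datetime
from typing import List, NamedTuple, Optional

MB = 1_000_000  # assumption: decimal megabytes; state the unit when comparing figures


class Entry(NamedTuple):
    mtime: datetime
    size: int
    name: str


# Constructed listing in the style of `7z l` output (date, time, size, path).
# Invented values chosen so the arithmetic is easy to check by hand.
SAMPLE_LISTING = """\
2016-07-05 18:39:00   10000000  dump/a.csv
2016-07-05 18:39:01   23000000  dump/b.csv
2016-07-05 18:39:02   23000000  dump/c.csv
2016-07-05 18:39:03   23000000  dump/d.csv
2016-07-05 18:39:04   40000000  dump/e.csv
2016-07-05 18:39:05    6000000  dump/f.csv
2016-07-05 18:39:06   23000000  dump/g.csv
2016-07-05 18:49:00    5000000  dump/h.csv
2016-07-05 18:49:02   30000000  dump/i.csv
"""


def parse_listing(text: str) -> List[Entry]:
    """Parse date/time/size/path lines and return entries sorted by mtime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, size, name = line.split(None, 3)
        entries.append(Entry(datetime.fromisoformat(f"{date} {time}"), int(size), name))
    return sorted(entries, key=lambda e: e.mtime)


def split_into_runs(entries: List[Entry], gap_seconds: int = 60) -> List[List[Entry]]:
    """Start a new run whenever consecutive mtimes are more than gap_seconds apart."""
    runs: List[List[Entry]] = []
    for e in entries:
        if runs and (e.mtime - runs[-1][-1].mtime).total_seconds() <= gap_seconds:
            runs[-1].append(e)
        else:
            runs.append([e])
    return runs


def average_rate(run: List[Entry]) -> Optional[float]:
    """MB/s over a run: bytes completed after the first timestamp / elapsed seconds.

    The first file is excluded because its mtime is the start of the clock, not
    a measured interval. A span of zero seconds cannot be measured with
    one-second timestamps, so None is returned rather than a bogus rate.
    """
    span = (run[-1].mtime - run[0].mtime).total_seconds()
    if span <= 0:
        return None
    return sum(e.size for e in run[1:]) / span / MB


def peak_rate(run: List[Entry], window_seconds: int = 1) -> Optional[float]:
    """Highest MB/s seen in any sliding window of whole seconds inside the run."""
    t0 = run[0].mtime
    span = int((run[-1].mtime - t0).total_seconds())
    if span < window_seconds or span <= 0:
        return None
    # bucket k holds the bytes of files whose copy completed during second k
    buckets = [0] * (span + 1)
    for e in run[1:]:
        buckets[int((e.mtime - t0).total_seconds())] += e.size
    best = 0
    for start in range(1, span - window_seconds + 2):
        best = max(best, sum(buckets[start:start + window_seconds]))
    return best / window_seconds / MB


def to_megabits(mb_per_s: float) -> float:
    """Convert MB/s to Mbit/s so the figure can be compared with link speeds."""
    return mb_per_s * 8


if __name__ == "__main__":
    for i, run in enumerate(split_into_runs(parse_listing(SAMPLE_LISTING)), 1):
        avg, peak = average_rate(run), peak_rate(run)
        print(f"run {i}: {len(run)} files, "
              f"avg {avg} MB/s ({to_megabits(avg)} Mbit/s), peak {peak} MB/s")
```

On the constructed listing the first run averages 23.0 MB/s (184 Mbit/s) with a one-second peak of 40 MB/s, and the second run averages 15.0 MB/s. The caveat is the timestamp resolution: with one-second mtimes a span of a few seconds has an uncertainty of the order of a second, so rates from short runs are rough, and the stronger evidence comes from long runs containing many files.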
Hat Tip
Thanks go out to Elizabeth Vos at Disobedient Media, who was the first to report on this analysis; her article can be read here. Thanks also to Adam Carter, who maintains the g-2.space web site, the one-stop shop for information relating to Guccifer 2.0. You can reach Elizabeth and Adam on Twitter.