RAR Times: Local or UTC?

Some reviewers have questioned the claim stated in the Guccifer 2.0 NGP/VAN Metadata Analysis report that the .rar files analyzed in that study recorded file times in local (relative) time.  In short, newer implementations of WinRAR use the “version 5” format and in that format times are recorded as UTC times.  However, the .rar files analyzed in this study use the older version 4 format which records times in “local” (relative) format.

A 4chan user asserted that the analysis was flawed:


A fellow 4chan user corrected the misunderstanding.


As background, WinRAR has been around a long time; its file format has changed over time.  In recent releases of WinRAR the default format is version 5.  However, in previous releases, the version 4 format was used.  We can turn to the WinRAR help screen for clarification.


To confirm that version 4 .rar files were found in the “NGP VAN” 7zip file, we can consult one of the screenshots from the report.


Given that the .rar files are all in version 4 format, we can safely assume that the file times recorded in those archives are in local (relative) time, not UTC.
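The same check can be made directly on the archive bytes. The Python below is an added example, not code from the original report: it tells the two formats apart by signature and decodes the time field of a version 4 file header. The signatures, header layout and MS-DOS time encoding are assumptions taken from the RAR 4 format description rather than from this page, and `sample_rar4()` returns constructed bytes with zeroed CRCs.

```python
import struct
from datetime import datetime, timedelta, timezone

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # 7-byte signature of the version 4 format
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # 8-byte signature of the version 5 format

def rar_version(data: bytes) -> int:
    for version, magic in ((5, RAR5_MAGIC), (4, RAR4_MAGIC)):
        if data.startswith(magic):
            return version
    raise ValueError("not a RAR archive")

def dos_time(ftime: int) -> datetime:
    """Decode the 32-bit MS-DOS date/time; it carries no zone or UTC offset."""
    return datetime(1980 + (ftime >> 25), (ftime >> 21) & 0x0F, (ftime >> 16) & 0x1F,
                    (ftime >> 11) & 0x1F, (ftime >> 5) & 0x3F, (ftime & 0x1F) * 2)

def rar4_file_times(data: bytes):
    """Return [(name, naive datetime)] for each version 4 file header (type 0x74)."""
    if rar_version(data) != 4:
        raise ValueError("version 5 archive: times are UTC, different layout")
    out, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break  # corrupt header, stop instead of looping forever
        add = 0
        if htype == 0x74 and pos + 32 <= len(data):
            pack, _unp, _os, _fcrc, ftime, _ver, _meth, nlen, _attr = \
                struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            off = pos + 32 + (8 if flags & 0x0100 else 0)  # skip 64-bit size fields
            name = data[off:off + nlen].split(b"\0")[0].decode("latin-1")
            out.append((name, dos_time(ftime)))
            add = pack  # packed data follows the header (high 32 bits ignored here)
        elif flags & 0x8000 and pos + 11 <= len(data):
            add = struct.unpack_from("<I", data, pos + 7)[0]
        pos += hsize + add
    return out

def to_utc(local: datetime, assumed_offset_hours: float) -> datetime:
    """UTC is recoverable only by assuming the archiving machine's offset."""
    return (local - timedelta(hours=assumed_offset_hours)).replace(tzinfo=timezone.utc)

def sample_rar4() -> bytes:
    """Constructed bytes: marker, main header, one empty file entry (CRCs zeroed)."""
    ftime = (37 << 25) | (1 << 21) | (2 << 16) | (3 << 11) | (4 << 5) | 3
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, 0x8000, 37, 0, 0, 2, 0,
                       ftime, 29, 0x30, 5, 0x20) + b"a.txt"
    return RAR4_MAGIC + struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0) + fhdr
```

The decoded value is a naive wall-clock time: the same stored bytes map to different UTC instants depending on the offset passed to `to_utc`, which is why the format version matters for the analysis.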

  2. How do you support the claim that this was the original download? For example, is it possible that the files were accessed remotely, and THEN the downloaded files were copied onto a drive on a computer on the east coast?


    1. Please re-submit your comment to the main thread, https://theforensicator.wordpress.com/2017/07/09/guccifer2-metadata-analysis/ and I will reply there. Also, please clarify/extend your current comment. Are you saying, something like DNC -> Romania -> US East Coast? Are you assuming that any of those two links can sustain 23 Mbytes/sec? (note: above, I’m using DNC as origin, Romania as intermediary only because that was G2’s original claim. Use whatever nomenclature you’re comfortable with).


