The Forensicator

The Need for Speed


Some reviewers have questioned the following conclusion in the Guccifer 2.0 NGP/VAN Metadata Analysis study.

Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation.  This transfer rate can be achieved when files are copied over a LAN, but this rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).

Below, performance data is tabulated that demonstrate that transfer rates of 23 MB/s (Mega Bytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance.  Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when writing a USB-2 flash device (thumb drive).

Below, are some representative discussions on the subject of the 23 MB/s rate cited in the study.

As we can see above, there was some confusion regarding the MB/s notation used in the analysis.  The analysis uses MB/s as a short form of “Mega Bytes per second” as detailed in MB: Mega Bytes or Mega Bits?  There is also some confused thinking that very fast local Internet transfer speeds in Romania will somehow make up for the very slow rates seen when traveling across Europe and then going trans Atlantic to Washington, DC.   To further complicate matters, various independent experts have asserted that Guccifer 2 used a Russian-based VPN service (through an end point in France) to communicate with various people.

In practice, actual transmission rates will fall well below the theoretical rates, because packets transmitted over the Internet have to transit many switches and must share bandwidth  with other users.  Further, copying multiple small files will increase the need for “hand-shaking” messages which further decreases the effective transmission speed.  The only way to find the actual speeds that can be achieved is to run tests.  The typical ISP provided “speed test” will show optimistic speeds, but they’re a start.  The following graphic shows the result of a cable provider’s speed test.

In that test, we accessed one of the provider’s hosts that is about 20 miles away (as the crow flies).  The 113.4 Mbits/s rate corresponds to a 14.2 MB/s rate – well below 23 Mb/s.

Here is another test, accessing a host that is on the opposite coast (3100 miles away).

We can see that increases in the distance traveled can have a major impact on the transmission speed.  In this test, accessing a host on the opposite coast cut the download speed by a factor of 7.

ThreatConnect, a security firm, determined that Guccifer 2 used a commercial VPN service to mask his IP address.  ThreatConnect’s analysis is described in a blog entry.  Their key finding is summarized below (emphasis added).

Now, after further investigation, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents directly with the media. We reached this conclusion by analyzing the infrastructure associated with an email exchange with Guccifer 2.0 shared with ThreatConnect by Vocativ’s Senior Privacy and Security reporter Kevin Collier. This discovery strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor.

In March 2017, Adam Carter followed up on ThreatConnect’s research [see in the section titled “UPDATE (12 March)”].   Adam disputes their claim that the VPN IP address used was somehow “dedicated” for use by Guccifer 2 and perhaps other hackers with connections to Russia.  Adam writes:
So… it turns out that if ThreatConnect had tried using the default options – they would have been allocated the “exclusive” IP address that was NEVER really exclusive.
They’ve caused concern and distress unduly for a VPN Service provider by misrepresenting the service and produced false-positive indicators by suggesting the IP address was used by a shady group of Russians/Guccifer2.0 with exclusivity.
The discussion above is provided as background, simply to establish that any experiment that intends to replicate Guccifer 2’s use of the Internet should use a VPN service and measure speeds over that VPN connection.
If we enable a VPN service targeting a nearby server and retry the speed test, we see the following.
The download speed over the VPN is roughly 60% of the speed of a direct connection.  There are probably a few reasons for this drop in speed: (1) the test no longer goes only through the provider’s network, (2) transiting the VPN server introduces another hop, (3) the VPN provider may implement bandwidth throttling, and (4) there may be additional overhead introduced by the VPN client, which is implemented in software.
The test results shown above are summarized in this table.
Even without introducing an intermediate VPN server, or going trans Atlantic, we can see that a transfer rate of 2 MB/s which is achieved when going cross country (US) is a factor of 10 slower than the 23 MB/s calculated in the report.
To measure and compare local transfer speeds to speeds achieved when copying from a close host on the Internet, we ran some tests copying the NGP VAN files on a file-by-file basis and then as a single big file (that was built by concatenating all the single files together).
A few observations:

Large single file copies were significantly faster than file-by-file copies as shown in the table below.


A few observations:

Finally, a few Internet only tests were run which copied a 100 MB file first from the Internet server used in the previous tests and then ran the same test using a VPN server at various geographic locations.

The following primitive diagram shows the Internet connectivity when a VPN server is interposed.

As we can see the VPN server passes through the communications between the PC and the Server.  We can select a VPN server at various distances from the PC to simulate communication to a server at various geographic locations.

The test results are shown in the table below.


When copying a single large file, we were able to achieve a transfer speed just a little faster than the vendor’s speed test which indicates that the test server’s Internet speed is sufficient to max out the local cable connection.  As we saw before, the speed drops noticeably when we enable the VPN service, even when the VPN server is close to the PC and the test server.  The transfer speeds drop into the range of 1 MB/s to 2 MB/s when communicating through Romanian, Ukrainian, or Russian VPN servers.

In conclusion the performance data above strongly supports the statement in the study:

A transfer rate of 23 MB/s is estimated for this initial file collection operation.  This transfer rate can be achieved when files are copied over a LAN, but this rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).