When Forensicator began his review of the metadata in the NGP VAN 7zip file disclosed by Guccifer 2, he had a simple impression of how Guccifer 2 operated, based upon Guccifer 2’s own statements and observations made by a security firm called ThreatConnect. Forensicator viewed Guccifer 2 as a lone wolf hacker who lived somewhere in Eastern Europe or Russia; he used a Russian-aligned VPN service to mask his IP address.
Forensicator’s assumptions regarding Guccifer were not clearly stated, and this led to some confusion and controversy regarding claims in the report related to achievable transfer speeds over the Internet. Further, as the review process proceeded, alternative theories were suggested; they placed additional pressure on the Internet transfer speed claims and raised some additional interesting questions.
This article describes both the evolution of Forensicator’s analysis and two main alternative scenario themes that have emerged during the review process.
Forensicator’s initial view of Guccifer 2 fed into this statement in the Findings section of Guccifer 2.0 NGP/VAN Metadata Analysis: “Due to the estimated speed of transfer (23 MB/s) calculated in this study, it is unlikely that this initial data transfer could have been done remotely over the Internet.” That finding came under fire, partly because when taken out of context, it was counter to many people’s experience. The report should have provided the necessary context to evaluate that claim, but did not.
As Forensicator’s metadata research proceeded, some other findings emerged.
There was evidence of two copy operations, one on July 5, 2016 and another on Sept. 1, 2016; both had Eastern time zone settings in force. The file last-modified times for the first copy suggested the use of the Unix/Linux ‘cp’ command, which is typically used to copy files locally. The files created by the second copy operation had file times recorded with 2-second resolution. This suggested FAT-formatted media, which in turn suggests the use of something like a USB flash drive. The file transfer times on the first copy were in line with the use of a USB-2 device and seemed too fast for most Internet users, especially those using a VPN or some other intermediate system to mask their IP address.
All those factors, and a few more, fed into Forensicator’s conclusion that it was probable that there were two local copy operations and by implication, the files were not just dragged back over the Internet by the remote hacker named Guccifer 2.
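The two observations above, the 2-second timestamp granularity and the copy rate implied by the spread of last-modified times, can both be checked mechanically. The script below is an added example, not code from the original analysis: it runs over a constructed list of archive entries (made-up names, sizes and times, not the NGP VAN metadata) and reports whether every timestamp sits on an even whole second, as FAT records them, and what copy rate the timestamp span implies. With ‘cp’, each file’s modification time is set when that file finishes, so the bytes of every file after the first were written between the first and last timestamps; the rate bounds account for the fact that a timestamp with resolution r only pins the true time to within r.

```python
from datetime import datetime

MB = 1_000_000

# Constructed sample: (file name, size in bytes, last-modified time as recorded in the archive).
# Even seconds, no sub-second part: the pattern a FAT volume produces. Values are made up.
SAMPLE_FAT_ENTRIES = [
    ("a.xlsx", 40_000_000, datetime(2016, 7, 5, 18, 39, 2)),
    ("b.xlsx", 60_000_000, datetime(2016, 7, 5, 18, 39, 4)),
    ("c.pdf",  60_000_000, datetime(2016, 7, 5, 18, 39, 6)),
    ("d.docx", 60_000_000, datetime(2016, 7, 5, 18, 39, 8)),
]

# Constructed sample with odd seconds and sub-second parts, as NTFS/ext4 would record them.
SAMPLE_FINE_ENTRIES = [
    ("a.xlsx", 40_000_000, datetime(2016, 7, 5, 18, 39, 2, 417000)),
    ("b.xlsx", 60_000_000, datetime(2016, 7, 5, 18, 39, 3, 905000)),
]


def has_fat_granularity(entries):
    """True when every timestamp is an even whole second, i.e. consistent with the
    2-second resolution of FAT file systems. A single odd or fractional second rules it out."""
    return all(t.microsecond == 0 and t.second % 2 == 0 for _, _, t in entries)


def bytes_after_first(entries):
    """Bytes written between the first and last timestamp: every file except the earliest."""
    ordered = sorted(entries, key=lambda e: e[2])
    return sum(size for _, size, _ in ordered[1:])


def timestamp_span_seconds(entries):
    """Wall-clock span between the earliest and latest last-modified time."""
    times = [t for _, _, t in entries]
    span = (max(times) - min(times)).total_seconds()
    if span <= 0:
        raise ValueError("need at least two distinct timestamps")
    return span


def estimate_rate_mb_per_s(entries):
    """Point estimate of the copy rate in MB/s (decimal megabytes)."""
    return bytes_after_first(entries) / timestamp_span_seconds(entries) / MB


def rate_bounds_mb_per_s(entries, resolution_s=2.0):
    """(low, high) copy rate given that each recorded time is only accurate to
    within resolution_s; the true span lies between span - r and span + r."""
    data = bytes_after_first(entries)
    span = timestamp_span_seconds(entries)
    low = data / (span + resolution_s) / MB
    high = data / (span - resolution_s) / MB if span > resolution_s else float("inf")
    return (low, high)


if __name__ == "__main__":
    print("FAT-like granularity:", has_fat_granularity(SAMPLE_FAT_ENTRIES))
    print("estimated rate: %.1f MB/s" % estimate_rate_mb_per_s(SAMPLE_FAT_ENTRIES))
    print("rate bounds: %.1f - %.1f MB/s" % rate_bounds_mb_per_s(SAMPLE_FAT_ENTRIES))
```

On the constructed sample the point estimate is 30 MB/s, but the 2-second resolution alone widens that to anywhere between 22.5 and 45 MB/s; with only a handful of files the bounds matter more than the point estimate, which is why a study of this kind needs many files spread over a longer span before it can say much about whether a rate is in USB-2 territory.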
This simplified view changed as reviewers and blog commenters went through Forensicator’s analysis and searched for scenarios that might fit the facts but would preserve a remote hack narrative. There is quite a range of alternative scenarios; here are two common themes.
- The local pivot. Here, “local” means somewhere on the East Coast (to get the time zone) and “pivot” means that the files are first collected on this intermediate host (to get the ‘cp’ pattern of last-modified times). By introducing a close local host, hitting the oft-mentioned 23 MB/s transfer speed is going to be easier. To achieve this rate, this intermediate host has to have a very fast Internet connection. Some challengers of Forensicator’s analysis point to announcements of Google Fiber service on the East Coast in the summer 2016 time frame. Some have suggested that the hypothetical hacker takes control of a commercial server, which might be called a “well-connected server” because its Internet service has a direct connection to one or more systems attached to an Internet backbone.
- Change the time zone settings to ET. This scenario is probably the stronger of the two, because it avoids the Internet speed issue, avoids the need to find a local pivot, and so on. Basically, if the hacker has his time zone set to Eastern, he can transfer the files over the Internet at whatever speed he wants, then make a local copy with ‘cp’, and it will technically be a “local copy” with Eastern time settings.
Before discussing his counter-arguments, Forensicator wants to thank everyone who provided comments. The blog was set up for open discussion and has met that purpose. (Forensicator censored no comments, except those that were obvious spam.)
On the “local pivot” theory and its variants.
- Probably the biggest problem with any “local pivot” theory is that it addresses only the first copy operation on July 5, 2016 and does not address the second copy operation on Sept. 1, 2016. For the second copy, we have: (1) ET time settings, (2) FAT-formatted media (typically a thumb drive); both of those observations must be explained by any viable counter-scenario.
- The hacker needs a way to hide his IP address. Unless he is willing to stage a “smash and grab”, and ditch the intermediate host that he commandeered, he will resort to the usual methods: VPN, Tor, bot chain and so on. All of those tactics will slow down the transfer speed, probably significantly.
- A recent re-analysis of the metadata has raised the bar for required transfer speed from 23 MB/s to 38 MB/s.
- Transfer speeds are a factor of both the hacker’s download speed and the hypothetical DNC server’s upload speed. On this latter point, we have no information regarding the nature of the DNC’s Internet service. In fact, per a recent report in The Hill, “The DNC would not provide details about its upload speeds in July of 2016”. That is understandable, but it makes it impossible to make any definitive statements regarding how fast data might be transferred from a DNC server to the hypothetical local pivot host.
- Finding and commandeering a local pivot host is going to be roughly twice as difficult as hacking a single DNC server. Add to that, this hypothetical host probably has to have fiber service or have commercial grade Internet service. The obstacles keep stacking up, and the probability that all these factors will come together keeps going down.
- A commenter has posted impressive Speedtest results (between Sweden and DC). Another relayed anecdotal information that at a university where they studied, or a company they work for now, they think that 23 MB/s transfer rates over the Internet are achievable. Forensicator is willing to accept those reports as valid and has asked for confirmation by actual experiment (say, copying a 100 MB file from somewhere in the US back to somewhere in Europe). So far, the results of such experiments have not been forthcoming.
- The points above focus on the transfer speed between the hypothetical DNC server and a hypothetical intermediate (pivot) host. There is a scenario that says that the files were copied to this intermediate host at a rate that isn’t particularly fast, but then the files are copied again locally before being transferred back upstream. This scenario is the same as placing the pivot inside the DNC (the “local local” pivot). The main data point arguing against that is that although a transfer speed in the range 23-38 MB/s is pretty fast, it is still slower than typical transfers to a directly attached disk. The “Need for Speed” study confirms this. That observation together with evidence of a second copy operation (ET settings and FAT-formatted media) helps break any potential tie, when arriving at the conclusion that the files were copied locally.
On changing the time zone setting and its variants.
- Background: In Forensicator’s metadata analysis report, he concluded that US Eastern time zone settings were in force for both the first copy operation on July 5, 2016 and the second on Sept. 1, 2016. He arrived at this conclusion by noticing an obscure relationship between the way 7zip files record times (UTC) and .rar (version 4) files record times (local). When the 7zip file was opened on the West Coast, the times shown were 3 hours earlier than those shown in the .rar files. From this, Forensicator concluded that Eastern time settings were in force.
- Forensicator takes the position that this relationship which establishes Eastern time settings is sufficiently obscure that it was not known by the person (or persons) copying the files and later putting them together into .rar files and the final .7z file. This rules out the idea that this person (or persons) wanted the time zone setting to be discovered.
- Many tech-savvy computer users know that time zone settings can leak out in Office documents, emails, PDFs, and so on; they are unlikely to think that copying files will leak the time zone setting. Therefore, there is no inherent reason to set the time zone explicitly when copying files. This leaves only the idea of setting it routinely.
- A commenter offered the idea that a Russian hacker might routinely set his time zone to Eastern Time (US) as a way of obscuring his location. Forensicator notes that for Guccifer 2 in particular, a Romanian time zone would make more sense; for misdirection, China or North Korea seem likely.
- The most routine time zone setting is the zone where the computer is located. Some operating systems will do this automatically as an option.
- If the hypothetical hacker did change his time zone setting, a Romanian time zone seems the most likely of all the choices, because it agrees with Guccifer 2’s story line.
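The time zone inference in the “Background” item above rests on one format difference: a 7-Zip entry stores its last-modified time in UTC, while a RAR (version 4) entry stores the local wall-clock time of the machine that built the archive. Subtracting the two gives the archiver’s UTC offset directly, independent of where the archives are later opened. The script below is an added example, not code from the original report; the two timestamps and the offset table are constructed for illustration (the table holds the UTC offsets in force in early July 2016, with daylight saving applied, and is an assumption of the example). It also reproduces the 3-hour gap a viewer on the West Coast would see.

```python
from datetime import datetime, timedelta

# Constructed sample: the same file as recorded by the two archive formats.
SEVENZIP_UTC = datetime(2016, 7, 5, 22, 39, 2)   # stored in the .7z entry (UTC)
RAR4_LOCAL = datetime(2016, 7, 5, 18, 39, 2)     # stored in the .rar entry (archiver's local time)

# Offsets from UTC, in hours, in force in early July 2016. Assumption of this example.
JULY_2016_OFFSETS = {
    "US Eastern (EDT)": -4,
    "US Pacific (PDT)": -7,
    "Romania (EEST)": 3,
    "Moscow (MSK)": 3,
}


def archiver_utc_offset_hours(sevenzip_utc, rar4_local):
    """UTC offset of the machine that built the archives: local time minus UTC time."""
    return (rar4_local - sevenzip_utc).total_seconds() / 3600


def candidate_zones(offset_hours, table=JULY_2016_OFFSETS):
    """Zones in the table whose offset matches; several zones can share one offset,
    so the timestamp alone never pins down a single country."""
    return sorted(name for name, off in table.items() if off == offset_hours)


def viewer_display_gap_hours(sevenzip_utc, rar4_local, viewer_offset_hours):
    """Hours by which the .7z time, as displayed by a viewer's own machine, trails the .rar time.
    The .7z UTC value is converted to the viewer's zone; the .rar value is shown as stored."""
    shown_7z = sevenzip_utc + timedelta(hours=viewer_offset_hours)
    return (rar4_local - shown_7z).total_seconds() / 3600


if __name__ == "__main__":
    off = archiver_utc_offset_hours(SEVENZIP_UTC, RAR4_LOCAL)
    print("archiver UTC offset: %+.0f h -> %s" % (off, candidate_zones(off)))
    print("gap seen by a Pacific-time viewer: %.0f h" % viewer_display_gap_hours(SEVENZIP_UTC, RAR4_LOCAL, -7))
```

The `candidate_zones` lookup makes the limitation explicit: an offset of +3 in July 2016 matches both Romania and Moscow, so the method identifies an offset, not a location, and a viewer in a different zone would see a different display gap even though the inferred offset is the same.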
It is expected that alternative theories will be floated to fit the facts — fitting the facts makes them possible, not necessarily probable. Ultimately, it is the person who reads Forensicator’s report who will have to make the call. Forensicator has explained his reasoning on how and why he reached his conclusions.
Forensicator maintains his position that the most probable and plausible interpretation of the observations derived from the NGP VAN 7zip metadata is:
There is evidence that suggests the files in the NGP VAN archive were copied (twice) locally, on the East Coast, US. Further, there are indications that a USB-2 capable media may have been used for the first copy operation on July 5, 2016 and that a FAT-formatted media was used in the second copy operation on Sept. 1, 2016. (A USB flash drive is one of the most popular FAT-formatted media, but there are others including SD cards and removable hard drives.)