Corrections and Clarifications

The Forensicator fully supports the work of the VIPS (Veteran Intelligence Professionals for Sanity) and agrees with their overall recommendation that a more thorough investigation of Russian hacking claims is needed.  Ideally, this investigation would share more evidence and more convincing evidence than has been provided in previously disclosed US Intelligence reports.

Some reports in the media have been critical of aspects of the VIPS report, and then by implication have transferred their criticisms to the Guccifer 2.0 NGP/VAN Metadata Analysis. In the process, those reporters have demonstrated that they likely did not carefully read the Forensicator’s analysis or were not careful in making attributions.

Correcting the Record

For a detailed discussion on problems with how the media reported on the Forensicator’s analysis and other work derived from that analysis, please refer to:

Clarifications: the VIPS report

The VIPS article [July 24, 2017] describes the following as a “Key Event” (their emphasis):

July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is much faster than what is physically possible with a hack.

The Forensicator responds to the statements above as follows:

  • The Guccifer 2.0 NGP/VAN Metadata Analysis describes a copy operation that (based on the metadata) occurred in the early evening on July 5, 2016.  No claim is made in the report that the data might not have been copied earlier nor whether it might have been copied or leaked.
  • The analysis determined that this first (of two) copy operations was done using a computer that had Eastern time zone settings in force.  The Forensicator adds that the computer was likely on the East Coast.
  • No claim was made in the Forensicator’s analysis that this computer was connected to a DNC server.  That may have been mentioned in a reply to a comment as a hypothetical scenario when discussing aspects of the analysis that would support such a claim.
  • No claim was made in the analysis that the data disclosed in the NGP VAN 7zip file published by Guccifer 2 was derived from data taken from a DNC server.  Guccifer 2 alluded to that.  The “Findings” section refers to the data this way: “On September 1, 2016, two months after copying the initial large collection of (alleged) DNC related content …” (emphasis added).
  • No claim was made in the analysis that the estimated transfer speed “is much faster than what is physically possible with a hack” [VIPS].  Rather the statement was “this rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania)”.  They’re close; they differ in degree of certainty and the Forensicator added the qualifier “(esp. to Romania)”.
  • The Forensicator’s report makes no reference to “hack”, “leak”, or “server”.

There may be other over-ambitious extrapolations made by the VIPS in their report. Scott Ritter, who declined to sign onto the VIPS memo, offered his perspective in an article on [July 28, 2017 – four days after the VIPS article was published].  Here is an excerpt. The “forensics analysts” that Scott refers to below are The Forensicator and Adam Carter.

The analysis contained in the VIPS memorandum contradicts such an assertion. Unfortunately, this conclusion is not supported by the data. I reached out to the forensic analysts who conducted the analysis of the metadata in question. They have stated that there is no way to use the available metadata to determine where the copying of the data was done. In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016. These same analysts also note that the July 5 date that is pervasive on the metadata probably overwrote all prior modification times, meaning it is impossible to ascertain if there were any prior copy operations.

Scott places the VIPS report into perspective.

The implications of the conclusions reached in the VIPS memorandum (if not the actual technical analysis it relied on) are staggering: The DNC “hack” was actually a cyber-theft perpetrated by an insider with direct access to the DNC server, who then deliberately doctored documents to make them look as if they had been accessed by a Russian-speaking actor prior to releasing them to the public.

When the Forensicator first read the published VIPS report, he noticed issues like those above and his reaction was that their report was their own interpretation of the Forensicator’s findings; it seemed to be based on assumptions that should be more clearly stated.  Still, the Forensicator recognized that it was their prerogative to make their own interpretation.

Transfer Speeds over the Internet

The Forensicator also saw how strongly the VIPS’s claims depended on the transfer speed estimate made in the metadata analysis.  Forensicator did not feel this was the VIPS’s strongest argument.  However, as time went on, this transfer speed claim became the focus for critics of the VIPS report — by association the Forensicator’s analysis also drew fire.

At that point, Forensicator could have simply removed the claim that referred to Internet transfer speeds from the end of conclusion 7.  It would have little impact on the report’s findings.  Only the first part of that conclusion was used to support those findings: “A transfer rate of 23 MB/s is estimated for this initial file collection operation.  This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive.”

The Internet speed claim may have helped support conclusion 7 but became unimportant when test results from The Need for Speed showed transfer rates were in line with local copy operations.  Tests showed that transfer rates were in the range of 24 to 28 MB/s for local copies (LAN and disk as source, respectively), with a USB-2 flash drive as the target.  This close agreement with the 23 MB/s overall transfer speed estimated in the metadata analysis added support for the claim that the files were copied locally; the transfer rate suggested that the copy destination might be a USB-2 storage device.
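As an added illustration (not code from the Forensicator’s report or from The Need for Speed), the following Python script estimates a transfer rate from per-file sizes and last-modified timestamps on a constructed sample, works out the 1,976 MB in 87 seconds figure quoted above, and checks an estimate against the local-copy rates reported from The Need for Speed. The decimal-megabyte unit, the sample file records and the 3 MB/s tolerance are assumptions made for the example.

```python
from datetime import datetime, timedelta

MB = 1_000_000  # assumption: decimal megabytes, the usual unit for transfer rates

# Constructed sample of (size_bytes, last_modified) records as a copy tool would
# leave them; these values are made up and are not the NGP/VAN archive's metadata.
T0 = datetime(2016, 7, 5, 18, 0, 0)
SAMPLE_FILES = [
    (46 * MB, T0),
    (115 * MB, T0 + timedelta(seconds=7)),
    (23 * MB, T0 + timedelta(seconds=8)),
    (161 * MB, T0 + timedelta(seconds=15)),
    (115 * MB, T0 + timedelta(seconds=20)),
]

# Local-copy rates reported in "The Need for Speed" (USB-2 flash drive as target):
# about 24 MB/s with a LAN source and about 28 MB/s with a local disk source.
LOCAL_COPY_MB_S = {"lan_to_usb2": 24.0, "disk_to_usb2": 28.0}

def estimate_rate_mb_s(files):
    """Bytes copied divided by the span between the earliest and latest timestamp.

    Approximation: the first-to-last timestamp span stands in for the copy
    duration. Timestamps only reflect the copy that last wrote them, so an
    earlier copy of the same files would be invisible to this estimate.
    """
    total_bytes = sum(size for size, _ in files)
    stamps = [ts for _, ts in files]
    span = (max(stamps) - min(stamps)).total_seconds()
    if span <= 0:
        raise ValueError("need at least two distinct timestamps to estimate a rate")
    return total_bytes / MB / span

def rate_from_totals(megabytes, seconds):
    """Headline figure from the quoted VIPS text: 1,976 MB in 87 s."""
    return megabytes / seconds

def consistent_local_scenarios(rate_mb_s, tolerance_mb_s=3.0):
    """Measured local-copy scenarios within an assumed tolerance of the estimate."""
    return [name for name, measured in LOCAL_COPY_MB_S.items()
            if abs(measured - rate_mb_s) <= tolerance_mb_s]

def required_link_mbit_s(rate_mb_s):
    """Line rate a remote path would have to sustain end to end (8 bits per byte)."""
    return rate_mb_s * 8

if __name__ == "__main__":
    est = estimate_rate_mb_s(SAMPLE_FILES)
    print(f"sample: {est:.1f} MB/s, matches {consistent_local_scenarios(est)}; "
          f"VIPS figure: {rate_from_totals(1976, 87):.1f} MB/s")
```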

That said, this finding proved more problematic: “Due to the estimated speed of transfer (23 MB/s) calculated in this study, it is unlikely that this initial data transfer could have been done remotely over the Internet.”  It drew a strong reaction because many computer-savvy users and technologists had direct experience with Internet connections that they were certain could sustain those speeds.

The statement, as it stands, lacks context, because when it was written the Forensicator viewed Guccifer 2 as a remote hacker who hailed from Eastern Europe or Russia and used a VPN service or some similar technique to mask his IP.  In that context, Forensicator concluded that it would be unlikely for a 23 MB/s transfer rate to be sustained remotely.  Unfortunately, that critical assumption was not stated in the analysis.

Even if the 23 MB/s transfer rate can be achieved over the Internet, there are other requirements that must be met by a proposed alternative scenario.  A detailed analysis can be found in Alternative Scenarios.