Corrections and Clarifications

The Forensicator fully supports the work of the VIPS (Veteran Intelligence Professionals for Sanity) and agrees with their overall recommendation that a more thorough investigation of Russian hacking claims is needed.  Ideally, this investigation would share more evidence and more convincing evidence than has been provided in previously disclosed US Intelligence reports.

Some reports in the media have been critical of aspects of the VIPS report, and then by implication have transferred their criticisms to the Guccifer 2.0 NGP/VAN Metadata Analysis. In the process, those reporters have demonstrated that they likely did not carefully read the Forensicator’s analysis or were not careful in making attributions.

Alternative Scenarios

When Forensicator began his review of the metadata in the NGP VAN 7zip file disclosed by Guccifer 2, he had a simple impression of how Guccifer 2 operated, based upon Guccifer 2’s own statements and observations made by a security firm called ThreatConnect. Forensicator viewed Guccifer 2 as a lone wolf hacker who lived somewhere in Eastern Europe or Russia; he used a Russian-aligned VPN service to mask his IP address.

Forensicator’s assumptions regarding Guccifer were not clearly stated, and this led to some confusion and controversy regarding claims in the report related to achievable transfer speeds over the Internet.  Further, as the review process proceeded, alternative theories were suggested; they placed additional pressure on the Internet transfer speed claims and raised some additional interesting questions.

This article describes both the evolution of Forensicator’s analysis and two main alternative scenario themes that have emerged during the review process.


Peak (38 MB/s) Transfer Speed

In response to discussions regarding the max transfer speed of 22.6 MB/s cited in Guccifer 2.0 NGP/VAN Metadata Analysis, the Forensicator went back and took another look at the metadata and found strong evidence of peak transfer rates of approximately 38 MB/s. Although this higher peak transfer speed might not completely refute the counter-claims made by various critics (regarding transfer speeds that can be achieved over the Internet), it certainly raises the bar.

If you find yourself in a hole, stop digging

The Guccifer 2.0 NGP/VAN Metadata Analysis report was released over one month ago.  During that time period, there has been extensive reader feedback via posted comments and media coverage from various venues.  Responding to the reader feedback was time intensive and a more thorough response was needed.  To address those issues, The Forensicator has published three blog posts:

The Need for Speed

Some reviewers have questioned the following conclusion in the Guccifer 2.0 NGP/VAN Metadata Analysis study.

Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation.  This transfer rate can be achieved when files are copied over a LAN, but this rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).

Below, performance data are tabulated that demonstrate that transfer rates of 23 MB/s (megabytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance. Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when writing to a USB-2 flash device (thumb drive).

RAR Times: Local or UTC?

Some reviewers have questioned the claim stated in the Guccifer 2.0 NGP/VAN Metadata Analysis report that the .rar files analyzed in that study recorded file times in local (relative) time.  In short, newer implementations of WinRAR use the “version 5” format and in that format times are recorded as UTC times.  However, the .rar files analyzed in this study use the older version 4 format which records times in “local” (relative) format.
