
Thread: The DNC "Hack"... Not So!

  1. Link to Post #1
    Hervé, Administrator (Brittany, France)

    The DNC "Hack"... Not So!

    Mysterious IT specialist publishes new report showing Guccifer 2.0-DNC files were copied locally—Not Hacked

    Joshua Caplan Gateway Pundit
    Sun, 09 Jul 2017 22:01 UTC



    A mysterious IT specialist, who goes by the name The Forensicator, published a detailed report that appears to disprove the theory that the DNC was hacked by Russia.

    The documents were copied on July 5th, five days before Seth Rich was murdered.

    The Forensicator summarized the complex report into 10 bullet points.

    The report as laid out by The Forensicator:
    "Based on the analysis that is detailed below, the following key findings are presented:
    • On 7/5/2016 at approximately 6:45 PM Eastern time, someone copied the data that eventually appears on the "NGP VAN" 7zip file (the subject of this analysis). This 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016.
    • Due to the estimated speed of transfer (23 MB/s) calculated in this study, it is unlikely that this initial data transfer could have been done remotely over the Internet.
    • The initial copying activity was likely done from a computer system that had direct access to the data. By "direct access" we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).
    • They may have copied a much larger collection of data than the data present in the NGP VAN 7zip. This larger collection of data may have been as large as 19 GB. In that scenario the NGP VAN 7zip file represents only 1/10th of the total amount of material taken.
    • This initial copying activity was done on a system where Eastern Daylight Time (EDT) settings were in force. Most likely, the computer used to initially copy the data was located somewhere on the East Coast.
    • The data was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy and this is a characteristic of the Linux 'cp' command (using default options).
    • A Linux OS may have been booted from a USB flash drive and the data may have been copied back to the same flash drive, which will likely have been formatted with the Linux (ext4) file system.
    • On September 1, 2016, two months after copying the initial large collection of (alleged) DNC related content (the so-called NGP/VAN data), a subset was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.
    • The computer system where the working directories were built had Eastern Daylight Time (EDT) settings in force. Most likely, this system was located somewhere on the East Coast.
    • The .rar files and plain files that eventually end up in the "NGP VAN" 7zip file disclosed by Guccifer 2.0 on 9/13/2016 were likely first copied to a USB flash drive, which served as the source data for the final 7zip file. There is no information to determine when or where the final 7zip file was built.
    The most important aspect about the report is the "estimated speed of transfer (23 MB/s)" at which the documents were copied. It's inconceivable DNC documents could have been copied at such speed from a remote location.

    Disobedient Media reports:
    Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet were too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection.

    This is extremely significant and completely discredits allegations of Russian hacking made by both Guccifer 2.0 and Crowdstrike.

    This conclusion is further supported by analysis of the overall transfer rate of 23 MB/s. The Forensicator described this as "possible when copying over a LAN, but too fast to support the hypothetical scenario that the alleged DNC data was initially copied over the Internet (esp. to Romania)." Guccifer 2.0 had claimed to originate in Romania. So in other words, this rate indicates that the data was downloaded locally, possibly using the local DNC network. The importance of this finding in regards to destroying the Russian hacking narrative cannot be understated.

    If the data is correct, then the files could not have been copied over a remote connection and so therefore cannot have been "hacked by Russia."

    The use of a USB drive would also strongly suggest that the person copying the files had physical access to a computer most likely connected to the local DNC network. Indications that the individual used a USB drive to access the information over an internal connection, with time stamps placing the creation of the copies in the East Coast Time Zone, suggest that the individual responsible for initially copying what was eventually published by the Guccifer 2.0 persona under the title "NGP-VAN" was located in the Eastern United States, not Russia.
    During the presidential campaign, POLITICO reported what now appears to be a disproven story about Guccifer 2.0 hacking and releasing DNC documents:
    The hacker persona Guccifer 2.0 has released a new trove of documents that allegedly reveal more information about the Democratic National Committee's finances and personal information on Democratic donors, as well as details about the DNC's network infrastructure.

    The cache also includes purported memos on tech initiatives from Democratic vice presidential nominee Tim Kaine's time as governor of Virginia, and some years-old missives on redistricting efforts and DNC donor outreach strategy.

    DNC interim chair Donna Brazile immediately tied the leak to GOP presidential nominee Donald Trump.

    "There's one person who stands to benefit from these criminal acts, and that's Donald Trump," she said in a statement Tuesday night, adding that Trump has "embraced" Russian President Vladimir Putin and "publicly encouraged further Russian espionage to help his campaign."
    POLITICO then suggests Guccifer 2.0 hacked into the DNC:
    If authentic, the documents would represent the latest strike from the mysterious hacker persona that has already roiled the 2016 election with leaks of documents stolen from the DNC and the House Democrat's campaign arm, the DCCC. Earlier document dumps include the internal communications that forced the resignation of former DNC Chairwoman Debbie Wasserman Schultz this summer and fueled allegations of party bias against Bernie Sanders.
    The bombshell report brings murdered DNC staffer Seth Rich back into focus, who many believe may have been the WikiLeaks source for the DNC emails.

    WND reports:
    Private investigators have claimed there is evidence Rich was the source WikiLeaks used to obtain thousands of DNC emails released on the eve of the party's presidential nominating convention last July. The emails, indicating the party was manipulating the primary race in favor of Hillary Clinton, led to the resignation of former DNC Chairwoman Rep. Debbie Wasserman Schultz. On July 22, just 12 days after Rich's death and days before the Democratic Party Convention in Philadelphia, WikiLeaks released 20,000 DNC emails.

    Also as WND has reported, former detective Rod Wheeler was initially hired by Rich's parents through a third party to find their son's killer. Wheeler alleges former interim DNC chairwoman Donna Brazile contacted the Metropolitan Police Department demanding to know why he was "snooping" after Wheeler began investigating Rich's murder. As a result, he said, law-enforcement authorities are now refusing to provide him with more details about the case.
    The Gateway Pundit will update the story at hand as more information comes to light. As we have reported copious times, the "Russia Hacking" story was never on solid footing and the report above appears to demonstrate just that.


    Related:

    Seth Rich investigation: Could it expose reality behind 'Russia elections hacking?'

    The Russian 'Hacking Scandal': A CNN and U.S. Deep State 'Nothing Burger'
    "La réalité est un rêve que l'on fait atterrir" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.


  3. Link to Post #2
    Fellow Aspirant, Avalon Member (Kingston, Ontario, Canada)

    Re: The DNC "Hack"... Not So!

    Re: "A mysterious IT specialist, who goes by the name The Forensicator, published a detailed report that appears to disprove the theory that the DNC was hacked by Russia."

    Ah, the old Forensicator strikes again! Love his stuff. He's always got the most truthful and inside information of anyone in the whole entire universe, ever!

    C'mon, seriously, who is this guy? Why should he be trusted about anything? Would I ever take the word of a mysterious stranger who claims to know the truth, the whole truth, and nothing but the truth?

    NYET, comrade.

    B.
    A human being is a part of the whole, called by us "Universe," a part limited in time and space. He experiences himself, his thoughts and feelings as something separate from the rest—a kind of optical delusion of his consciousness.

    Albert E.


  5. Link to Post #3
    Hervé, Administrator (Brittany, France)

    Re: The DNC "Hack"... Not So!

    Bit-by-bit Investigations and Deliberations


    Guccifer 2.0 NGP/VAN Metadata Analysis

    Overview

    This study analyzes the file metadata found in a 7zip archive file, 7dc58-ngp-van.7z, attributed to the Guccifer 2.0 persona. For an in depth analysis of various aspects of the controversy surrounding Guccifer 2.0, refer to Adam Carter’s blog, Guccifer 2.0: Game Over.

    Based on the analysis that is detailed below, the following key findings are presented:

    [...]

    Full article: https://theforensicator.wordpress.co...data-analysis/

    ===========================================

    So... Da! Camarade.


  7. Link to Post #4
    Paul, Avalon Retired Member (North Texas, United States)

    Re: The DNC "Hack"... Not So!

    Quote Posted by Hervé (here)
    Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet were too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection.
    Unless, perhaps, the file modification times were not reflecting the initial copy, but rather some subsequent copy.

    If I were to, say, copy some files slowly (say 10 or 20 Mbits/sec) over the Internet, onto a local hard drive, and then to copy them again quickly (say the above 23 Mbytes/sec), onto say a local removable flash drive, letting the file modification time stamp be set afresh on that second copy, then I would see what is reported here, that the file modification times reflect a transfer rate of 23 Mbytes/sec.


  9. Link to Post #5
    Hervé, Administrator (Brittany, France)

    Re: The DNC "Hack"... Not So!

    Quote Posted by Paul (here)
    [..]
    Unless, perhaps, the file modification times were not reflecting the initial copy, but rather some subsequent copy.
    [...]
    Wouldn't there be traces of such in the metadata as well?


  11. Link to Post #6
    Paul, Avalon Retired Member (North Texas, United States)

    Re: The DNC "Hack"... Not So!

    Quote Posted by Hervé (here)
    Wouldn't there be traces of such in the metadata as well?
    Probably not ... just copying files around typically only updates a few attributes on the files, such as time of last modification, which for naive, default, copies on Windows is the time some user application program last modified the file, and for naive, default copies on Linux is the time the file was last copied.

    There is more metadata internally within fancier format files, such as word processor documents, spreadsheets, image files and audio/video media files ... but that file internal data is unaffected by simply copying files about.


  13. Link to Post #7
    bbow73, Avalon Member (DC metro area, Japan)

    Re: The DNC "Hack"... Not So!

    I saw on Reddit a person that claimed to be a co-worker of Seth Rich, she said that he asked questions about why the Hillary2016 site advertised different primary voting locations than the .gov sites were advertising. Turns out the .gov locations were using electronic voting machines manufactured and programmed by a company (Dominion) associated with the Clinton Foundation, machines that were accused of being programmed to alter voting results (Clifton Eugene Curtis).

    This caused Seth Rich to dig deeper but unfortunately he was already too vocal in the questions he was asking.

    I'm in the DC area, I know the extremely quiet and safe and white-upperclass neighborhood where he was killed and I can't believe it didn't get more press just on that alone.
    No one is surprised or cares when a poor black kid is killed in Anacostia.


  15. Link to Post #8
    TargeT, Avalon Member (St. Croix, Virgin Islands)

    Re: The DNC "Hack"... Not So!

    Quote Posted by Fellow Aspirant (here)
    Re: "A mysterious IT specialist, who goes by the name The Forensicator, published a detailed report that appears to disprove the theory that the DNC was hacked by Russia."

    Ah, the old Forensicator strikes again! Love his stuff. He's always got the most truthful and inside information of anyone in the whole entire universe, ever!

    C'mon, seriously, who is this guy? Why should he be trusted about anything? Would I ever take the word of a mysterious stranger who claims to know the truth, the whole truth, and nothing but the truth?

    NYET, comrade.

    B.
    FORENSICator

    FORENSIC investigATOR

    Obviously this guy does this stuff often, this looks very similar to one of my incident response reports, we look at every possible piece of data, and the context in which it was collected to correlate ideas such as the OP article.. this is ROCK SOLID evidence in court (as long as proper evidence handling procedures have been followed) and an entrepreneurial person can make a LOT of money doing this for legal reasons (assisting with corporate espionage cases, theft etc...).


    I don't know who Forensicator is, but the points of data he is covering speak for themselves when viewed from a perspective of computer forensics.

    Quote Posted by Paul (here)
    Quote Posted by Hervé (here)
    Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet were too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection.
    Unless, perhaps, the file modification times were not reflecting the initial copy, but rather some subsequent copy.

    If I were to, say, copy some files slowly (say 10 or 20 Mbits/sec) over the Internet, onto a local hard drive, and then to copy them again quickly (say the above 23 Mbytes/sec), onto say a local removable flash drive, letting the file modification time stamp be set afresh on that second copy, then I would see what is reported here, that the file modification times reflect a transfer rate of 23 Mbytes/sec.
    If they are doing it correctly they are comparing times based on the original system (the "compromised" system).

    So Paul's explanation is still somewhat valid, but actually it works in the opposite direction (IE: the files would have to have been copied FASTER, then copied again).

    Quote Posted by Paul (here)
    Quote Posted by Hervé (here)
    Wouldn't there be traces of such in the metadata as well?
    Probably not ... just copying files around typically only updates a few attributes on the files, such as time of last modification, which for naive, default, copies on Windows is the time some user application program last modified the file, and for naive, default copies on Linux is the time the file was last copied.

    There is more metadata internally within fancier format files, such as word processor documents, spreadsheets, image files and audio/video media files ... but that file internal data is unaffected by simply copying files about.
    There is almost no trace that a file has been copied..

    The important part is the corroboration between times, and context... that's why it's so important that the evidence chain is handled correctly.

    The compromised system is "frozen in time" then worked on in ways that it would be impossible to change the original (usually a bit by bit copy of the system is made, then that copy is worked with while the original is preserved).

    This is a very very well established methodology and the court systems are pretty familiar with it and count it as very solid evidence when all controls are properly in place.
    Last edited by TargeT; 11th July 2017 at 18:13.
    Hard times create strong men, Strong men create good times, Good times create weak men, Weak men create hard times.
    Where are you?


  17. Link to Post #9
    Paul, Avalon Retired Member (North Texas, United States)

    Re: The DNC "Hack"... Not So!

    Quote Posted by TargeT (here)
    If they are doing it correctly they are comparing times based on the original system (the "compromised" system).

    So Paul's explanation is still somewhat valid, but actually it works in the opposite direction (IE: the files would have to have been copied FASTER, then copied again).
    I must be missing something in your thought process, TargeT.

    I would not think that any data or metadata on the original, compromised system would provide much useful evidence as to the rate at which hacker/cracker/leaker/... copied the data off.

    The one file attribute that might provide such evidence would be the file access time, which (depending on how the file system is configured) might be updated (aka "touched") every time the file is read. If, and only if one knew that one had captured/frozen the compromised system right after the hack/copy in question, and that the hack/copy was the last thing done to those files before it became frozen evidence, would one be able to calculate the rate of the copying off the drive, based on the various file access times and file sizes.

    However I am not aware of any suggestion that the hacked/compromised drive was frozen as evidence at the time of the hack/copy ... only much later.

    So that leaves the file modification times, which would not have been touched on the compromised drive during the hack/copy, but would (likely) have been touched (updated to the current system time) on whatever filesystem received the copied out data. Such touching of a copied (the received target of the copy) file's modification time to the time that the copy was completed is the typical default on Linux file systems.

    If, as the Forensicator seems to be telling us, there are several file modification times that are nearly the same, such that for files of those sizes, to be copied serially onto that receiving drive, the copy rate would have been too high for typical remote Internet access, and more like typical copy rates for flash drives or hard drives, then that tells me:
    1. Either someone was playing games with those file system modification times (easy to do for someone with the right skills and a weird sense of humor, but unlikely in reality), or
    2. those files were copied onto that receiving drive rapidly (at typical disk speeds, not at typical Internet speeds), or
    3. earlier in the copying history of those files, they were copied at typical, fast, disk speeds, and then any subsequent copies were careful to preserve those closely spaced file modification times.
    But it doesn't tell me (unless there is other evidence that applies here that I haven't noticed yet) that the receiving drive that the Forensicator was analyzing was the original receiving drive that got the data directly from the hacked/compromised system (via either a slow Internet or fast local copy, by his reasonable speculation.)

    We could, for all I know (which is not much) be dealing with several generations of copies, in which the "fast copy" (as distinguished by several file modification times being close in time) was one of the intermediate generations, after which subsequent copies were done in a way that preserved those close file modification times, and before which any number of fast and slow copies, preserving or not preserving file modification times, could have been done.
    Last edited by Paul; 11th July 2017 at 19:40.

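    To make the timestamp reasoning in Paul's post above, and in the report summary quoted in the opening post, concrete, here is an added example (it is not from the thread, from The Forensicator's report, or from any forum member): it estimates a copy rate from (size, last-modified time) pairs the way the summary describes, then simulates two generations of copying to show that the estimate describes whichever copy last rewrote the mtimes. The file names, sizes, the 2 MB/s remote rate and the three-hour gap are constructed assumptions; only the 23 MB/s figure and the 7/5/2016 6:45 PM EDT time come from the thread.

```python
"""Added example, not from the thread or from The Forensicator's report.

Reconstructs the timestamp reasoning discussed above: estimate a copy rate
from (size, last-modified time) pairs on the receiving copy, then simulate
generations of copying to show which generation the estimate describes.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List

# Eastern Daylight Time, the zone the report summary says was in force.
EDT = timezone(timedelta(hours=-4))


@dataclass(frozen=True)
class FileMeta:
    """Per-file metadata of the kind a 7zip or rar listing records."""
    name: str
    size: int          # bytes
    mtime: datetime    # last-modified time as stored on this copy


def estimate_rate_mb_s(files: List[FileMeta]) -> float:
    """Estimate the sustained copy rate in MB/s from mtimes and sizes.

    Same reasoning as the report summary quoted in the opening post: if the
    files were written one after another and each mtime was stamped when
    that file's copy finished, then between the earliest and the latest
    mtime exactly the bytes of every file except the first were written.
    """
    ordered = sorted(files, key=lambda f: f.mtime)
    if len(ordered) < 2:
        raise ValueError("need at least two files to measure an interval")
    elapsed = (ordered[-1].mtime - ordered[0].mtime).total_seconds()
    if elapsed <= 0:
        raise ValueError("mtimes coincide: no interval to measure")
    transferred = sum(f.size for f in ordered[1:])
    return transferred / elapsed / 1e6


def copy_generation(files: List[FileMeta], start: datetime,
                    rate_mb_s: float, preserve_mtimes: bool) -> List[FileMeta]:
    """Simulate one generation of copying, file by file, at rate_mb_s.

    preserve_mtimes=False models the Linux `cp` default that Paul describes
    (each mtime becomes the time that file's copy finished).
    preserve_mtimes=True models a copy that keeps the source mtime
    (`cp -p`, a Windows Explorer copy, or extracting a rar/7zip archive).
    """
    clock = start
    out = []
    for f in files:
        clock += timedelta(seconds=f.size / (rate_mb_s * 1e6))
        out.append(f if preserve_mtimes else replace(f, mtime=clock))
    return out


# Constructed source files: mtimes are when a user last edited each file,
# weeks apart, so they say nothing about any later copy. Sizes are invented.
SOURCE = [
    FileMeta("doc_a.xlsx", 10_000_000, datetime(2016, 5, 2, 9, 15, tzinfo=EDT)),
    FileMeta("doc_b.pdf",  40_000_000, datetime(2016, 5, 20, 14, 0, tzinfo=EDT)),
    FileMeta("doc_c.docx", 25_000_000, datetime(2016, 6, 11, 11, 30, tzinfo=EDT)),
    FileMeta("doc_d.docx",  5_000_000, datetime(2016, 6, 28, 16, 45, tzinfo=EDT)),
    FileMeta("doc_e.pptx", 20_000_000, datetime(2016, 7, 1, 10, 5, tzinfo=EDT)),
]
# 7/5/2016 at about 6:45 PM Eastern, the copy time given in the report summary.
T0 = datetime(2016, 7, 5, 18, 45, tzinfo=EDT)


def scenario(second_copy_preserves: bool) -> float:
    """Two generations: an assumed slow remote copy at 2 MB/s, then a fast
    local copy at the report's 23 MB/s three hours later (gap assumed).
    Returns the rate an analyst would read off the final copy's mtimes."""
    gen1 = copy_generation(SOURCE, T0, rate_mb_s=2.0, preserve_mtimes=False)
    gen2 = copy_generation(gen1, T0 + timedelta(hours=3), rate_mb_s=23.0,
                           preserve_mtimes=second_copy_preserves)
    # Packing gen2 into .rar/.7z keeps member mtimes, so a further archive
    # generation would report the same figure.
    return estimate_rate_mb_s(gen2)


if __name__ == "__main__":
    print(f"fast local copy rewrote the mtimes : {scenario(False):.1f} MB/s")
    print(f"fast local copy preserved mtimes   : {scenario(True):.1f} MB/s")
    print(f"source mtimes alone                : {estimate_rate_mb_s(SOURCE):.3f} MB/s")
```

    The two scenario runs give 23 MB/s and 2 MB/s from the same data, which is Paul's point: the receiving copy's mtimes record the last copy that reset them, not necessarily the copy off the original system.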

  19. Link to Post #10
    TargeT, Avalon Member (St. Croix, Virgin Islands)

    Re: The DNC "Hack"... Not So!

    Quote Posted by Paul (here)
    Quote Posted by TargeT (here)
    If they are doing it correctly they are comparing times based on the original system (the "compromised" system).

    So Paul's explanation is still somewhat valid, but actually it works in the opposite direction (IE: the files would have to have been copied FASTER, then copied again).
    I must be missing something in your thought process, TargeT.

    I would not think that any data or metadata on the original, compromised system would provide much useful evidence as to the rate at which hacker/cracker/leaker/... copied the data off.
    It's the comparison of the two that is significant, not just one or the other. Correlation and corroboration are a big part of it.

    Quote Posted by Paul (here)
    The one file attribute that might provide such evidence would be the file access time, which (depending on how the file system is configured) might be updated (aka "touched") every time the file is read.
    That's generally what's used.

    Quote Posted by Paul (here)
    If, and only if one knew that one had captured/frozen the compromised system right after the hack/copy in question, and that the hack/copy was the last thing done to those files before it became frozen evidence, would one be able to calculate the rate of the copying off the drive, based on the various file access times and file sizes.
    This can be reasonably ascertained via logs, and is also why it's so important to report hacking early on.

    Quote Posted by Paul (here)
    However I am not aware of any suggestion that the hacked/compromised drive was frozen as evidence at the time of the hack/copy ... only much later.
    Much later still works, as long as the files haven't been accessed.

    The point is to freeze the system as soon as compromise is discovered and start the forensic investigation.

    Quote Posted by Paul (here)
    If, as the Forensicator seems to be telling us, there are several file modification times that are nearly the same, such that for files of those sizes, to be copied serially onto that receiving drive, the copy rate would have been too high for typical remote Internet access, and more like typical copy rates for flash drives or hard drives, then that tells me:
    1. Either someone was playing games with those file system modification times (easy to do for someone with the right skills and a weird sense of humor, but unlikely in reality), or
    2. those files were copied onto that receiving drive rapidly (at typical disk speeds, not at typical Internet speeds), or
    3. earlier in the copying history of those files, they were copied at typical, fast, disk speeds, and then any subsequent copies were careful to preserve those closely spaced file modification times.
    But it doesn't tell me (unless there is other evidence that applies here that I haven't noticed yet) that the receiving drive that the Forensicator was analyzing was the original receiving drive that got the data directly from the hacked/compromised system (via either a slow Internet or fast local copy, by his reasonable speculation.)
    I don't think you're viewing this report from the right angle.

    I haven't read the detailed report nor seen any of the data myself, so we can speculate a lot here. I'm just saying, based on the OP, I'm seeing the correct language and data points for someone that knows what he's doing. Until I verify it for myself that's all I have to go on.

    I would imagine he is doing a meta analysis, not a direct analysis (IE: he's going over data that was put forth by whoever "investigated" this, then leaked the investigation as it demonstrated Russian involvement. THAT evidence has been used to show it couldn't be Russia because the transfer times were too rapid).

    Basically he's doing exactly what I did with Corey's LinkedIn...... That's all I'm willing to firmly say about this without seeing more.

    Meta analysis is very powerful.. I have ALL THE TIME IN THE WORLD to catch you in a lie with meta analysis.


  21. Link to Post #11
    Paul, Avalon Retired Member (North Texas, United States)

    Re: The DNC "Hack"... Not So!

    Quote Posted by TargeT (here)
    Quote Posted by Paul (here)
    The one file attribute that might provide such evidence would be the file access time, which (depending on how the file system is configured) might be updated (aka "touched") every time the file is read.
    That's generally what's used.
    Wouldn't that depend on whether one had the source disk (use the access times) or the target disk (use the modification times)?
    Quote Posted by TargeT (here)
    Quote Posted by Paul (here)
    If, and only if one knew that one had captured/frozen the compromised system right after the hack/copy in question, and that the hack/copy was the last thing done to those files before it became frozen evidence, would one be able to calculate the rate of the copying off the drive, based on the various file access times and file sizes.
    This can be reasonably ascertained via logs, and is also why it's so important to report hacking early on.

    Quote Posted by Paul (here)
    However I am not aware of any suggestion that the hacked/compromised drive was frozen as evidence at the time of the hack/copy ... only much later.
    Much later still works, as long as the files haven't been accessed.

    The point is to freeze the system as soon as compromise is discovered and start the forensic investigation.
    Logs will tell you some accesses, if the program doing the access happens to log relevant activity. They don't tell you most, much less all, accesses, except under the penalty of a serious performance impact.

    Since almost certainly no one was logging all file system activity on those systems, your criterion "so long as the files haven't been accessed" is practically impossible to meet, with evidentiary certainty, in this case.

    In this case, in particular, I presume that someone, associated with the DNC, and/or with the Awan brothers (such as George Webb is reporting on) was backing up that data regularly. So unless I could prove otherwise, I would not be surprised to learn that the file access times reflected the time and transfer rates of the last backup, which would probably have been done over a fast data channel. Any such backup done after the hack/leak copy was made would quite likely (depending on the backup algorithm) have updated the file access times to newer times, destroying the usefulness of those file access times to analyze the speed of the data channel or disk used to exfiltrate the data (the hack/leak).

    In short, I presume we agree that this compromised system was not frozen as part of forensic investigation the instant that the hack/leak copy was made, whether to a local removable drive or over the Internet.

  22. The Following 2 Users Say Thank You to Paul For This Post:

    Sammy (11th July 2017), TargeT (12th July 2017)

  23. Link to Post #12
    United States Avalon Retired Member

    Default Re: The DNC "Hack"... Not So!

    Notice that the article in the opening post of this thread says "This study analyzes the file metadata found in a 7zip archive file, 7dc58-ngp-van.7z, attributed to the Guccifer 2.0 persona."

    This reads to me as saying The Forensicator was analyzing the "target" or copied data, not the "source" data on the DNC disks. So they would be analyzing modification times, not access times, which brings to bear my above comments that I don't know how many times (generations) this hacked/leaked data was copied, and in which of those copies the file modification times were last touched (updated.)

    My further reading of The Forensicator's report, at https://theforensicator.wordpress.co...data-analysis/, and as posted above, is consistent with this conclusion. They were looking at copies of copies (at least three generations of copies, including the Windows rar archive used to make the 7zip file.) Those last two generations, rar and 7zip, would not have changed the individual file modification times. But I don't know whether one or more generations of copies were made in the process of exfiltrating the data from the DNC computer, to the creation of the Windows rar files, nor do I know which of these potentially multiple generations last updated (touched) the individual file modification times.
    Last edited by Paul; 12th July 2017 at 00:18.

  24. The Following User Says Thank You to Paul For This Post:

    Sammy (11th July 2017)

  25. Link to Post #13
    France Administrator Hervé's Avatar

    Default Re: The DNC "Hack"... Not So!

    This may help:

    New analysis suggests Guccifer 2.0 files copied locally, not hacked by Russia

    RT
    Published time: 12 Jul, 2017 00:42

    Files stolen from the Democratic National Committee (DNC) were likely downloaded to a USB drive by someone with physical access to a computer connected to the DNC network, not hacked remotely by Russia, according to a new analysis.

    In an interview with Motherboard in June 2016, the hacker who claimed to be Guccifer 2.0 said he used a zero-day exploit to breach the DNC server and steal files he later published under the title “NGP-VAN.”

    The leak was quickly attributed to the Russian government. However, a document published Sunday by an individual known as the Forensicator shows how the 7-zip file published by Guccifer 2.0 was transferred at a speed of 23 MB/s, making it “unlikely that this initial data transfer could have been done remotely over the Internet.”
    “The initial copying activity was likely done from a computer system that had direct access to the data,” the report from the Forensicator stated. “By ‘direct access’ we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).”
    For his analysis, the Forensicator looked at the data from the 7-zip file which showed the .rar files were built on September 1, 2016, while the other files were last modified on July 5, 2016. When the .rar files are unpacked using a program called WinRAR, their timestamps are preserved from the date they were transferred.

    The timestamps of those .rar files were relative times, while the times recorded in the 7-zip files are absolute times, recorded in Coordinated Universal Time (UTC). The Forensicator found that if the .rar files were adjusted to Eastern Time, they “fall into the same range as the last modified times for the directories archived in the .rar files.”

    Therefore, the Forensicator concludes that the files were built on a computer system where the Eastern Daylight Savings Time (EDT) timezone setting was in force, meaning that the system was most likely located on the East Coast of the US.

    The Forensicator then generated a list of the files sorted by the date they were last modified and imported the list into an Excel spreadsheet. Analyzing the files by date last modified, he observed that the last modified times were clustered together in a 14-minute time period on July 5, 2016.

    The analysis of the metadata also found a majority of the time it took for the files to be copied, 12 minutes and 48 seconds of the 14 minutes and 15 seconds, was allocated to “time gaps” that appear between several top-level files and directories. The Forensicator concluded that this indicated that the files were chosen from a much larger collection of files.

    Estimating the transfer speed of the files published by Guccifer, the Forensicator concluded that if the 1.98 GB 7-zip archive published by Guccifer was copied at a rate of 22.6 MB/s, and all the time gaps were attributed to additional file copying, the initial file copy would be 10 times larger, or 19.3 GB.

  26. The Following 2 Users Say Thank You to Hervé For This Post:

    Sammy (12th July 2017), TargeT (12th July 2017)
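    The method the article describes (sort the archive listing by last-modified time, measure the spread, separate "time gaps" from copying time, estimate a rate, then ask how much data the gaps could hide) and the timezone check on the RAR-versus-7-Zip timestamps can both be reproduced as a small script. The one below is an added example for this thread, not the Forensicator's code and not from any poster; it runs on a constructed ten-file listing (file names, sizes and the 22:40 UTC / 18:40 EDT timestamps are all made up for the demo), so the numbers it prints are the sample's, not the report's 22.6 MB/s and 19.3 GB. The 30-second gap threshold is likewise an assumption.

```python
"""Archive-listing timestamp analysis on a constructed sample (not the Forensicator's data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

UTC = timezone.utc


@dataclass(frozen=True)
class Entry:
    path: str
    size: int         # bytes
    mtime: datetime   # last-modified time as recorded in the archive (UTC-aware)


def _at(seconds: int) -> datetime:
    """Constructed-sample helper: seconds after 2016-07-05 22:40:00 UTC (18:40 EDT)."""
    return datetime(2016, 7, 5, 22, 40, 0, tzinfo=UTC) + timedelta(seconds=seconds)


# Constructed listing: three bursts of fast writes separated by two idle gaps (300 s and 180 s).
SAMPLE: List[Entry] = [
    Entry("a/file1.bin", 25_000_000, _at(0)),
    Entry("a/file2.bin", 50_000_000, _at(2)),
    Entry("a/file3.bin", 25_000_000, _at(3)),
    Entry("a/file4.bin", 75_000_000, _at(6)),
    Entry("b/file1.bin", 50_000_000, _at(306)),
    Entry("b/file2.bin", 100_000_000, _at(310)),
    Entry("b/file3.bin", 25_000_000, _at(311)),
    Entry("c/file1.bin", 25_000_000, _at(491)),
    Entry("c/file2.bin", 50_000_000, _at(493)),
    Entry("c/file3.bin", 75_000_000, _at(496)),
]

# Constructed pair of stamps for one file: a naive local time (the way RAR stores it) and
# the absolute UTC time (the way 7-Zip stores it).
RAR_LOCAL_SAMPLE = datetime(2016, 7, 5, 18, 46, 0)
SEVENZIP_UTC_SAMPLE = datetime(2016, 7, 5, 22, 46, 0, tzinfo=UTC)


def analyze(entries: List[Entry], gap_threshold_s: float = 30.0) -> Dict[str, float]:
    """Estimate copy throughput from the spread of mtimes.

    Assumes each mtime was set when that file's copy finished, i.e. the copy did NOT
    preserve source timestamps. The interval between two consecutive mtimes is then roughly
    the time spent writing the later file; intervals longer than gap_threshold_s are treated
    as gaps rather than writing time.
    """
    ordered = sorted(entries, key=lambda e: e.mtime)
    if len(ordered) < 2:
        raise ValueError("need at least two entries")
    total_bytes = sum(e.size for e in ordered)
    span_s = (ordered[-1].mtime - ordered[0].mtime).total_seconds()
    dense_bytes, dense_s, gap_s = 0, 0.0, 0.0
    for prev, cur in zip(ordered, ordered[1:]):
        delta = (cur.mtime - prev.mtime).total_seconds()
        if delta > gap_threshold_s:
            gap_s += delta            # idle, or copying of files not in this archive
        else:
            dense_bytes += cur.size   # files sharing a second still count as bytes written
            dense_s += delta
    dense_rate = dense_bytes / dense_s if dense_s else float("nan")
    return {
        "total_bytes": total_bytes,
        "span_seconds": span_s,
        "gap_seconds": gap_s,
        "naive_rate_bps": total_bytes / span_s,   # lower bound: counts the gaps as copying time
        "dense_rate_bps": dense_rate,             # throughput during the bursts
        # If the gaps were spent copying other material at the burst rate, this is how much
        # data the whole session could have moved.
        "implied_total_bytes": total_bytes + dense_rate * gap_s,
    }


def infer_utc_offset_hours(local_naive: datetime, utc_aware: datetime) -> float:
    """UTC offset (hours) under which a naive local-time stamp equals an absolute UTC stamp."""
    delta = local_naive - utc_aware.astimezone(UTC).replace(tzinfo=None)
    return round(delta.total_seconds() / 3600, 2)


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(f"span {r['span_seconds']:.0f} s, of which gaps {r['gap_seconds']:.0f} s")
    print(f"naive rate {r['naive_rate_bps'] / 1e6:.2f} MB/s, burst rate {r['dense_rate_bps'] / 1e6:.2f} MB/s")
    print(f"implied total if the gaps were copying: {r['implied_total_bytes'] / 1e9:.1f} GB")
    off = infer_utc_offset_hours(RAR_LOCAL_SAMPLE, SEVENZIP_UTC_SAMPLE)
    print(f"local-vs-UTC offset {off:+.1f} h (UTC-4 fits US Eastern Daylight Time, but also "
          "other UTC-4 zones, so the offset alone does not fix a location)")
```

    Two caveats the script makes visible: the burst-rate figure is only meaningful if the copy that produced these mtimes did not preserve the source timestamps, and the "implied total" is an upper bound that assumes every gap was spent copying, when a gap could just as well be a pause. Both are the same limitations Paul raises above about copies of copies.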

  27. Link to Post #14
    United States Avalon Retired Member

    Default Re: The DNC "Hack"... Not So!

    The document, linked above several times, as published Sunday by the Forensicator, makes some more sense to me.

    He's dealing with the file modification times, not access times, and he's found a fair bit of interesting data from the time the (downloaded/hacked/leaked/...) files were first bundled into .rar files, and then those in turn bundled into 7-zip files. Both rar and zip archive formats preserve a record of the modification times of the files being bundled into the archive, and the exact details of those timestamps provide clues as to what happened.

    I still don't see any evidence that Forensicator's analysis can show us whether or not the individual files inside those .rar files are the -direct- download/copy from the hacked/leaked DNC system. We can see from the modification times that those individual files were created rapidly, at a speed of approx 22.6 MBytes/sec, suggesting those individual files were copied over a fast local network or onto a removable hard drive or flash drive, not over a (typically much slower) Internet connection. But for all I (still) know, those individual files may have already had a complicated path, over perhaps fast, perhaps slow, means from when they were first hacked/leaked from the DNC computer, to when they ended up on the drive where the .rar archives were created.

  28. The Following 2 Users Say Thank You to Paul For This Post:

    Hervé (12th July 2017), TargeT (12th July 2017)

  29. Link to Post #15
    Virgin Islands Avalon Member TargeT's Avatar

    Default Re: The DNC "Hack"... Not So!

    Quote Posted by Paul (here)
    I still don't see any evidence that Forensicator's analysis can show us whether or not the individual files inside those .rar files are the -direct- download/copy from the hacked/leaked DNC system. We can see from the modification times that those individual files were created rapidly, at a speed of approx 22.6 MBytes/sec, suggesting those individual files were copied over a fast local network or onto a removable hard drive or flash drive, not over a (typically much slower) Internet connection. But for all I (still) know, those individual files may have already had a complicated path, over perhaps fast, perhaps slow, means from when they were first hacked/leaked from the DNC computer, to when they ended up on the drive where the .rar archives were created.
    From reading Herve's latest post it appears he's just trying to show that the zip file was created on the east coast, and the DNC files, after copy from the original source (or whatever source), were not transferred over the internet to create the final zip; it all happened on the east coast (as far as the released zip file is concerned) or at least on a computer with east coast time zone settings.

    So this is a lot more basic than I thought at first, I thought they had the compromised system and were working backward from logs etc..

    Still somewhat interesting.

  30. The Following 2 Users Say Thank You to TargeT For This Post:

    Hervé (12th July 2017), Paul (12th July 2017)

  31. Link to Post #16
    United States Avalon Retired Member

    Default Re: The DNC "Hack"... Not So!

    Quote Posted by TargeT (here)
    From reading Herve's latest post it appears he's just trying to show that the zip file was created on the east coast, and the DNC files, after copy from the original source (or whatever source), were not transferred over the internet to create the final zip; it all happened on the east coast (as far as the released zip file is concerned) or at least on a computer with east coast time zone settings.

    So this is a lot more basic than I thought at first, I thought they had the compromised system and were working backward from logs etc..

    Still somewhat interesting.
    Yup - exactly.

    The click-bait thread title and opening summary description of Forensicator's report had (as happens so often) promised a more compelling conclusion than his work actually justified.

    If the title and summaries had been accurate then your instincts would have matched mine ... that they pretty much would have had to pwn the compromised system to determine that much.

  32. The Following 2 Users Say Thank You to Paul For This Post:

    Hervé (12th July 2017), TargeT (12th July 2017)
