The whole narrative that Russia hacked the election is slowly coming undone, and a new report casts further doubt on the claims that it was the Russians who hacked the DNC’s email server and then published the material via Guccifer 2.0.
An IT specialist who goes by the name of The Forensicator analyzed the contents of the hacked data and determined that it would be impossible for someone to have obtained it through a remote Internet connection. Further, the files appear to have been copied locally just five days before DNC staffer Seth Rich was mysteriously gunned down outside of his Washington, D.C. apartment last year, which suggests he did, in fact, have a role in getting the damaging information out to the public.
The Forensicator laid out their argument in ten bullet points, summarizing the complex methods used to determine that the data wasn’t actually hacked, but instead copied directly from the server.
Based on the analysis that is detailed below, the following key findings are presented:
On 7/5/2016 at approximately 6:45 PM Eastern time, someone copied the data that eventually appears on the “NGP VAN” 7zip file (the subject of this analysis). This 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016.
Due to the estimated speed of transfer (23 MB/s) calculated in this study, it is unlikely that this initial data transfer could have been done remotely over the Internet.
The initial copying activity was likely done from a computer system that had direct access to the data. By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).
They may have copied a much larger collection of data than the data present in the NGP VAN 7zip. This larger collection of data may have been as large as 19 GB. In that scenario the NGP VAN 7zip file represents only 1/10th of the total amount of material taken.
This initial copying activity was done on a system where Eastern Daylight Time (EDT) settings were in force. Most likely, the computer used to initially copy the data was located somewhere on the East Coast.
The data was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy and this is a characteristic of the Linux ‘cp’ command (using default options).
A Linux OS may have been booted from a USB flash drive and the data may have been copied back to the same flash drive, which will likely have been formatted with the Linux (ext4) file system.
On September 1, 2016, two months after copying the initial large collection of (alleged) DNC related content (the so-called NGP/VAN data), a subset was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.
The computer system where the working directories were built had Eastern Daylight Time (EDT) settings in force. Most likely, this system was located somewhere on the East Coast.
The .rar files and plain files that eventually end up in the “NGP VAN” 7zip file disclosed by Guccifer 2.0 on 9/13/2016 were likely first copied to a USB flash drive, which served as the source data for the final 7zip file. There is no information to determine when or where the final 7zip file was built.
Basically, The Forensicator is saying they were able to determine that someone used a flash drive plugged directly into a computer on the same network as the email server, if not the email server itself. The transfer speed is the most important indicator of this, since it would be all but impossible for someone to be able to copy the files so fast from a remote location, such as Romania, where Guccifer 2.0 claims to reside.
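An added example (not from the original article or from The Forensicator's study) of how a transfer rate can be estimated from last-modified times, assuming each timestamp marks the moment that file's copy finished. The sample records, the 5-second pause threshold and all function names are constructed for illustration; the comparison with a naive estimate shows how pauses between runs of files change the result.

```python
from datetime import datetime, timedelta

# Constructed sample records: (path, size in bytes, last-modified time). Not real data.
T0 = datetime(2016, 7, 5, 18, 45, 0)
SAMPLE = [
    ("a/one.doc", 10_000_000, T0),
    ("a/two.doc", 46_000_000, T0 + timedelta(seconds=2)),
    ("a/three.doc", 46_000_000, T0 + timedelta(seconds=4)),
    ("a/four.doc", 23_000_000, T0 + timedelta(seconds=5)),
    # ten-minute pause before the next run of files
    ("b/five.doc", 5_000_000, T0 + timedelta(seconds=605)),
    ("b/six.doc", 46_000_000, T0 + timedelta(seconds=607)),
    ("b/seven.doc", 69_000_000, T0 + timedelta(seconds=610)),
]

def bursts(records, max_gap_s=5.0):
    """Group records, ordered by mtime, into runs with no pause longer than max_gap_s."""
    runs, current = [], []
    for rec in sorted(records, key=lambda r: r[2]):
        if current and (rec[2] - current[-1][2]).total_seconds() > max_gap_s:
            runs.append(current)
            current = []
        current.append(rec)
    if current:
        runs.append(current)
    return runs

def overall_rate_mb_s(records, max_gap_s=5.0):
    """Bytes written inside bursts divided by time spent inside bursts (MB/s)."""
    moved = elapsed = 0.0
    for run in bursts(records, max_gap_s):
        # The first file's bytes were written before its timestamp, so they
        # fall outside the measured interval and are left out.
        moved += sum(size for _, size, _ in run[1:])
        elapsed += (run[-1][2] - run[0][2]).total_seconds()
    return moved / elapsed / 1e6 if elapsed else None

def naive_rate_mb_s(records):
    """Total bytes over the full first-to-last span; pauses drag this figure down."""
    times = [t for _, _, t in records]
    span = (max(times) - min(times)).total_seconds()
    return sum(size for _, size, _ in records) / span / 1e6 if span else None

if __name__ == "__main__":
    print(len(bursts(SAMPLE)), overall_rate_mb_s(SAMPLE), round(naive_rate_mb_s(SAMPLE), 2))
```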
From the Disobedient Media [emphasis added]:
Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet was too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection.
This is extremely significant and completely discredits allegations of Russian hacking made by both Guccifer 2.0 and Crowdstrike.
This conclusion is further supported by analysis of the overall transfer rate of 23 MB/s. The Forensicator described this as “possible when copying over a LAN, but too fast to support the hypothetical scenario that the alleged DNC data was initially copied over the Internet (esp. to Romania).” Guccifer 2.0 had claimed to originate in Romania. So in other words, this rate indicates that the data was downloaded locally, possibly using the local DNC network. The importance of this finding in regards to destroying the Russian hacking narrative cannot be understated.
If the data is correct, then the files could not have been copied over a remote connection and therefore cannot have been “hacked by Russia.”
The use of a USB drive would also strongly suggest that the person copying the files had physical access to a computer most likely connected to the local DNC network. Indications that the individual used a USB drive to access the information over an internal connection, with time stamps placing the creation of the copies in the East Coast Time Zone, suggest that the individual responsible for initially copying what was eventually published by the Guccifer 2.0 persona under the title “NGP-VAN” was located in the Eastern United States, not Russia.
It’s been widely reported that “the Russians” were responsible for “hacking” the DNC’s server, although the DNC refused to have federal law enforcement examine the unit to determine if that was the case or not, which in and of itself casts suspicion on their claims – one would think that the “victim” of such an attack would want the best of the best looking into it. Now this report casts further suspicions on the Democrats’ dubious claims of Russian hacking, and brings the focus back onto Seth Rich, who many believe was the source of the leaked information.
[H/T: Gateway Pundit]