New Research Shows DNC Network Files Were Copied Locally, Not Hacked
By Elizabeth Vos
July 10, 2017 "Information Clearing House" - New
meta-analysis has emerged from a document published
today by an independent researcher known as The
Forensicator, which suggests that files
eventually published by the Guccifer 2.0 persona
were likely initially downloaded by a person
with physical access to a computer possibly
connected to the internal DNC network. The
individual most likely used a USB drive to copy
the information. The groundbreaking new analysis
irrevocably destroys the Russian hacking
narrative, and calls the actions of Crowdstrike
and the DNC into question.
The
document
supplied to Disobedient Media via Adam Carter
was authored by an individual known as The
Forensicator. The full document referenced here
has been published on their blog.
Their analysis indicates the data was almost
certainly not accessed initially by a remote
hacker, much less one in Russia. If true, this
analysis obliterates the Russian hacking
narrative completely.
The Forensicator specifically discusses the data
that was eventually published by Guccifer 2.0
under the title “NGP-VAN.” This should not be
confused with the separate publication of the
DNC emails by Wikileaks. This article focuses
solely on evidence stemming from the files
published by Guccifer 2.0, which were previously
discussed in depth by Adam
Carter.
Disobedient Media previously
reported that Crowdstrike is the only group that
has directly analyzed the DNC servers. Other
groups including ThreatConnect have
used the information provided by Crowdstrike to
claim that Russians hacked the DNC. However,
their evaluation was based solely on information
ultimately provided by Crowdstrike; this places
the company in the unique position of being the
only direct source of evidence that a hack
occurred.
The group’s President Shawn
Henry is a
retired executive assistant director of the FBI
while their co-founder and
CTO, Dmitri Alperovitch, is a senior fellow at
the Atlantic Council, which as we have reported,
is linked to George Soros. Carter has stated on
his website that “At
present, it looks a LOT like Shawn Henry &
Dmitri Alperovitch (CrowdStrike executives),
working for either the HRC campaign or DNC
leadership were very likely to have been behind
the Guccifer 2.0 operation.” Carter’s website was
described by Wikileaks as
a useful source of primary information
specifically regarding Guccifer 2.0.
Carter recently spoke to Disobedient Media,
explaining that he had been contacted by The
Forensicator, who
had published a document which contained a
detailed analysis of the data published by
Guccifer 2.0 as “NGP-VAN.”
The document states that the files that were
eventually published as
“NGP-VAN” by Guccifer 2.0 were first copied to a
system located in the Eastern Time Zone, with
this conclusion supported by the observation
that “the .7z file times, after adjustment to
East Coast time fall into the range of the file
times in the .rar files.” This constitutes the
first of a number of points of analysis which
suggest that the information eventually
published by the Guccifer 2.0 persona was not
obtained by a Russian hacker.
The Forensicator stated
in their analysis that a USB drive was most
likely used to boot Linux OS onto a computer
that either contained the alleged DNC files or
had direct access to them. They also explained
to us that in this situation one would simply
plug a USB drive with the Linux OS into a
computer and reboot it; after restarting, the
computer would boot from the USB drive and load
Linux instead of its normal OS. A large amount
of data would then be copied to this same USB
drive.
In this
case, additional files would have been copied en
masse, to be “pruned” heavily at a later time
when the 7zip archive now known as NGP-VAN was
built. The Forensicator wrote that if 1.98 GB of
data had been copied at a rate of 22.6 MB/s and
the time gaps that were noticed at the top level
of the NGP-VAN 7zip file were attributed to additional
file copying, then approximately 19.3 GB in
total would have been copied. In this scenario,
the 7zip archive (NGP-VAN) would represent only
about 10% of the total amount of data that was
collected.
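
The arithmetic behind this kind of estimate can be reproduced from an archive listing. The following is an added example, not code from The Forensicator's document or from this article; the listing is constructed, and it assumes each file's last-modified time marks the end of its write during one sequential copy.

```python
from datetime import datetime

MB = 1_000_000

def ts(hms):
    """Parse a constructed HH:MM:SS last-modified time (same day assumed)."""
    return datetime.strptime(hms, "%H:%M:%S")

# Constructed listing of (mtime, size in bytes); NOT values from the NGP-VAN archive.
SAMPLE = [
    (ts("12:00:00"), 40 * MB),
    (ts("12:00:03"), 60 * MB),
    (ts("12:00:05"), 40 * MB),
    (ts("12:01:05"), 20 * MB),  # 60 s after the previous file: a "time gap"
    (ts("12:01:07"), 40 * MB),
]

def estimate_copy(entries, gap_threshold_s=10.0):
    """Estimate copy rate from back-to-back files, then size the data the gaps could hold.

    Assumption: the interval between consecutive mtimes is the time spent writing
    the later file, unless it exceeds gap_threshold_s (a hypothetical cut-off).
    """
    entries = sorted(entries)
    bursts, gaps = [], []
    for (prev_t, _), (cur_t, size) in zip(entries, entries[1:]):
        dt = (cur_t - prev_t).total_seconds()
        (gaps if dt > gap_threshold_s else bursts).append((dt, size))
    busy_s = sum(dt for dt, _ in bursts)
    if busy_s <= 0:
        # Second-granularity timestamps or a listing made only of gaps give no rate.
        raise ValueError("no usable intervals to derive a transfer rate")
    rate = sum(size for _, size in bursts) / busy_s  # bytes per second
    # Bytes that would fit in each gap at that rate, minus the file that closes the gap.
    unseen = sum(max(0.0, dt * rate - size) for dt, size in gaps)
    present = sum(size for _, size in entries)
    return {
        "rate_mb_s": rate / MB,
        "present_mb": present / MB,
        "unseen_mb": unseen / MB,
        "share_present": present / (present + unseen),
    }

if __name__ == "__main__":
    print(estimate_copy(SAMPLE))
```

The result depends entirely on the gap threshold and on the timestamps reflecting the copy in question rather than a later re-copy or re-archiving step.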
The
very small proportion of files eventually
selected for use in the creation of the
“NGP-VAN” files were later published by the
creators of the Guccifer 2.0 persona. This
point is especially significant, as it suggests
the possibility that up to 90% of the
information initially copied was never
published.
The use
of a USB drive would suggest that the person
first accessing the data could not have been a
Russian hacker. In this case, the person who
copied the files must have physically interacted
with a computer that had access to what Guccifer
2.0 called the DNC files. A less likely
explanation for this data pattern, in which large
time gaps were observed between top-level files
and directories in the 7zip file, is the use of
‘think time’ to select and copy 1.9 GB of
individual files, copied in small batches with
think time interspersed. In either scenario,
Linux would have been booted from a USB drive,
which fundamentally necessitates physical access
to a computer with the alleged DNC files.
The
Forensicator believed that using the possible
‘think-time’ explanation to explain the
time-gaps was a less likely explanation for the
data pattern available, with a large amount of
data most likely copied instantaneously, later
“pruned” in the production of Guccifer 2.0’s
publication of the NGP-VAN files.
Both
the most likely explanation and the less likely
scenario provided by The Forensicator’s analysis
virtually exclude the possibility of a Russian
or remote hacker gaining external access to the
files later published as “NGP-VAN.” In both
cases, the physical presence of a person
accessing a computer containing DNC information
would be required.
Importantly, The Forensicator concluded that
the chance that the files had been accessed
and downloaded remotely over the internet
was too small to give this idea any serious
consideration. He explained that the
calculated transfer speeds for the initial
copy were much faster than can be supported
by an internet connection. This is extremely
significant and completely discredits
allegations of Russian hacking made by both
Guccifer 2.0 and Crowdstrike.
This conclusion is further supported by
analysis of the overall transfer rate of 23
MB/s. The
Forensicator
described this as “possible when copying
over a LAN, but too fast to support the
hypothetical scenario that the alleged DNC
data was initially copied over the Internet
(esp. to Romania).” Guccifer 2.0 had claimed
to originate in Romania. So in other words,
this rate indicates that the data was
downloaded locally, possibly using the
local DNC network. The importance of this
finding with regard to destroying the Russian
hacking narrative cannot be overstated.
If
the data is correct, then the files could
not have been copied over a remote
connection and so therefore cannot have been
“hacked by Russia.”
The
use of a USB drive would also strongly
suggest that the person copying the files
had physical access to a computer most
likely connected to the local DNC network.
Indications that the individual used a USB
drive to access the information over an
internal connection, with time stamps
placing the creation of the copies in the
East Coast Time Zone, suggest that the
individual responsible for initially copying
what was eventually published by the
Guccifer 2.0 persona under the title
“NGP-VAN” was located in the Eastern United
States, not Russia.
The implications of The Forensicator’s
analysis, in combination with Adam
Carter’s work,
suggest that at the very least, the Russian
hacking narrative is patently false. Adam Carter
has a strong grasp on the NGP-VAN files and
Guccifer 2.0, with his website on the subject
called a “good source” by Wikileaks via Twitter.
Carter told Disobedient Media that in his
opinion the analysis provided by The
Forensicator was accurate, but added that if
changes are made to the work in future, any new
conclusions would require further vetting.
On the
heels of recent retractions by legacy media
outlets like CNN and The New York Times, this
could have serious consequences, if months of
investigation into the matter by authorities are
proven to have been based on gross
misinformation based solely on the false word of
Crowdstrike.
Assange recently lamented widespread ignorance
about the DNC Leak via Twitter, specifically
naming Hillary Clinton, the DNC, the White House
and mainstream media as having “reason” to
suppress the truth of the matter. As one of the
only individuals who would have been aware of
the source of the DNC Leaks, Assange’s statement
corroborates a scenario where the DNC and
parties described in Adam Carter’s work, likely
to have included Crowdstrike, may have
participated in “suppressing knowledge” of the
true origins and evidence surrounding the leak
of the DNC emails by confusing them with the
publication of the Guccifer 2.0 persona.
Despite
Guccifer 2.0’s conflicting reports of having
both been a Russian hacker and having contact
with Seth Rich, the work of The Forensicator
indicates that neither of these scenarios is
likely true. What is suggested is that the files
now known as “NGP-VAN” were copied by someone
with access to a system connected to the DNC
internal network, and that this action had no
bearing on the files submitted to Wikileaks; the
files were most likely unassociated with Seth Rich,
and definitively not remotely “hacked” from
Russia.
Elizabeth Vos - Writer and Associate Editor at
Disobedient Media.