Distortions & Missing The Point

By Adam Carter --- August 16th, 2017

Rapid Reaction

On Wednesday, 9 August, 2017, Patrick Lawrence wrote an article that featured in The Nation. The following day, Brian Feldman, writing for New York Magazine, published a rather aggressive article attacking Lawrence's character. It ignored various factors in an effort to frame the research Lawrence was referring to unfavorably, built a straw man argument, and passed over key points of the actual research being referenced. I wrote about this a couple of days ago.

Now we see an escalation of this, so I am again forced to write another article explaining how things are being misrepresented and how third-party interpretations are being used as a straw man against Forensicator's analysis.

Now Trending In The MSM: Missing The Point

Critics seem to ignore the fact that skepticism of the premise that Guccifer 2.0 was a real hacker working for the FSB/GRU/etc. is based on more than just Forensicator's study.

Even in this effort to isolate the conclusion they feel they can most easily undermine, they have shown a tendency to criticize assertions that are third-party interpretations rather than Forensicator's actual conclusion in its true context (most outlets avoided providing readers with a link for reference).

This has been unfortunate because, in a conclusion arguing that transfer speeds were consistent with USB transfers, Forensicator made a comment in passing regarding whether this would fit the premise of an overseas hacker acquiring the files.

For context, a screenshot of Forensicator's 7th conclusion (from a total of 11 conclusions) is below. Critics have ignored everything in gray, focused solely on the part in red, and ignored the qualifier.

This serves as a viable straw man to attack and allows critics to overlook the far more significant implications of other conclusions in Forensicator's study. Those conclusions reveal that, according to the available evidence, Guccifer 2.0 was archiving files into batches in September 2016 while EDT timezone settings were in effect, placed the files on to a USB device, and later archived the files using a different archival application (with the final archive likely coming directly from the USB device).

With the transfer speed issue alone, the point that seems to be consistently overlooked is that the speeds were consistent with USB device transfer rates in practice.

Most critics also fail to make any mention of the other discoveries made (e.g. the breadcrumb fabrication on June 15th, 2016, another significant piece of the puzzle).

Finally, the speed cited by Forensicator was the average rate. If the speed being "too fast for the Internet" was really the main point he was making there, he could have used the peak rate, which is considerably higher (and yes, this was certainly fast for the Internet and beyond the rates available in Romania, Russia, etc. in 2016).

"Doesn't Prove The DNC Wasn't Hacked"

Many articles are pushing this frame because it's an argument they can win. To be fair, this may be more in line with the way Lawrence wrote his article, but just to be very clear, neither my nor Forensicator's work claims to "prove that the DNC wasn't hacked", what we've studied is specifically to do with the Guccifer 2.0 persona.

Forensicator's analysis demonstrates there's a higher probability that someone in the US was moving files around by USB device as late as September and that these files were subsequently released by Guccifer 2.0 in the NGP-VAN archive.

The research on my site comes from several sources and covers many sub-topics, but in general, it demonstrates from numerous angles that Guccifer 2.0 seems to have been a phony "Russian hacker" persona.

While the presence of malware has been used to argue that the DNC had its emails hacked, the truth is that there's been no evidence showing that the malware was used to access or relay any internal DNC emails to unauthorized parties.

TheHill (14 August 2017)

On Monday, 14 August, 2017, The Hill published an article titled "Why the latest theory about the DNC not being hacked is probably wrong".

Starting with the headline, it should be noted that Forensicator doesn't argue that the DNC wasn't hacked in his study.

The theory behind the report is that it would have been impossible for information from the DNC to have been hacked due to upload and download speeds.

So, it would seem that this is criticism of what was either stated in the VIPS memo or Lawrence's article.

The claims have slowly trickled through the media, finding backers at the right-wing site Breitbart in early June.

And also at The Nation, Salon, Bloomberg and various independent media outlets, but singling out Breitbart is useful for framing this as though it were a right-wing thing.

It seems as though the Hill is portraying Breitbart (renowned for being right-wing) as though it was related to the origination of the story.

The claims are based on metadata from the leaked files, which were published on WikiLeaks during the 2016 presidential election.

That's false.

It was metadata from files Guccifer 2.0 released in September of 2016 that were unrelated to files published by Wikileaks.

A blogger named "The Forensicator" analyzed the "last modified" times in one set of documents released by Guccifer 2.0. Based on the size of the documents and the times they were downloaded, Forensicator calculated that a hacker was able to copy the files at a speed of more than 20 megabytes per second.



That is faster than consumer internet services in the United States can upload documents.



As a result, Forensicator concluded that the documents could not have been copied over the internet. Instead, someone with physical access to the network must have copied them in person to a USB drive, the blogger concluded.



The important thing here was never that the rate exceeded some threshold; it was that the speed matched USB 2.0 transfer rates measured in testing using the exact same files (from Guccifer 2.0's archive).

That is before considering the FAT filesystem anomalies observed, which provide additional indicators of thumb drive usage (though at a later stage, in September).

It also leaves out the timezone information, which is also significant.
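As an added illustration of the kind of arithmetic involved (this is my own example code, not Forensicator's tooling, and the file sizes and timestamps below are constructed for illustration, not Guccifer 2.0's data): given the last-modified times and sizes of files written in one copy operation, it derives the average rate over the whole run, the peak rate between consecutive distinct timestamps, and whether every timestamp falls on an even second, which is what FAT's 2-second modification-time granularity produces. The USB 2.0 range used for comparison is an assumed rule of thumb for thumb drive writes, not a measurement from the study.

```python
from datetime import datetime, timedelta

MB = 1_000_000  # decimal megabytes, matching the "22.7 MB/s" style of figure quoted in the press

# Assumed rule-of-thumb range for sustained writes to a USB 2.0 thumb drive (bytes/s).
# This is an assumption for illustration, not a measured figure from the study.
USB2_TYPICAL_RANGE = (15 * MB, 35 * MB)

# Constructed sample: (name, size in bytes, last-modified time on the destination).
# A file's mtime is set when its write finishes, so consecutive distinct mtimes
# bracket the time each file (or group of files) took to land on the destination.
T0 = datetime(2016, 7, 5, 18, 0, 0)  # placeholder date, not the study's
SAMPLE_FILES = [
    ("01.pdf", 50 * MB, T0),
    ("02.pdf", 44 * MB, T0 + timedelta(seconds=2)),
    ("03.pdf", 52 * MB, T0 + timedelta(seconds=4)),
    ("04.xlsx", 8 * MB, T0 + timedelta(seconds=4)),   # same 2-second bucket as 03.pdf
    ("05.pdf", 30 * MB, T0 + timedelta(seconds=8)),
]


def average_rate(files):
    """Total bytes divided by the span between the first and last mtime.

    The first file's write started before its mtime, so this slightly
    overstates the true average; it is the simple figure usually quoted.
    """
    ordered = sorted(files, key=lambda f: f[2])
    span = (ordered[-1][2] - ordered[0][2]).total_seconds()
    if span <= 0:
        raise ValueError("need at least two distinct timestamps")
    return sum(size for _, size, _ in ordered) / span


def interval_rates(files):
    """Bytes/s for each gap between distinct mtimes.

    Files sharing an mtime (FAT rounds to 2 s) are pooled into one bucket,
    because their individual write durations cannot be separated.
    """
    ordered = sorted(files, key=lambda f: f[2])
    buckets = []  # (mtime, bytes finishing at that mtime)
    for _, size, mtime in ordered:
        if buckets and buckets[-1][0] == mtime:
            buckets[-1] = (mtime, buckets[-1][1] + size)
        else:
            buckets.append((mtime, size))
    return [
        total / (t - t_prev).total_seconds()
        for (t_prev, _), (t, total) in zip(buckets, buckets[1:])
    ]


def fat_granularity_consistent(files):
    """True if every mtime has an even second count and no sub-second part.

    FAT stores modification time with 2-second resolution, so files copied
    onto a FAT-formatted drive show only even seconds. NTFS or ext4 timestamps
    would normally include odd seconds and sub-second values.
    """
    return all(m.second % 2 == 0 and m.microsecond == 0 for _, _, m in files)


def summarize(files):
    avg = average_rate(files)
    peak = max(interval_rates(files))
    lo, hi = USB2_TYPICAL_RANGE
    return {
        "average_mb_s": avg / MB,
        "peak_mb_s": peak / MB,
        "average_in_usb2_range": lo <= avg <= hi,
        "fat_consistent": fat_granularity_consistent(files),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On the constructed sample the average works out to 23 MB/s and the peak to 30 MB/s; the point of separating the two is the one made above, that the average is the more conservative figure, while the even-second check is a cheap first test for the FAT indicator before looking at anything else.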

But, said Barger and other experts, that overlooks the possibility the files were copied multiple times before being released, something that may be more probable than not in a bureaucracy like Russian intelligence.



Forensicator refers to multiple copying operations and doesn't rule out the possibility of files being transferred prior to the earliest dates observed. The assumption made here is not made in Forensicator's work.

"A hacker might have downloaded it to one computer, then shared it by USB to an air gapped [off the internet] network for translation, then copied by a different person for analysis, then brought a new USB to an entirely different air gapped computer to determine a strategy all before it was packaged for Guccifer 2.0 to leak," said Barger.

Yes, in theory, things we have no indication of could have occurred, but convoluted and speculative theories like this step away from observations of the available evidence.

Forensicator analyzed, made observations and gave the most probable explanations based on those observations. It is NOT incumbent on him to disprove unsubstantiated theories people can think up in order to demonstrate that his findings are the most probable.

If Barger sees anything that indicates an alternate theory is more probable, any contributions of evidence/observations or evidence-based counter-arguments to help improve everyone's understanding here would certainly be welcomed.

Hultquist said the date that Forensicator believes that the files were downloaded, based on the metadata, is almost definitely not the date the files were removed from the DNC.

Forensicator didn't argue that the files were downloaded or that this was the date the files were exfiltrated from the DNC; he simply points to the earlier transfer of DNC files that was observed (without arguing where the files came from) and investigates its characteristics.

Even if there were no other scenarios that would create the same metadata, experts note that metadata is among the easiest pieces of forensic evidence to falsify.

Indeed, we see a lot of Russian metadata scattered on the surface, and it was quickly found. With the material Forensicator analyzed, however, the indication of a US timezone was far more obscure.

When we see conflicting locales in metadata we should, of course, ask "to what end?" or "for what purpose?" for each conflicting indicator.

As we already know that Guccifer 2.0's Russianness from day one was partly reliant on fabrications, we know he had intent to be seen as Russian. We know he claimed to be Romanian. But why would an indicator pointing at a US timezone be discoverable?

Which indicator is planted and which is a genuine operational security mistake?

In Forensicator's case, we are talking about relative time differences between the file modification timestamps of contemporaneous files, caused by the use of different archiving applications. This is something that would rarely be noticed even by cybersecurity experts, so it is an unlikely candidate for forged metadata.
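The following is an added example of how that kind of timestamp difference is turned into a timezone indicator; it is my own illustration with invented file names and times, not the study's data or tooling. It assumes that one archive format records each file's modification time as local wall-clock time with no offset (DOS-format timestamps, as used by zip and rar, behave this way) and that another records UTC (7z does), so the per-file difference between the two archives reveals the UTC offset in effect on the archiving machine. The offset-to-zone table covers early September 2016, when US zones and Europe were on summer time.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: the same files as they appear in two archives built on the
# same machine. Names and times are invented for illustration.
# Assumed: this archive stores local wall-clock time with no UTC offset
# (DOS-format timestamps in zip/rar behave this way).
LOCAL_TIME_ENTRIES = {
    "report.pdf": datetime(2016, 9, 1, 14, 0, 2),
    "budget.xlsx": datetime(2016, 9, 1, 14, 30, 0),
    "memo.docx": datetime(2016, 9, 1, 9, 15, 4),
    "only_here.txt": datetime(2016, 9, 1, 10, 0, 0),  # no UTC counterpart; ignored
}
# Assumed: this archive stores the same files' mtimes in UTC (7z does).
UTC_ENTRIES = {
    "report.pdf": datetime(2016, 9, 1, 18, 0, 1),
    "budget.xlsx": datetime(2016, 9, 1, 18, 30, 0),
    "memo.docx": datetime(2016, 9, 1, 13, 15, 3),
}

# Offsets (hours east of UTC) in effect in early September 2016, summer time included.
OFFSET_LABELS_SEPT_2016 = {
    -7.0: "PDT (US Pacific)",
    -6.0: "MDT (US Mountain)",
    -5.0: "CDT (US Central)",
    -4.0: "EDT (US Eastern)",
    0.0: "UTC",
    1.0: "BST (UK)",
    2.0: "CEST (central Europe)",
    3.0: "EEST (e.g. Bucharest) or MSK (Moscow)",
}


def per_file_offsets(local_entries, utc_entries):
    """UTC offset in hours implied by each file present in both archives.

    Each difference is rounded to the nearest quarter hour: DOS timestamps carry
    a 2-second granularity, so raw differences are off by a second or two.
    """
    offsets = []
    for name, local_time in local_entries.items():
        utc_time = utc_entries.get(name)
        if utc_time is None:
            continue
        hours = (local_time - utc_time).total_seconds() / 3600
        offsets.append(round(hours * 4) / 4)
    return offsets


def infer_offset(local_entries, utc_entries):
    """Most common per-file offset, how many files agreed, and how many were compared."""
    offsets = per_file_offsets(local_entries, utc_entries)
    if not offsets:
        raise ValueError("no file names in common between the two archives")
    offset, votes = Counter(offsets).most_common(1)[0]
    return offset, votes, len(offsets)


def label_offset(offset_hours):
    """Human-readable zone label for a known offset, else a plain UTC+/-N string."""
    return OFFSET_LABELS_SEPT_2016.get(offset_hours, f"UTC{offset_hours:+g}")


if __name__ == "__main__":
    off, votes, n = infer_offset(LOCAL_TIME_ENTRIES, UTC_ENTRIES)
    print(f"offset UTC{off:+g} ({label_offset(off)}), {votes}/{n} files agree")
```

The vote count matters as much as the offset: one file that disagrees may just be a later edit, while a whole batch that agrees on the same offset is the kind of consistent, obscure indicator the paragraph above describes. Note that the table makes a UTC+3 reading ambiguous between Bucharest and Moscow in September 2016, which is why an offset alone is a weaker discriminator between a Romanian and a Russian setting than it is between either and a US one.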

The work presented on both Forensicator's site and mine demonstrates far greater consideration for the integrity of metadata than I've seen in any of the work that preceded our efforts.

It would be far more difficult to fabricate other evidence pointing to Russia, including the malware only known to be used by the suspected Russian hackers, and internet and email addresses seen in previous attacks by that group.

This is where the debunking of Guccifer 2.0 takes a back seat so that they can argue that the research fails to entirely disprove that the DNC was hacked, pointing to the malware discovered and other things that are not demonstrably related to Guccifer 2.0.

It's also interesting to see a claim that the malware discovered was "only known to be used by the suspected Russian hackers" when it's been shown that one piece of malware attributed to the "Russian hacking" effort actually had Ukrainian origins and in the case of "X-Agent", cybersecurity analyst Jeffrey Carr has previously reported that Ukrainian hackers have copies of this malware too (and, of course, malware can be reverse engineered and repurposed).

It's really not that difficult to leave behind Russian themed breadcrumbs either. You could:

Choose to use a Russian VPN service to cover your tracks and make no effort to mask that IP (e.g. via Tor)

Use an email service provider that forwards that IP address to recipients to make sure people you contact can figure out your use of a Russian VPN service without even needing the assistance of service providers.

Send journalists needlessly edited documents with Cyrillic metadata plastered all over them using the above setup.

"Accidentally" drop a Russian smiley into your first ever blog post even though it's not something you habitually use.

Continue needlessly editing documents while your local time and language settings are in line with Russia.

...and convince a lot of people that you're Russian.

Forensicator's claim that 20 to 25 megabyte per second downloads would be impossible over the internet also raised eyebrows.

As mentioned previously, if Forensicator's conclusion #7 was really about making that argument he would have surely used the peak rate instead of the average rate, wouldn't he?

In the end, Fidelis, FireEye, SecureWorks, Threat Connect and other CrowdStrike competitors all confirmed CrowdStrike's results.

Yes, a lot of firms did review CrowdStrike's evidence. Yet, little of it was directly related to Guccifer 2.0. ThreatConnect even pointed out that Guccifer 2.0's claimed breach method was implausible.

The intelligence community, including the CIA, FBI and NSA, also claims to have evidence the attacks were coordinated by Moscow, though they have not released their evidence to the public.

The discoveries made by Forensicator and others have come AFTER those assessments were made.

Of course, claiming to have evidence is all good and well, except, as the above statement concedes: "they have not released their evidence to the public".

"I find it interesting that people are so eager to believe that Dmitri Alperovitch is biased, but willing to accept the forensics of an anonymous blogger, with no reputation, that no one knows anything about," said Hultquist.

I find it interesting that Hultquist is overlooking Dmitri's track record of blaming things on Russian hacking, his past statements about the Russian government and his ties to a think tank that is extremely hawkish with regard to Russia.

"When this many brands agree on something, come together to provide several different aspects of the attack, sometimes it's true."

And sometimes "brands" end up reviewing evidence collected by a firm that was not truly independent and will then draw predictably similar conclusions from it.





Washington Post (15 August 2017)

On Tuesday, 15 August, 2017, Erik Wemple of the Washington Post wrote an article titled "The Nation is reviewing a story casting doubt on Russian hack of DNC". Skipping past the introduction, which just serves to drag Katrina vanden Heuvel (the Nation's editor and publisher) into the spotlight, we get straight down to misrepresentations.

the piece relies to a significant degree on a finding that hackers working remotely couldn’t possibly have downloaded all the information that they allegedly secured and passed along to WikiLeaks.

Whether speeds were obtainable or not misses the point and misrepresents what the findings actually implied.

Forensicator also mentioned nothing about WikiLeaks.

The next part is more substantive because Lawrence's framing adds specificity which the original research doesn't claim to demonstrate:

Though Lawrence’s writing on this topic is impenetrable, he cites a number of researchers and groups — including Veteran Intelligence Professionals for Sanity (VIPS) — who have examined the official case for a DNC hack. Among the key actors is someone known as the “Forensicator,” an independent researcher of unknown identity. Here’s how Lawrence frames this individual’s contributions:



Forensicator’s first decisive findings, made public in the paper dated July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate—the time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.



These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed. Compounding this contradiction, Guccifer claimed to have run his hack from Romania, which, for numerous reasons technically called delivery overheads, would slow down the speed of a hack even further from maximum achievable speeds.



Due to the files actually contained in the archive, we have to leave open the possibility that the files could have been acquired from a number of locations. However, this whole crusade to determine whether transfer speeds are attainable continues to blindly overlook an incredibly significant point:

In testing (emulating various different transfer methods on the files involved), the speeds observed in the timestamps coincided with the results from testing USB2.0 memory stick devices. This is a fundamental point that critics are tripping over themselves to ignore and while they misrepresent this, they also tend to omit the other FAT filesystem indicators discovered and more.

To save time, for the remainder of this article, I'm going to breeze past the griping over whether speeds were obtainable as it's just a misrepresentation of Forensicator's actual conclusions and the basis for them and I'm sure readers will be getting sick of the repetition.

Maybe the Nation should have done the technical patdown prior to publication. “Most households don’t get internet speeds that high, but enterprise operations, like the DNC — or, uh, the [Russian] FSB — would have access to a higher but certainly not unattainable speed like that,” wrote Brian Feldman in a debunking in New York Magazine.

Feldman didn't debunk anything (as I've already covered), he misrepresented things to create a strawman, just like Uchill did for TheHill and just like Wemple has already done in this piece.

Further into the piece we see Breitbart get dragged in. [These mainstream authors sure seem to love shifting things into partisan frames where it's unnecessary and irrelevant!]

So what next? Wemple presents his readers with Sam Biddle mistaking a salutation to someone whose username ends in "martyr" as a statement from Patrick Lawrence about Seth Rich being a martyr, just to try to undermine him.

Of course, you need to be observant to spot the mistake, something that Wemple and Biddle both seem to have missed:

On the subject of Sam Biddle, let us not forget that this is the journalist who reported a date in the body content of the Trump opposition research document as "metadata" (it was not; the actual metadata was notable because it showed the document as being created on 15th June 2016, the day Guccifer 2.0 appeared, rather than the date Biddle had reported).

Biddle misreported some critical data back in 2016 and within the last couple of months he's also written a highly speculative piece trying to tie Don Trump Jr to Guccifer 2.0's activities that happened days apart from each other with no causative link demonstrated.

That's enough Biddle for now, moving on...

A January report from the U.S. intelligence community found that Russia had indeed mounted a campaign to influence the election, and numerous investigations

The usual appeal-to-authority logical fallacy emerges. In this instance it's referencing the ICA from January, an evidence-free assessment from a group of hand-picked agents from three agencies that came out before these new discoveries were made.

The rest of the article veers off into another topic that it seems to try to conflate this with (in which a broader range of dissent was shown on the subject of The Nation's coverage of Donald Trump and his alleged ties to the Russian government).





PwnNoneOfTheThings

On Tuesday, 15 August, 2017, Matthew Tait (@pwnallthethings, on Twitter), so eager to try to lay the boot in, fell on his face by the time he got to the 2nd tweet of his thread and proceeded to "pwn" precisely none of the things he was trying to tackle. Let's take a look:

The research doesn't cover the rate at which files were added to an archive.

There's no "switcheroo", the whole point is that, in testing, this was consistent with USB2.0 and there appears to have been USB memory stick usage occurring based on FAT filesystem anomalies noted as late as September 2016, with transfers apparently occurring in the Eastern time zone.

Actually, Forensicator's site covers an analysis of the NGP-VAN archive relating to Guccifer 2.0 specifically (and mine relates to Guccifer 2.0). To date, neither site has made any effort to tackle the malware discovery that CrowdStrike reported, so Matt is making an incorrect generalization.

Forensicator is only interested in what is most probable, he doesn't have a history of propping up either side of the argument and so isn't personally invested in the outcomes, unlike other parties.

There is nothing to show that the malware relayed any of the files or accessed emails. The information made public by CrowdStrike was mostly just a bunch of IOCs without any context and without identifying which ones were related to which alleged incident that occurred. This is something I tried asking them about a long time ago and even queried in an open-letter to them over 3 months ago and they've not responded.

Update (December 2019): Since this article was originally published Forensicator posted a follow-up with a few clarifications and had already, at that time, posted an article specifically about the speeds making it clear what his argument was (that I had forgotten to mention in this article).

Several VIPS members and associates carried out their own testing in 2018 and found that it was still difficult to get transoceanic transfers at the average rate observed in Guccifer 2.0's data, never mind the substantially higher peak rate.

Also, since this article was originally published, a number of additional timezone indicators pointing to Guccifer 2.0's activity being in various US timezones (EDT, PDT and CDT) have been discovered. A summary of these along with links to the studies/research are covered in an article titled "Guccifer 2.0's US Time Zone Indicators" that was published in March 2019.

When it comes to Guccifer 2.0's activities, we now have more unique types of indicator pointing at US timezones than we do Russian. These were, generally, harder to discover than the Russian breadcrumbs left behind, some of them were recorded independently by third parties (Twitter & WordPress), and there's no reasonable explanation for their existence if we assume the attribution of Guccifer 2.0 to the GRU is correct.

(No doubt we'll see some suggest that it's just a Russian trick to deceive and confuse digital forensics investigators but it's illogical that they would plant breadcrumbs that are harder to find whilst being unaware of all the Russian breadcrumbs they were leaving scattered on the surface through needless edits of documents).

Unsurprisingly, our critics in the mainstream press have avoided disclosing any of these additional discoveries to their readers.