The Forensicator takes a closer look at Guccifer 2’s HRC_pass.zip file and reaches the surprising conclusion that its source data was likely copied from a thumb drive, at a location somewhere in the US Central Timezone.

In When USB’s Fly: Recent Research Supports Forensicator’s Controversial Theory, we highlighted a discovery made by another researcher, Bruce Leidl (@bleidl), who analyzed the first Zip file archive that Guccifer 2 published (five or so days after his debut). Leidl analyzes information in Guccifer 2’s Zip file and concludes that the file was written on a computer that had Central Timezone settings in force when the Zip file was created.

As Leidl noted, this Zip file is written in a format that records last modified time, creation time, and last accessed time for each file. These times are recorded as high precision values, to the nearest tenth of a microsecond (100 nanoseconds). This is the time format used on Windows NTFS file systems.

Exploring the File Creation Times Recorded in HRC_pass.zip

Leidl only shows us the entry for the top-level “HRC” directory, which was created and last modified on June 20, 2016. This is a day before Guccifer 2 announced the availability of this Zip file in a blog post.

Let’s take a look at the individual files, sorted by their create times.

We see that these files were created on 2016-06-20, which agrees with Leidl’s analysis of the metadata for the top-level directory (“HRC/”). The create times have high precision NTFS timestamps; we show them to the nearest millisecond. Using these create times, we can estimate the time taken to copy those files from the source media to the local hard drive. The final Zip file (HRC_pass.zip) was created from these files on the local hard drive. This calculation is shown below.

Tests Confirm that Guccifer 2 Likely Copied the Data from a Thumb Drive

To confirm our observation that this 14.8 MB/s copy rate is typical for a USB2 thumb drive, we ran a test. We copied this collection of files from a thumb drive to the local hard drive. We see the following progress bar. The thumb drive was plugged into a USB2 port.

NOTE: when testing copy speeds we first eject the USB thumb drive and re-insert it before running the test. This ensures that the data has not been cached from a previous test. Also we used 7zip on a Windows system to extract the files; this restored the high precision file creation times recorded in the Zip file.

Conclusion #1

When we consider these copy speed observations, the previously noted FAT times, and the Central Timezone finding, we conclude:

The HRC_pass.zip data was likely copied from a thumb drive, physically located in the US Central Timezone.

Files Seem Unrelated to DNC Leak

When we look at the file last saved times for the Word documents in HRC_pass.zip, we see that they were mainly saved in 2015, a year ahead of the DNC leak.

Further, almost all of them were authored by Jeremy Brinster. Brinster was a DNC staffer/consultant in 2015 and 2016. Brinster appeared prominently in the second WikiLeaks release of DNC emails, which we detail in Sorting the WikiLeaks DNC Emails.

Extremely Slow Acquisition Times Run Counter to Claims in the GRU Indictment

When we look at the file last modified times, we see indications that the files in HRC_pass.zip were acquired at a surprisingly slow rate (26 kilobytes/sec, average).
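The timestamp reading behind this section and the copy-rate estimate earlier in the post can be reproduced with the following added example, which is not the Forensicator’s or Leidl’s code. It parses the 0x000a NTFS extra field defined in PKWARE’s APPNOTE (mtime, atime and ctime as 100-nanosecond FILETIME ticks), reads it from a constructed three-file archive, and assumes, as the post does, that a creation stamp marks the start of a file’s copy and a last-modified stamp the end of a file’s write; the file names, sizes and time offsets are made up.

```python
import io, struct, zipfile
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100ns ticks since this instant
NTFS_ID = 0x000A  # PKWARE APPNOTE 4.5.5 NTFS extra field: reserved(4) + tag 1 {mtime, atime, ctime}

def from_filetime(ft):  # integer math: 2016-era tick counts lose sub-2us precision as floats
    return EPOCH + timedelta(microseconds=ft // 10)

def ntfs_times(extra):
    """Walk a zip entry's extra-field chain (ZipInfo.extra); return (mtime, atime, ctime) or None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body, pos = extra[pos + 4:pos + 4 + size], pos + 4 + size
        apos = 4 if hid == NTFS_ID else len(body)  # skip the reserved bytes, or skip a foreign field
        while apos + 4 <= len(body):
            tag, tsize = struct.unpack_from("<HH", body, apos)
            if tag == 1 and tsize == 24:
                return tuple(map(from_filetime, struct.unpack_from("<QQQ", body, apos + 4)))
            apos += 4 + tsize
    return None

def ntfs_extra(mtime, atime, ctime):
    ticks = [(t - EPOCH) // timedelta(microseconds=1) * 10 for t in (mtime, atime, ctime)]
    body = struct.pack("<IHHQQQ", 0, 1, 24, *ticks)
    return struct.pack("<HH", NTFS_ID, len(body)) + body

def apparent_rate(entries, which, stamp_marks_end=False):
    """entries: (size, (mtime, atime, ctime)); which: 0 = mtime, 2 = ctime; returns bytes/s. A creation
    stamp marks a transfer's start (span covers every file but the last); an end-of-write stamp, all but the first."""
    ordered = sorted(entries, key=lambda e: e[1][which])
    span = (ordered[-1][1][which] - ordered[0][1][which]).total_seconds() if len(ordered) > 1 else 0
    if span <= 0:
        return None  # one file, or stamps too coarse to separate (e.g. 2-second FAT times)
    return sum(s for s, _ in (ordered[1:] if stamp_marks_end else ordered[:-1])) / span

def demo():
    """Build a constructed 3-file archive; return (copy rate via ctimes, acquisition rate via mtimes)."""
    t_acq = datetime(2016, 4, 26, 17, 0, tzinfo=timezone.utc)   # 1:00 PM EDT; writes ~25 KB/s apart
    t_copy = datetime(2016, 6, 20, 19, 0, tzinfo=timezone.utc)  # 2:00 PM CDT; creations 15 MB/s apart
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # (size in bytes, mtime offset in s, ctime offset in us)
        for n, (size, m_off, c_off) in enumerate([(3_000_000, 0, 0), (1_500_000, 60, 200_000), (500_000, 80, 300_000)]):
            info = zipfile.ZipInfo(f"doc{n}.docx", date_time=(2016, 6, 20, 14, 0, 0))
            ct = t_copy + timedelta(microseconds=c_off)
            info.extra = ntfs_extra(t_acq + timedelta(seconds=m_off), ct, ct)
            zf.writestr(info, b"\0" * size)
    with zipfile.ZipFile(io.BytesIO(buf.getvalue())) as zf:
        entries = [(zi.file_size, ntfs_times(zi.extra)) for zi in zf.infolist()]
    return apparent_rate(entries, 2), apparent_rate(entries, 0, stamp_marks_end=True)
```

On a real archive, replace the constructed build with `zipfile.ZipFile(path).infolist()` and feed each entry’s `file_size` and `extra` to the same two functions; entries without a 0x000a field (only DOS 2-second times) return None and should be excluded before rating.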

This observation was not lost on several researchers; Leidl started this thread. Excerpts follow.

Leidl suggests a scenario where X-Tunnel is used to transmit the data, but it does so by polling the upstream receiver (“beaconing”) and limiting the block size sent in each transmission unit. If a long, multi-second interval is used along with a modest block size, the overall transmission speed will be slow. This may well be the case; however, we have no way of knowing if X-Tunnel was in fact used, nor its transmission characteristics.

The indictment asserts a different modality, at least for data it alleges was ex-filtrated from the DNC. The indictment describes a scenario where data is compressed locally and then the compressed data is sent to a leased server in Illinois. If that method had been used: (1) in one scenario we may have seen original last modification times preserved – we would have been unable to estimate copy speeds. (2) In another scenario, where files were first copied locally before being compressed, we would expect to see a very high apparent transfer speed due to the local file copy operation. Further, depending upon the compression format used (Zip, 7zip, RAR), we might expect higher precision last modification times to be present. Instead, we see extremely low speed transfer times and FAT signatures.

Conclusion #2

We conclude that the source data was first ex-filtrated to an intermediate location and that this ex-filtration was done at a very slow transmission rate (26 kilobytes/sec). Based on the last modification times, the data was ex-filtrated on April 26, 2016. From there, the data was copied to a thumb drive. Ultimately, the data on this thumb drive was extracted onto a computer system located in the US Central Timezone. There, the final HRC_pass.zip file was built on June 20, 2016.

Moscow Calling: Pick up on Satcom #1

The exceedingly slow transmission rates are suggestive of another possible ex-filtration mechanism: a satellite modem. Here, Wikipedia tells us (Satellite Internet Access):

We realize that satellite communication technology continues to evolve and that higher speed access is available. However, based on the average uplink rate of 256 kilobits/sec shown above, we point out that this rate is rather close to the 26 kilobytes/sec rate that we calculated. Dividing 256 kilobits/sec by 8, we arrive at 32 kilobytes/sec. When we factor in the observation that the files were transmitted one at a time, we expect that the high latency found in satellite communications would reduce the overall bandwidth. Thus, the observed extremely slow transfer rate of 26 kilobytes/sec is in line with what we might expect from a mid-range satellite modem.

Acquisition and Copy Operations Occurred during US Working Hours

The Zip file metadata indicates that the files in the HRC_pass.zip archive were acquired on April 26, between 1:00 PM and 4:30 PM, Eastern Time. The files were copied from a thumb drive to the hard drive before creating the HRC_pass.zip archive. This copy operation occurred on June 20 at around 2PM, Central Time. Both time periods are in normal US working hours. Although this is only a weak indication of attribution, Russian working hours have been mentioned as a possible sign that the alleged hack of the DNC originated in Russia; therefore, we mention US working hours here.

Some files in the cf.7z Archive were also Copied on June 20, 2016

Guccifer 2 published another archive file called cf.7z a few months later (October 14, 2016) than HRC_pass.zip. We analyze those files in Guccifer 2.0 CF Files Metadata Analysis. There are various batches of files in that archive, with differing patterns of last modified times. Most of those files can be attributed to the DCCC, whereas HRC_pass.zip has content authored by a DNC researcher.

One batch of about 1,000 files in cf.7z has last modified dates of June 20, 2016; their file times are about 20 minutes later than those in HRC_pass.zip. We estimate the copying time for those files at about 280 KB/s, as shown below.

Some Files in cf.7z also have very Slow Transfer Rates

The very slow transfer rates found in HRC_pass.zip can also be found in a batch of files within another archive that Guccifer 2 published several months later, called cf.7z. Those files are dated May 23, 2016. Where HRC_pass.zip had DNC-related (or Clinton campaign-related) content, the files in cf.7z have DCCC content. Also, recall that May 23 was an important date in the DNC email timeline. In Sorting the DNC Emails, we conclude that over two-thirds of the DNC emails were acquired on May 23 – a few hours before the cf.7z files referred to below were acquired.

Divergences from the GRU Indictment

The July 2018 DOJ indictment of twelve GRU agents claims the following (emphasis added):

On or about April 18, 2016, the Conspirators activated X-Agent’s keylog and screenshot functions to steal credentials of a DCCC employee who was authorized to access the DNC network. The Conspirators hacked into the DNC network from the DCCC network using stolen credentials. By in or around June 2016, they gained access to approximately thirty-three DNC computers. For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.

The April 2016 time frame is potentially relevant, because we see April 26, 2016 last modification dates in the HRC_pass.zip file. This is close in time to the April 22 date mentioned above, but our analysis suggests that the acquisition of the files in HRC_pass.zip is unrelated to the alleged hack of the DNC described above. The following observations support that conclusion.

The HRC_pass.zip files were acquired on April 26, four days after the alleged DNC hack.

If the files were first compressed and then transferred via X-Tunnel (as described above), we would expect to see either (1) indications of local copying, which would exhibit a much higher rate than 15 MB/s, or (2) the original last modified dates preserved.

Instead, we see evidence of several extremely slow transfers, averaging 26 kilobytes/s. We have no a priori reason to assume that X-Tunnel would be this slow; in fact, for the DCCC-sourced cf.7z files copied 40 minutes later (on June 20) we see an average transfer rate of 280 kilobytes/s, which is still slow but 10X faster than what we see for the files in HRC_pass.zip.

The indictment says the files were ex-filtrated over the Internet. Counter to that claim, we conclude that after acquisition, they were likely copied to a thumb drive. Per our analysis, this thumb drive was transported to a location within the US Central Timezone. In our opinion, this thumb drive was the data source for the files in the final Zip file, HRC_pass.zip.

The GRU Indictment and the Mueller Report Miss an Important Detail: What Happened to the Data that was Copied to the Illinois Server?

The GRU indictment tells us that a large quantity of DNC data was compressed and ex-filtrated to a leased server in Illinois. However, we are not told what happens next to that data. Was it copied directly back to Russia? Wherever the data was copied, how did it make its way to WikiLeaks? For the DNC emails, we’re told that a “1 Gb or so archive” may have had some DNC emails, but this idea is stated more as theory and suspicion than fact. We are given no details on how the DNC emails and Podesta emails were handed off to WikiLeaks.

The following diagram shows the topology described in the GRU indictment, along with the missing link back to Moscow, or wherever it may have gone after being copied to the Illinois server (h/t Adam Carter).

Placing WikiLeaks aside for the moment, consider that Guccifer 2 dumped several Gigabytes of data via his blog and various file sharing sites. If Guccifer 2 was working out of Moscow as claimed, where did he obtain the data? Was it all copied back to Moscow and then disseminated from there? How do we accept the idea that Guccifer 2 operated only from a remote location in Russia, when we have shown evidence that suggests the use of a thumb drive at a US location?

Our analysis concludes that Guccifer 2 used a thumb drive in the US Central Timezone (on/before June 20, 2016) and in the Eastern Timezone (on/after September 1, 2016). Those conclusions run counter to the claims in the GRU indictment.

This New Thumb Drive Finding Further Strengthens Forensicator’s cf.7z Hypothesis

Leidl’s discovery went generally unnoticed; however, it has relevance to Forensicator’s hypothesis that some/all of the files in the cf.7z archive file were copied to a thumb drive while located in the Central Timezone and then were subsequently copied back onto a system in the Eastern Timezone. That theory may have seemed tenuous at the time, but is now looking more reasonable when we combine the Central Timezone finding with our new discovery that the data was likely copied to a thumb drive.

It seems obvious: Someone had to plug in a thumb drive in order to access its data. Thus, if this finding can be confirmed, then someone associated with Guccifer 2 was physically present somewhere in the US Central Timezone on June 20, 2016 (when the files were copied from a thumb drive). Although this finding relates to the HRC_pass.zip files, it demonstrates with high likelihood that Guccifer 2 operated out of the Central Timezone, US (as well as other places in the US).

In August of last year (2018), Forensicator came under fire for suggesting a sequence of events that might explain a one hour difference observed between the files in one of the archive files published by Guccifer 2 and another. The report that prompted the controversy was Guccifer 2.0 CF Files Metadata Analysis.

In that report, Forensicator proposed a scenario where FAT-formatted media (e.g., a USB thumb drive) was written while in a location where Central US timezone settings were in force. This FAT-formatted media was then transported to a location somewhere in the Eastern US timezone. There, the material on the thumb drive was copied to an NTFS-formatted hard drive, and the final (cf.7z) 7zip file was built from the files present on the hard drive. The result of this long chain of events is a series of cf.7z files that appear to be time stamped one hour earlier than those in the NGP/VAN archive.

Duncan Campbell penned a critical report that was published in Computer Weekly (July 31, 2018). Mr. Campbell threw a wide net and pulled various people into his story of alleged pro-Kremlin conspiracy. Forensicator challenged Campbell’s hyperbolic claims in The Campbell Conspiracy. Forensicator’s proposed scenario mentioned above, in particular, rubbed Campbell the wrong way. Campbell said “The obvious, simple explanation was that hackers were manipulating computer clock settings” and “the Forensicator came up with a comic and far-fetched explanation to avoid talking about clock tampering.”

Taking into consideration this new evidence of thumb drive usage at a location in the US Central Timezone – will Campbell now reconsider and accept the idea that there might be reasonable explanations for the observed fact pattern other than simply, “Guccifer 2 ate my homework”?

Disclaimer

To the degree that some theories we develop suggest that Guccifer 2 had team members or help (physically) inside the US, we emphasize that our theories should be considered hypothetical. The DOJ indictment of July 13, 2018 accuses twelve (12) Russian GRU agents of being behind the Guccifer 2 persona. The indictment makes no mention that these agents may have received help within the confines of the United States. We note that indictments are not obligated to list all the facts in a case; there might be other information that hasn’t been disclosed publicly which would invalidate our theories or interpretations of the facts.

Closing Thoughts