Updated 8/14/17 to include responses from Forensicator and additional information.

The question of Russia’s culpability in the 2016 hacking of the DNC is a settled matter in the view of the U.S. intelligence community and most cybersecurity experts. But, for President Donald Trump’s supporters it’s all a big lie, a fable concocted by Democrats, the media and the “deep state” to excuse Hillary Clinton’s loss and undermine Trump’s victory. Instead they contend, the source of the leaked DNC emails was a disgruntled DNC staffer rather rather than Russian hackers. This week, they got new ammunition.

An article published by journalist Patrick Lawrence in The Nation claims a new study raised “big questions” about the DNC hack. It quickly echoed around the right-wing blogosphere under headlines proclaiming that the Russian hacking narrative had been debunked. It hadn’t

Lawrence’s story was based principally on an analysis that had already been making the rounds on right wing websites for several weeks authored by an anonymous cybersecurity expert calling himself “The Forensicator.” His report first appeared a month ago, on July 9th, two days after Russian President Vladimir Putin flatly denied that his government was responsible for the hacks of the DNC in a meeting with President Trump on the sidelines of the G-20 meeting in Hamburg. Now there was evidence that purported to back that up.

The report claims to show that at least one batch of files made public by the Guccifer 2.0 entity last September were copied locally, rather than hacked remotely, on a machine set to the U.S. Eastern Time Zone. Some have seized on this as absolute proof that a DNC insider, not Russia was responsible for the DNC hacks. That substantially overstates the case.

The Forensicator does not claim to debunk the intelligence community’s conclusion that Russia was responsible for hacking the DNC, rather he says he is merely raising questions that demonstrate this conclusion merits greater scrutiny. Upon close reading, it might not even do that much.

Bytes and Bits

The analysis he presents is dense and technical. But, beneath a lot of jargon and meandering logic, he makes two core points. First, he claims that the data was transferred at a rate of 23 megabytes per second, which would translate to 184 megabits per second in the units used to measure download speeds of consumer internet connections. This, he says, suggests that the files must have been copied locally. Second, he claims timestamps on the files establish that they were copied onto a computer set to the U.S. Eastern Time Zone. But, the evidence he presents in support of these “findings” is not overwhelmingly convincing.

For example, a download speed of 23 MB/s is quite fast, but hardly impossible to achieve, especially for a nation-state hacker. Further, changing the time zone settings on a computer is a simple matter. It took your humble writer all of five seconds to switch my desktop computer to the Moscow time zone…and, what do you know, the time stamps on all my files changed to Moscow time too.

Following this logic, I’m now a Russian hacker. Who knew? In fairness, Forensicator addressed this point when commenters raised it. “Some reviewers have noted that Guccifer 2 could have manually set his timezone to Eastern time – [this is] true,” he replied. In response to some questions we posed to him, Forensicator told us that he didn’t see a reason that a hacker would do so.

“The method used to determined that East Coast time zone settings were in effect is non-obvious and unlikely to have been anticipated by individual(s) linked to Guccifer 2. Thus, it is highly unlikely that Guccifer 2 intended to communicate that fact. The argument against the idea that Guccifer 2 set the time zone on his computer to Eastern Time is that Guccifer 2 spent a lot of time and effort to convince everyone that he is a Romanian hacker. Many have challenged that claim, but no one has suggested that he might live on the East Coast.”

Still, switching time zone settings might be a prudent thing any hacker would do. In fact, thanks to Wikileaks; Vault 7 dump of CIA documents, we know that obscuring timestamps is standard operating procedure, for U.S. cyber-spies. A CIA “Dos and Don’ts” documents for developers warns:

“DO NOT leave dates/times such as compile timestamps, linker timestamps, build times, access times, etc. that correlate to general US core working hours (i.e. 8am-6pm Eastern time)”

The reason seems obvious enough. Doing so:

“Avoids direct correlation to origination in the United States.”

It seems very unlikely that Russian hackers would not employ similar tradecraft. But, as Forensicator pointed out in his reply to me, among the circumstantial evidence for Russian attribution is the fact that they were more active during business hours in Russia:

“Per this NYT article, dated Dec. 13, 2016, states: ‘Another clue: The Russian hacking groups tended to be active during working hours in the Moscow time zone.’ in reference to Cozy Bear and Fancy Bear and their alleged DNC hacking activities. Apparently, those Russian hackers didn’t get the Vault 7 memo. There are several other “bread crumbs” that have led back to Russia; the presence of obvious clues has raised eyebrows among a few security researchers.”

Adjusting the hours people work is a good bit harder than just switching time zones. It may be that doing so just wasn’t worth the hassle. Still, Forensicator could very well be right. It is plausible that the Guccifer 2.0 was working in the U.S. Eastern Time Zone, which raises the tantalizing possibility that the DNC leak operation was aided from within the U.S. That does not mean that it was a DNC insider doing the helping. Russia has more intelligence assets in the U.S. that at any time in the past 15 years.

DNC Lockdown

None of this really proves that the files were copied locally from a DNC computer. In fact, there’s pretty good reason to suspect they weren’t. By July 5th when the files were copied, Guccifer 2.0 had already been releasing DNC documents for weeks and the DNC was on full IT security lockdown.

It seems incredibly unlikely that a DNC insider would risk going back for more at that point. Given the intense security that had by that time been put in place at the DNC, a huge transfer of hundreds of documents would have surely set off alarms with access logs would pointing right at him. It seems like a sure fire way to get caught.

If we were able to view the contents of the July 5th Guccifer 2.0 7z archive, we might be able to tell when they were exfiltrated from the DNC servers by verifying the dates the files were last modified by actual DNC staffers. While we do not have access to the contents of those files, we do know that the most recent emails in the Wikileaks email dump were dated May 25 — more than a month earlier. If a DNC insider was responsible for both sets of documents and was actively removing files through July 5th, it seems odd that he would have left a month’s worth of emails on the table.

A Simpler Explanation

There’s a simpler explanation. It seems far more likely that the files had been previously downloaded from the DNC by hackers to a desktop computer or central sever. On July 5th, they were simply copied from there to a laptop or another desktop using a LAN connection or USB drive. This seems like exactly what you might expect to see in a sophisticated state-sponsored hack and is entirely consistent with all the evidence presented.

Forensicator conceded this was possible in response to a commenter who raised this. “Some have opined that if Guccifer 2 pulled data from his previously claimed hack and simply copied that data to say his local hard drive on July 5, 2016 that the pattern present in the metadata might result; [this is] also true,” he wrote.

There’s little in this analysis that challenges the intelligence community’s assessment in any meaningful way. To his credit, Forensicator has engaged skeptics — including us — cheerfully and substantively. While his responses to not give us great confidence that he has found anything resembling conclusive proof, that, he says, isn’t his point. “In my view,” he wrote in a comment, “the ‘standard of proof’ should only be sufficient enough to encourage a formal, thorough, investigation of the various claims of Russian hacking and interference.” That’s a low bar that this study may clear, if only barely.

Read More

Read Forensicator’s response to us here.