Disobedient Media provided the first media coverage of the findings of the independent analyst known as the Forensicator. The Forensicator’s work and our coverage of their analysis were cited by Veteran Intelligence Professionals for Sanity (VIPS) in their memorandum to President Trump questioning Russian hacking allegations. The Forensicator’s groundbreaking analysis, the VIPS memorandum, and the immense work of Adam Carter have been instrumental in forcing legacy press and establishment figures to face a fundamental lack of evidence supporting Russian hacking claims.
The Forensicator’s latest analysis was sparked in part by Twitter user Stephen McIntyre’s observation regarding the so-called “Clinton Foundation” (cf.7z) file. The alleged Clinton Foundation information is separate from NGP-VAN data, though both were published by the Guccifer 2.0 persona.
The Forensicator’s report illustrated the time stamps used in their latest analysis of the “Clinton Foundation” files:
The Forensicator prefaced their discussion of the latest findings with Disobedient Media by emphasizing that Guccifer 2.0’s use of the title “Clinton Foundation” was potentially misleading. They noted that despite the title, the file may not have actually come from a “hack” of the Clinton Foundation. When the Forensicator analyzed the files attributed to The Clinton Foundation, they confirmed that some were dated 7/5/2016; those files fit into gaps in the previously analyzed NGP/VAN data.
McIntyre’s tweets pointed out an observable time zone difference of an hour between the NGP-VAN files and the purported Clinton Foundation files. The Forensicator explained that the latest available information raised questions as to whether one person or multiple individuals were responsible for copying the files published by Guccifer 2.0. They stated that the available evidence is not sufficient to draw a strong conclusion on that issue.
The Forensicator addressed the time zone issue in their latest findings:
The Forensicator additionally told Disobedient Media that in their earlier analysis of the NGP-VAN data, a copying event at a later date had raised questions as to the number of “team members” involved. The Forensicator told Disobedient Media that the data in the “Clinton Foundation” disclosure introduces new content that has time stamps which fit into the NGP/VAN timeline. This observation supports their conclusion that both the NGP/VAN files and the Clinton Foundation files were selected from a larger group of files dated 2016-07-05.
The Forensicator further explained to us that these new files either fit into gaps previously observed in their analysis of the NGP/VAN files, or preceded them by just one minute. This, they said, strengthens their earlier analysis of the NGP-VAN metadata, and suggests that the “Clinton Foundation” files were pulled from a much larger set of data, then curated.
The Forensicator also emphasized that “the entire cf.7z archive has two second granularity,” indicating that the Clinton Foundation files were copied to FAT-based media (most likely a thumb drive) before the final 7zip file was built. They added that the files appear to have been copied to a Windows PC before the final 7zip was constructed.
Specifically, their report relates the following:
Additionally, the Forensicator concluded that the presence of “last mod times” that are only accurate to 2 seconds makes it impossible to estimate transfer speeds. In contrast, they said, most of the NGP/VAN files had “sub microsecond time resolution,” which made it possible to estimate transfer speed with some confidence.
The Forensicator explained that the Clinton Foundation files had many internal time gaps that the NGP/VAN files did not, adding that the time gaps suggested that one directory in that archive was built from documents originating in multiple other directories. The Forensicator emphasized that the Clinton Foundation files (dated July 5, 2016) appear to have been carefully selected.
It is important to note that the Forensicator’s findings indicate that the one hour difference between the files in the Clinton Foundation collection and the NGP/VAN collection is partially explained by an initial copy to FAT-based media – most likely a thumb drive – while Central time zone settings were in force.
The device was then transported to a system where Eastern time zone settings were in force, and the final 7zip file was built there. The Forensicator said clearly that they are unable to speculate as to the identity or motivation of the individual who copied the files in the Central time zone.
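The mechanism behind both observations can be reproduced in a few lines. The following is an added illustration, not code from the Forensicator's report: it packs constructed sample timestamps into FAT's on-disk date and time fields (which hold local time in two-second steps with no zone), then reads them back under a different zone setting. The fixed July offsets for Central and Eastern time, the sample times and all function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed July (daylight-time) offsets, constructed for this example.
CDT = timezone(timedelta(hours=-5))   # US Central
EDT = timezone(timedelta(hours=-4))   # US Eastern

def fat_encode(local: datetime) -> tuple:
    """Pack a naive local time into FAT's 16-bit date and time fields."""
    date = ((local.year - 1980) << 9) | (local.month << 5) | local.day
    time = (local.hour << 11) | (local.minute << 5) | (local.second // 2)
    return date, time

def fat_decode(date: int, time: int) -> datetime:
    """Unpack FAT fields; the result is naive because no zone is stored."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def via_fat(mtime_utc, writer_tz, reader_tz):
    """UTC instant a reader reports after the file passed through FAT."""
    local = mtime_utc.astimezone(writer_tz).replace(tzinfo=None)
    stored = fat_decode(*fat_encode(local))
    return stored.replace(tzinfo=reader_tz).astimezone(timezone.utc)

def has_fat_granularity(stamps) -> bool:
    """True when every timestamp is a whole, even second."""
    return all(s.microsecond == 0 and s.second % 2 == 0 for s in stamps)

# Constructed sample mtimes (not values from the cf.7z or NGP/VAN archives).
ORIGINALS = [
    datetime(2016, 7, 5, 22, 39, 2, 181000, tzinfo=timezone.utc),
    datetime(2016, 7, 5, 22, 39, 5, 907000, tzinfo=timezone.utc),
    datetime(2016, 7, 5, 22, 51, 37, 44000, tzinfo=timezone.utc),
]
# Written under Central settings, read back under Eastern settings.
AFTER_FAT = [via_fat(t, CDT, EDT) for t in ORIGINALS]

def shifts():
    """Apparent shift per file, rounded to whole hours."""
    return [round((a - o).total_seconds() / 3600)
            for o, a in zip(ORIGINALS, AFTER_FAT)]

if __name__ == "__main__":
    print(has_fat_granularity(ORIGINALS), has_fat_granularity(AFTER_FAT))
    print(shifts())
```

The sub-second detail is lost at the encode step, which is why timestamps that have passed through FAT cannot support a transfer-speed estimate.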
It is a testament to the work of the Forensicator that they analyzed the available evidence from Guccifer 2.0 without working towards a biased or preconceived outcome. The newest report raises questions as to how many people were involved with copying these files. However, if The Forensicator’s work is proven to be correct, it corroborates their earlier findings regarding the NGP/VAN files, which fundamentally question the Russian hacking narrative.