Source: Forensicator, When USB’s Fly: Recent Research Supports Forensicator’s Controversial Theory. Republished with permission.
In August of last year (2018), Forensicator came under fire for suggesting a sequence of events that might explain a one hour difference observed between the files in one of the archive files published by Guccifer 2 and another. The report that prompted the controversy was Guccifer 2.0 CF Files Metadata Analysis. The key findings that ignited a dismissive review were (emphasis added):
- The last mod times of all the files in the cf.7z archive are all even multiples of two (2) seconds, indicating that this material was copied to a FAT-formatted media (e.g., a USB thumb drive) before the final cf.7z 7zip file was built from the files on that media.
- The last mod times in the CF files (dated 2016-07-05) appear to be one hour earlier than those recorded in the NGP/VAN files. The Forensicator proposes a scenario where a FAT-formatted media (e.g., USB thumb drive) was written while in a location where Central US time zone settings were in force. This FAT-formatted media was then transported to a location where Eastern US time zone settings were in force. There, the material on the thumb drive was copied to an NTFS-formatted hard drive and the final (cf.7z) 7zip file was built from this copy of the files present on the hard drive. The result of this long chain of events is a series of CF files that appear to be time stamped one hour earlier than those in the NGP/VAN archive.
This finding was controversial at the time, because it advanced the idea that Guccifer 2 (or a member of Guccifer 2’s team) was (physically) operating out of the Central Time Zone (US). Further, it suggested that a USB thumb drive may have been used to effect an “air gap” transfer (a technique used to avoid surveillance and detection).
Based on recent information, the case in favor of Forensicator’s findings has strengthened. We address this new development in this report.
The critical report was penned by Duncan Campbell; it was published in Computer Weekly (July 31, 2018). Mr. Campbell threw a wide net and pulled various people into his story of alleged pro-Kremlin conspiracy. Forensicator challenged Campbell’s hyperbolic claims in The Campbell Conspiracy. Forensicator’s proposed scenario mentioned above, in particular, rubbed Campbell the wrong way.
Campbell was unimpressed by Forensicator’s logic.
Rather than accept Forensicator’s reasoning (that was based on observed facts), Campbell proffers the idea that Guccifer 2 decremented the time stamps for no particular reason. In short, Campbell resorts to the “Guccifer 2 ate my homework” defense. Campbell’s argument is further weakened when (in the same article) he takes the opposite position for another Zip file that Guccifer 2 published (ngpvan.7z). There, he explained obscure patterns in the last modified times as being intentional.
New Evidence that Guccifer 2 May Have Operated within the Central Time Zone
Leidl’s Twitter thread focused on the metadata within the HRC_pass..zip [sic] file (we drop the extra “.” in this discussion). His main focus at the time was to use the high precision internal timestamps in order to calculate an accurate estimate for the transfer speed of the files recorded in the Zip file. Below, is an excerpt from his Twitter thread.
Some Zip Files Disclose the Timezone where they were Written
Leidl refers us to his GitHub gist, where he describes a pertinent discovery (emphasis added, below). Leidl analyzes information in Guccifer 2’s Zip file that indicates the file was likely written on a computer located in the Central Timezone.
Guccifer 2’s Emails also had Central Timezone Indications
By analyzing the email metadata, McIntyre concluded that Guccifer 2’s email was sent from a computer which had its timezone set to Central Time (US).
On the same day that he published the HRC_pass.zip file, Guccifer 2 also conducted an interview with Motherboard. In the interview, Guccifer 2 claimed that he was a lone Romanian hacker, but the journalists reached a different conclusion. Based on Guccifer 2’s poor fluency when writing in Romanian, they suggested that Guccifer 2 was more likely a Russian.
Guccifer 2’s Social Media Activity Also Implicates the Central Timezone
As we discussed in Guccifer 2’s Russian Breadcrumbs, when we analyze Guccifer 2’s Twitter activity and interactions with his WordPress.com site, we see indications that Guccifer 2 may have operated out of the Central timezone. Some researchers have suggested that Guccifer 2 may have managed his social media interactions to coincide with US working hours, which is certainly a possibility. We provide this analysis simply as another data point.
This Central Timezone Finding Strengthens Forensicator’s Hypothesis
Leidl’s discovery went generally unnoticed; however, it has relevance to Forensicator’s hypothesis that some/all of the files in the cf.7z archive file were copied to a thumb drive while located in the Central Timezone and then were subsequently copied back onto a system in the Eastern Timezone. That theory may have seemed tenuous at the time, but is looking more reasonable with this new evidence in hand. In his article, Campbell said “The obvious, simple explanation was that hackers were manipulating computer clock settings” and “the Forensicator came up with a comic and far-fetched explanation to avoid talking about clock tampering.” Taking this new evidence into consideration will Campbell reconsider and accept the idea that there might be other reasonable explanations for the observed fact pattern than simply, “Guccifer 2 ate my homework”?
To the degree that some theories we develop might suggest that Guccifer 2 had team members or help (physically) inside the US, we emphasize that our theories should be considered hypothetical. The DOJ indictment of July 13, 2018 accuses twelve (12) Russian GRU agents of being behind the Guccifer 2 persona. The indictment makes no mention that these agents may have received help within the confines of the United States. We note that indictments are not obligated to list all the facts in a case; there might be other information that hasn’t been disclosed publicly which would invalidate our theories or interpretations of the facts.