New Blockbuster Research Shows Guccifer 2.0 Files Were Copied Locally, Not Hacked

William Craddick's picture

Via Disobedient Media

New meta-analysis has emerged from a document published today by an independent researcher known as The Forensicator, which suggests that files eventually published by the Guccifer 2.0 persona were likely initially downloaded by a person with physical access to a computer possibly connected to the internal DNC network. The individual most likely used a USB drive to copy the information. The groundbreaking new analysis irrevocably destroys the Russian hacking narrative, and calls the actions of Crowdstrike and the DNC into question.

The document supplied to Disobedient Media via Adam Carter was authored by an individual known as The Forensicator. The full document referenced here has been published on their blog. Their analysis indicates the data was almost certainly not accessed initially by a remote hacker, much less one in Russia. If true, this analysis obliterates the Russian hacking narrative completely.

The Forensicator specifically discusses the data that was eventually published by Guccifer 2.0 under the title "NGP-VAN." This should not be confused with the separate publication of the DNC emails by Wikileaks. This article focuses solely on evidence stemming from the files published by Guccifer 2.0, which were previously discussed in depth by Adam Carter.

Disobedient Media previously reported that Crowdstrike is the only group that has directly analyzed the DNC servers. Other groups including Threat Connect have used the information provided by Crowdstrike to claim that Russians hacked the DNC. However, their evaluation was based solely on information ultimately provided by Crowdstrike; this places the company in the unique position of being the only direct source of evidence that a hack occurred.

The group’s President Shawn Henry is a retired executive assistant director of the FBI while their co-founder and CTO, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, which as we have reported, is linked to George Soros. Carter has stated on his website that “At present, it looks a LOT like Shawn Henry & Dmitri Alperovitch (CrowdStrike executives), working for either the HRC campaign or DNC leadership were very likely to have been behind the Guccifer 2.0 operation.” Carter’s website was described by Wikileaks as a useful source of primary information specifically regarding Guccifer 2.0.

Carter recently spoke to Disobedient Media, explaining that he had been contacted by The Forensicator, who had published a document which contained a detailed analysis of the data published by Guccifer 2.0 as "NGP-VAN."

The document states that the files that were eventually published as "NGP-VAN" by Guccifer 2.0 were first copied to a system located in the Eastern Time Zone, with this conclusion supported by the observation that "the .7z file times, after adjustment to East Coast time fall into the range of the file times in the .rar files." This constitutes the first of a number of points of analysis which suggest that the information eventually published by the Guccifer 2.0 persona was not obtained by a Russian hacker.

Image via The Forensicator

The Forensicator stated in their analysis that a USB drive was most likely used to boot a Linux OS on a computer that either contained the alleged DNC files or had direct access to them. They also explained to us that in this situation one would simply plug a USB drive with the Linux OS into a computer and reboot it; after restarting, the computer would boot from the USB drive and load Linux instead of its normal OS. A large amount of data would then be copied to this same USB drive.

In this case, additional files would have been copied en masse, to be "pruned" heavily at a later time when the 7zip archive now known as NGP-VAN was built. The Forensicator wrote that if 1.98 GB of data had been copied at a rate of 22.6 MB/s, and the time gaps noticed at the top level of the NGP-VAN 7zip file were attributed to additional file copying, then approximately 19.3 GB in total would have been copied. In this scenario, the 7zip archive (NGP-VAN) would represent only about 10% of the total amount of data that was collected.

The very small proportion of files eventually selected for use in the creation of the "NGP-VAN" files were later published by the creators of the Guccifer 2.0 persona. This point is especially significant, as it suggests the possibility that up to 90% of the information initially copied was never published.
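The arithmetic behind this estimate, as an added example that is not The Forensicator's code: it measures a copy rate from consecutive last-modified times and then, as the analysis does, attributes the larger gaps to files that were copied but left out of the archive. The listing, the 5-second gap threshold and all function names are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed listing (NOT data from the NGP-VAN archive): last-modified
# time and size in bytes for each file, as an archive listing reports them.
LISTING = [
    ("2016-01-01 12:00:00.0", 10_000_000),
    ("2016-01-01 12:00:01.0", 20_000_000),
    ("2016-01-01 12:00:03.0", 40_000_000),
    ("2016-01-01 12:00:33.0", 5_000_000),   # 30 s gap before this file
    ("2016-01-01 12:00:34.0", 20_000_000),
    ("2016-01-01 12:00:35.5", 30_000_000),
]


def analyse(listing, gap_s=5.0):
    """Estimate copy rate and implied total volume from file timestamps.

    A file's last-modified time is taken as the moment its copy finished,
    so the interval since the previous file is the time spent writing it.
    Intervals longer than gap_s (an assumed threshold) are treated as gaps.
    """
    rows = sorted((datetime.strptime(ts, FMT), size) for ts, size in listing)
    busy_s = busy_bytes = gap_total = 0.0
    for (t0, _), (t1, size) in zip(rows, rows[1:]):
        dt = (t1 - t0).total_seconds()
        if dt > gap_s:
            gap_total += dt       # pause: pruned files or "think time"
        else:
            busy_s += dt          # this file was written during dt
            busy_bytes += size
    if busy_s == 0:
        raise ValueError("no consecutive files close enough to measure a rate")

    rate = busy_bytes / busy_s    # bytes per second while copying
    archive_bytes = sum(size for _, size in rows)
    span_s = (rows[-1][0] - rows[0][0]).total_seconds()
    # Model assumption: the copy ran at `rate` for the whole span, gaps
    # included. The first file's start time is unknown, so add its size.
    implied_total = rows[0][1] + rate * span_s
    return {
        "rate_bps": rate,
        "archive_bytes": archive_bytes,
        "gap_s": gap_total,
        "implied_total_bytes": implied_total,
        "published_fraction": archive_bytes / implied_total,
    }


if __name__ == "__main__":
    r = analyse(LISTING)
    print(f"rate while copying : {r['rate_bps'] / 1e6:.1f} MB/s")
    print(f"bytes in archive   : {r['archive_bytes'] / 1e6:.0f} MB")
    print(f"time in gaps       : {r['gap_s']:.1f} s")
    print(f"implied total      : {r['implied_total_bytes'] / 1e6:.0f} MB")
    print(f"share in archive   : {r['published_fraction']:.1%}")
```

The rate describes only the copy operation that last set these timestamps, and converting gap time into unpublished volume is an assumption of the model, not a measurement.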

The use of a USB drive would suggest that the person first accessing the data could not have been a Russian hacker. In this case, the person who copied the files must have physically interacted with a computer that had access to what Guccifer 2.0 called the DNC files. A less likely explanation for this data pattern, in which large time gaps were observed between top-level files and directories in the 7zip file, is the use of 'think time' to select and copy 1.9 GB of individual files, copied in small batches with think time interspersed. In either scenario, Linux would have been booted from a USB drive, which fundamentally necessitates physical access to a computer with the alleged DNC files.

The Forensicator considered 'think time' the less likely explanation for the time gaps in the available data pattern; more likely, a large amount of data was copied instantaneously and later "pruned" in the production of Guccifer 2.0's publication of the NGP-VAN files.

Both the most likely explanation and the less likely scenario provided by The Forensicator's analysis virtually exclude the possibility of a Russian or remote hacker gaining external access to the files later published as "NGP-VAN." In both cases, the physical presence of a person accessing a computer containing DNC information would be required.

Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet was too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection. This is extremely significant and completely discredits allegations of Russian hacking made by both Guccifer 2.0 and Crowdstrike.

This conclusion is further supported by analysis of the overall transfer rate of 23 MB/s. The Forensicator described this as "possible when copying over a LAN, but too fast to support the hypothetical scenario that the alleged DNC data was initially copied over the Internet (esp. to Romania)." Guccifer 2.0 had claimed to originate in Romania. In other words, this rate indicates that the data was downloaded locally, possibly using the local DNC network. The importance of this finding in regards to destroying the Russian hacking narrative cannot be overstated.

If the data is correct, then the files could not have been copied over a remote connection and therefore cannot have been "hacked by Russia."

The use of a USB drive would also strongly suggest that the person copying the files had physical access to a computer most likely connected to the local DNC network. Indications that the individual used a USB drive to access the information over an internal connection, with time stamps placing the creation of the copies in the East Coast Time Zone, suggest that the individual responsible for initially copying what was eventually published by the Guccifer 2.0 persona under the title "NGP-VAN" was located in the Eastern United States, not Russia.

The implications of The Forensicator's analysis, in combination with Adam Carter's work, suggest that at the very least, the Russian hacking narrative is patently false. Adam Carter has a strong grasp on the NGP-VAN files and Guccifer 2.0, with his website on the subject called a "good source" by Wikileaks via Twitter. Carter told Disobedient Media that in his opinion the analysis provided by The Forensicator was accurate, but added that if changes are made to the work in future, any new conclusions would require further vetting.

On the heels of recent retractions by legacy media outlets like CNN and The New York Times, this could have serious consequences, if months of investigation into the matter by authorities are proven to have been based on gross misinformation based solely on the false word of Crowdstrike.

Assange recently lamented widespread ignorance about the DNC Leak via Twitter, specifically naming Hillary Clinton, the DNC, the White House and mainstream media as having “reason” to suppress the truth of the matter. As one of the only individuals who would have been aware of the source of the DNC Leaks, Assange’s statement corroborates a scenario where the DNC and the parties described in Adam Carter's work, likely to have included Crowdstrike, may have participated in “suppressing knowledge” of the true origins and evidence surrounding the leak of the DNC emails by confusing them with the publication of the Guccifer 2.0 persona.

Despite Guccifer 2.0's conflicting reports of having both been a Russian hacker and having contact with Seth Rich, the work of The Forensicator indicates that neither of these scenarios is likely true. What is suggested is that the files now known as "NGP-VAN" were copied by someone with access to a system connected to the DNC internal network, and that this action had no bearing on the files submitted to Wikileaks and was most likely unassociated with Seth Rich, and definitively not remotely "hacked" from Russia.

Reaper's picture

If CIA can hide its tracks, Putin's agencies can too = no proof can be obtained. Thus Russian hacking, like warming, becomes proven by the number and strength of the emoting by true believers.

silverer's picture

I'm sure this will be on CNN for at least a week, and discussed frequently over the next couple of months. Oh wait...

Dumpster Elite's picture

Headlines at CNN: "Were the Russians behind the effort to say that the Russians were not involved in hacking the DNC files??? Some say YES."

seataka's picture

Wonderful news
But for 'true believers'  this will be like telling Tom Cruise that Hubbard was a Hypnotist and a LIAR and got an "F" in Physics
What do 911, Russian Hacking, Flat Earth and SCIENTOLOGY all have in common?




Ban KKiller's picture

It's all rigged with known unknowns and DNC leakers? The fact that the DNC wouldn't and didn't hand over their servers says it all. Ha ha ha ha.

We had FBI come over and remove our hard drive. They brought it back in two days and in four days they WROTE back to say that our books were clean. No evidence of collusion with drug dealers buying cars for cash over ten K. Ha ha ha ha. Point is, they were fast! Corrupt DNC? Oh right. A given.

DisorderlyConduct's picture

The Metadata can be altered manually. If I had lifted the docs I would have zeroed it all out. The transfer rate analysis is compelling. What hacker is going to suffer a day of transfer and risk exposure - you have to be picky when shipping data over a slow link.

While interesting, this analysis actually proves nothing. What it hints at points us to a cold case that will never be solved. His name was - you know...

DuneCreature's picture

***)) One Eyed Pirate Mueller Has Assembled His Boarding Party ((***

Ok, Trumpeters get ready for a boarding attempt over the starboard rail.

One Eyed Mueller and his raiders are rowing toward the ship right now and One Eye is issuing last minute instructions and assigning objectives to his assault team ace marauders and team leaders.

These raiders are out for blood, booty and extreme embarrassment so rally around your captain if you dare or care.

The rest of us are going to make some popcorn, melt some Keigold and maybe roll out a fresh barrel of grog and pound in a tap.

This raiding party looks a lot like the Clinton Satan Foundation legal staff. ....... I told Donald he would regret not throwing the evil lying witch in jail. ... Now she's funding the assault on his ship like a big sore loser. ....... Meanwhile, John The Molesta is out burying booty and treasure just in case things get ugly and the Satan Foundation raiders have to retreat to somewhere and lick each other's wounds.

The impeachment team is the who's who of anyone and everyone with a personal reason to make Trump 'Wank The Plank' (tm) and resign.

Send the squeamish and faint of heart below. ..... This story of DC intrigue is about to grow some hair on it.

Live Hard, Oh Look!.. There's Slippery And Cagey Putting On Their Full Body 'Blanket Immunity' Suits Of Armor,...It Gets Really Hot And Stuffy Wearing All That Metal Into Battle. .... I Hope They Both Get Thrown Overboard In Their Heavy Iron Clown Shirts and Shin Guards, Myself, Die Free

~ DC v7.3

apberusdisvet's picture

It would appear that the DOJ and FBI are totally controlled by the swamp. A good house cleaning is needed; does Sessions have the balls to do it?

LyLo's picture

Various 4chan autists seem to be of the belief that "Guccifer 2.0" is, in fact, the DNC staging a leak.  Which would totally align with this new information, unlike most other running theories (Rich aside).  (Not necessarily endorsing, just wanted to throw that out there.)

John C Durham's picture

One year later. Duh. It was the young man killed shortly after the leak last summer. Remember him?

Julian offered $20,000 reward for information of his death, because one of WikiLeaks partners took the thumb drive directly from Seth Rich in Washington DC.

The full story was printed in the London press. Ironic because (the City of) London has long been the center for everything evil in the West. MI6/5 control our CIA/NSA since Truman.

It does look like, with yesterday's Comey expose in the Hill, that everything is going to come out. The Democratic Party is toast. And, so will soon the CIA/NSA be also. Big changes at the FBI I would expect, also.

CIA/NSA work should be directly under the Military and the FBI directly under the President.

r0mulus's picture

This is a hugely important story! The forensicator report- linked in the version hosted on disobedient media- is a fantastic analysis to read. I strongly recommend you all click through to peruse it!

Anyways though, the significance of this information should not be understated: CrowdStrike is clearly lying or incompetent, and it begs the question as to why the FBI trusted them to conduct their own investigation. Isn't that what the FBI is supposed to do?

Files copied 7/5 and SR perishes 7/10. This story reeks to high heaven.
It's unbelievable the amount of resistance you will find trying to talk to any center-left msm dems about this...

J04NNY8's picture

Incompetence... everywhere.  Natural or deliberate, that's the question, right?  Before going further let me say I have a history of voting conservative D - not mid-sixties post-LBJ, a little later.  I was struck by a couple of things by the article though, first that it appears to be the first and only entry on a site with little to no attribution.  Why is this?

Second, the thought processes though good are not complete enough.  To offer possible answers like transfer times to preclude actors by geography for example.  Russian hackers only live in Russia; can't work as office cleaning staff in US buildings?

I applaud the effort made to analyse the information.  Knowing more of the 'how' is something we've needed. I just wish there were a little more light shed on the presenter. 

PT's picture

I'm so glad the Dems didn't get in.  They were full on compromised.  Why, the Russians had totally hacked their server and they didn't even know it until after the Don got in.


... errr, that, of course, assumes that I believe the Russians hacked.  Just another angle of attack...

Eek!  Now the Russkies have all that classified information that Hillary grossly negligently left lying around on her server, or did that info never make its way to the DNC network?

I'm so glad Trump got in.  Otherwise we never would have learnt the extent to which the Russkies had infiltrated the US already!  I think he should stay in while he sorts this mess out.  We can't afford to have Dems anywhere near Classified info or nuclear secrets as long as they have leaky, compromised, Russian-hacked servers.  When is the DNC going to hire some better IT people to make sure the hacking stops?  How will they ever know the hacking has stopped?  They didn't know last time until it was too late.  We should thank both Trump and Putin for bringing this vulnerability to the attention of the public.  Who knows what could have happened if HRC got in and we never found out?!!!!

SillySalesmanQuestion's picture

Hey DNC. Let's talk a little more about NGP/VAN, synched Blackberry phones and a lot less about how "the Russians did it."

PT's picture

But the Russians ate my homework.
Then they hacked my credit card and spent all the money on strippers.  Honest honey!  You gotta believe me!!!
Then they hacked my car so it wouldn't start and made me late to work.

Arnold's picture

He was Seth Rich.

And Podesta the Molesta?
And his little dog Brock, too.

Redistribution Of Relevance's picture

His Name Was Seth Rich, and he died ONE YEAR AGO TODAY. Here are 6 FACTS that point to assassination, not "botched robbery". Make his killers REGRET his death.


Arnold's picture

"On the heels of recent retractions by legacy media outlets like CNN and The New York Times, this could have serious consequences, if months of investigation into the matter by authorities are proven to have been based on gross misinformation based solely on the false word of Crowdstrike."

By March 23, CrowdStrike would scale back some of the claims about the extent of the damage caused by the malware, but stood by its core claims about Russian sources of the hacking.[23]

mc888's picture

Crowdstrike = Ukrainian hackers/forgers on ClintonBux payroll, with a motive to implicate Russia.

This was ACTUAL collusion with a foreign 'power' (and I use the term loosely) installed by Obamunist regime coup of Ukraine.

PrivetHedge's picture

CrowdStrike are therefore proven to be either incompetent or liars.

Neither being a particularly good advert.

Arnold's picture

An AWAN Brothers subsidiary.

Got The Wrong No's picture

Where is that DNC Server???  

Antivenom's picture

DNC SERVER was destroyed. And all laptops were rounded up and wiped...but we know there is a laptop that was in Antwan's possession that was hidden in a crevice, that was retrieved by DC police from the secret crevice. The laptop that Debbie Wasserman Schultz is quite hysterical over, and threatened the police about.

I think the laptop, that is in the police possession, is the missing link, that is tying everything together. It likely didn't get wiped, has the evidence that ties the cover up together.

From the NYT December 2016...

In the six weeks after CrowdStrike’s arrival, in total secrecy, the computer system at the D.N.C. was replaced. For a weekend, email and phones were shut off; employees were told it was a system upgrade. All laptops were turned in and the hard drives wiped clean, with the uninfected information on them imaged to new drives.

New_Meat's picture

If you keep wiping with new, improve, Formula 409, soon enough all of the atoms are wiped away.

The new product name was reportedly "Bulkhead Remover".

The lab is now working on the missing human flesh problem, a troubling outcome from the base use case.

virgule's picture

If the data in the above report is accurate, then a lot of FBI and related investigative personnel are going to look like fools - this is a very basic & simple examination of the meta-data. So....what were they doing all this while?

oncemore's picture

It is basic but not simple.

I do have an excellent Linux knowledge, but would have to pass with M$ windoze

The analyst is very good. Too good.

I suspect an infight at cia or nsa and this is the limited hangout.

garcam123's picture

My best guess is jackin each other off!