Guccifer 2.0 - Forensic Analysis/Findings


Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Fri Mar 22, 2019 12:25 pm

Did anyone catch the latest 'VIPS Memo' on the subject? ... -findings/

I'll dump it here in full...

The final Mueller report should be graded “incomplete,” says VIPS, whose forensic work proves the speciousness of the story that DNC emails published by WikiLeaks came from Russian hacking.

March 13, 2019
MEMORANDUM FOR: The Attorney General
FROM: Veteran Intelligence Professionals for Sanity (VIPS)
SUBJECT: Mueller’s Forensics-Free Findings

Executive Summary

Media reports are predicting that Special Counsel Robert Mueller is about to give you the findings of his probe into any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump. If Mueller gives you his “completed” report anytime soon, it should be graded “incomplete.” Major deficiencies include depending on a DNC-hired cybersecurity company for forensics and failure to consult with those who have done original forensic work, including us and the independent forensic investigators with whom we have examined the data. We stand ready to help.

We veteran intelligence professionals (VIPS) have done enough detailed forensic work to prove the speciousness of the prevailing story that the DNC emails published by WikiLeaks came from Russian hacking. Given the paucity of evidence to support that story, we believe Mueller may choose to finesse this key issue and leave everyone hanging. That would help sustain the widespread belief that Trump owes his victory to President Vladimir Putin, and strengthen the hand of those who pay little heed to the unpredictable consequences of an increase in tensions with nuclear-armed Russia.

There is an overabundance of “assessments” but a lack of hard evidence to support that prevailing narrative. We believe that there are enough people of integrity in the Department of Justice to prevent the outright manufacture or distortion of “evidence,” particularly if they become aware that experienced scientists have completed independent forensic study that yields very different conclusions. We know only too well — and did our best to expose — how our former colleagues in the intelligence community manufactured fraudulent “evidence” of weapons of mass destruction in Iraq.

We have scrutinized publicly available physical data — the “trail” that every cyber operation leaves behind. And we have had support from highly experienced independent forensic investigators who, like us, have no axes to grind. We can prove that the conventional-wisdom story about Russian-hacking-DNC-emails-for-WikiLeaks is false. Drawing largely on the unique expertise of two VIPS scientists who worked for a combined total of 70 years at the National Security Agency and became Technical Directors there, we have regularly published our findings. But we have been deprived of a hearing in mainstream media — an experience painfully reminiscent of what we had to endure when we exposed the corruption of intelligence before the attack on Iraq 16 years ago.

This time, with the principles of physics and forensic science to rely on, we are able to adduce solid evidence exposing mistakes and distortions in the dominant story. We offer you below — as a kind of aide-memoire — a discussion of some of the key factors related to what has become known as “Russia-gate.” And we include our most recent findings drawn from forensic work on data associated with WikiLeaks’ publication of the DNC emails.

We do not claim our conclusions are “irrefutable and undeniable,” a la Colin Powell at the UN before the Iraq war. Our judgments, however, are based on the scientific method — not “assessments.” We decided to put this memorandum together in hopes of ensuring that you hear that directly from us.

If the Mueller team remains reluctant to review our work — or even to interview willing witnesses with direct knowledge, like WikiLeaks’ Julian Assange and former UK Ambassador Craig Murray, we fear that many of those yearning earnestly for the truth on Russia-gate will come to the corrosive conclusion that the Mueller investigation was a sham.

In sum, we are concerned that, at this point, an incomplete Mueller report will fall far short of the commitment made by then Acting Attorney General Rod Rosenstein “to ensure a full and thorough investigation,” when he appointed Mueller in May 2017. Again, we are at your disposal.


The centerpiece accusation of Kremlin “interference” in the 2016 presidential election was the charge that Russia hacked Democratic National Committee emails and gave them to WikiLeaks to embarrass Secretary Hillary Clinton and help Mr. Trump win. The weeks following the election witnessed multiple leak-based media allegations to that effect. These culminated on January 6, 2017 in an evidence-light, rump report misleadingly labeled “Intelligence Community Assessment (ICA).” Prepared by “handpicked analysts” from only three of the 17 U.S. intelligence agencies (CIA, FBI, and NSA), the assessment expressed “high confidence” in the Russia-hacking-to-WikiLeaks story, but lacked so much as a hint that the authors had sought access to independent forensics to support their “assessment.”

The media immediately awarded the ICA the status of Holy Writ, choosing to overlook an assortment of banal, full-disclosure-type caveats included in the assessment itself — such as:

“When Intelligence Community analysts use words such as ‘we assess’ or ‘we judge,’ they are conveying an analytic assessment or judgment. …Judgments are not intended to imply that we have proof that shows something to be a fact. … Assessments are based on collected information, which is often incomplete or fragmentary … High confidence in a judgment does not imply that the assessment is a fact or a certainty; such judgments might be wrong.”

To their credit, however, the authors of the ICA did make a highly germane point in introductory remarks on “cyber incident attribution.” They noted: “The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation — malicious or not — leaves a trail.” [Emphasis added.]


The imperative is to get on that “trail” — and quickly, before red herrings can be swept across it. The best way to establish attribution is to apply the methodology and processes of forensic science. Intrusions into computers leave behind discernible physical data that can be examined scientifically by forensic experts. Risk to “sources and methods” is normally not a problem.
Direct access to the actual computers is the first requirement — the more so when an intrusion is termed “an act of war” and blamed on a nuclear-armed foreign government (the words used by the late Sen. John McCain and other senior officials). In testimony to the House Intelligence Committee in March 2017, former FBI Director James Comey admitted that he did not insist on physical access to the DNC computers even though, as he conceded, “best practices” dictate direct access.

In June 2017, Senate Intelligence Committee Chair Richard Burr asked Comey whether he ever had “access to the actual hardware that was hacked.” Comey answered, “In the case of the DNC … we did not have access to the devices themselves. We got relevant forensic information from a private party, a high-class entity, that had done the work. …” Sen. Burr followed up: “But no content? Isn’t content an important part of the forensics from a counterintelligence standpoint?” Comey: “It is, although what was briefed to me by my folks … is that they had gotten the information from the private party that they needed to understand the intrusion by the spring of 2016.”

The “private party/high-class entity” to which Comey refers is CrowdStrike, a cybersecurity firm of checkered reputation and multiple conflicts of interest, including very close ties to a number of key anti-Russian organizations. Comey indicated that the DNC hired CrowdStrike in the spring of 2016.

Given the stakes involved in the Russia-gate investigation – including a possible impeachment battle and greatly increased tension between Russia and the U.S. — it is difficult to understand why Comey did not move quickly to seize the computer hardware so the FBI could perform an independent examination of what quickly became the major predicate for investigating election interference by Russia. Fortunately, enough data remain on the forensic “trail” to arrive at evidence-anchored conclusions. The work we have done shows the prevailing narrative to be false. We have been suggesting this for over two years. Recent forensic work significantly strengthens that conclusion.

We Do Forensics

Recent forensic examination of the Wikileaks DNC files shows they were created on 23, 25 and 26 May 2016. (On June 12, Julian Assange announced he had them; WikiLeaks published them on July 22.) We recently discovered that the files reveal a FAT (File Allocation Table) system property. This shows that the data had been transferred to an external storage device, such as a thumb drive, before WikiLeaks posted them.

FAT is a simple file system named for its method of organization, the File Allocation Table. It is used for storage only and is not related to internet transfers like hacking. Were WikiLeaks to have received the DNC files via a hack, the last modified times on the files would be a random mixture of odd- and even-ending numbers.

Why is that important? The evidence lies in the “last modified” time stamps on the Wikileaks files. When a file is stored under the FAT file system the software rounds the time to the nearest even-numbered second. Every single one of the time stamps in the DNC files on WikiLeaks’ site ends in an even number.

We have examined 500 DNC email files stored on the Wikileaks site. All 500 files end in an even number—2, 4, 6, 8 or 0. If those files had been hacked over the Internet, there would be an equal probability of the time stamp ending in an odd number. The random probability that FAT was not used is 1 chance in 2 to the 500th power. Thus, these data show that the DNC emails posted by WikiLeaks went through a storage device, like a thumb drive, and were physically moved before Wikileaks posted the emails on the World Wide Web.

This finding alone is enough to raise reasonable doubts, for example, about Mueller’s indictment of 12 Russian intelligence officers for hacking the DNC emails given to WikiLeaks. A defense attorney could easily use the forensics to argue that someone copied the DNC files to a storage device like a USB thumb drive and got them physically to WikiLeaks — not electronically via a hack.

Role of NSA

For more than two years, we strongly suspected that the DNC emails were copied/leaked in that way, not hacked. And we said so. We remain intrigued by the apparent failure of NSA’s dragnet, collect-it-all approach — including “cast-iron” coverage of WikiLeaks — to provide forensic evidence (as opposed to “assessments”) as to how the DNC emails got to WikiLeaks and who sent them. Well before the telling evidence drawn from the use of FAT, other technical evidence led us to conclude that the DNC emails were not hacked over the network, but rather physically moved over, say, the Atlantic Ocean.

Is it possible that NSA has not yet been asked to produce the collected packets of DNC email data claimed to have been hacked by Russia? Surely, this should be done before Mueller completes his investigation. NSA has taps on all the transoceanic cables leaving the U.S. and would almost certainly have such packets if they exist. (The detailed slides released by Edward Snowden actually show the routes that trace the packets.)

The forensics we examined shed no direct light on who may have been behind the leak. The only thing we know for sure is that the person had to have direct access to the DNC computers or servers in order to copy the emails. The apparent lack of evidence from the most likely source, NSA, regarding a hack may help explain the FBI’s curious preference for forensic data from CrowdStrike. No less puzzling is why Comey would choose to call CrowdStrike a “high-class entity.”

Comey was one of the intelligence chiefs briefing President Obama on January 5, 2017 on the “Intelligence Community Assessment,” which was then briefed to President-elect Trump and published the following day. That Obama found a key part of the ICA narrative less than persuasive became clear at his last press conference (January 18), when he told the media, “The conclusions of the intelligence community with respect to the Russian hacking were not conclusive … as to how ‘the DNC emails that were leaked’ got to WikiLeaks.”

Is Guccifer 2.0 a Fraud?

There is further compelling technical evidence that undermines the claim that the DNC emails were downloaded over the internet as a result of a spearphishing attack. William Binney, one of VIPS’ two former Technical Directors at NSA, along with other former intelligence community experts, examined files posted by Guccifer 2.0 and discovered that those files could not have been downloaded over the internet. It is a simple matter of mathematics and physics.

There was a flurry of activity after Julian Assange announced on June 12, 2016: “We have emails relating to Hillary Clinton which are pending publication.” On June 14, DNC contractor CrowdStrike announced that malware was found on the DNC server and claimed there was evidence it was injected by Russians. On June 15, the Guccifer 2.0 persona emerged on the public stage, affirmed the DNC statement, claimed to be responsible for hacking the DNC, claimed to be a WikiLeaks source, and posted a document that forensics show was synthetically tainted with “Russian fingerprints.”

Our suspicions about the Guccifer 2.0 persona grew when G-2 claimed responsibility for a “hack” of the DNC on July 5, 2016, which released DNC data that was rather bland compared to what WikiLeaks published 17 days later (showing how the DNC had tipped the primary scales against Sen. Bernie Sanders). As VIPS reported in a wrap-up Memorandum for the President on July 24, 2017 (titled “Intel Vets Challenge ‘Russia Hack’ Evidence”), forensic examination of the July 5, 2016 cyber intrusion into the DNC showed it NOT to be a hack by the Russians or by anyone else, but rather a copy onto an external storage device. It seemed a good guess that the July 5 intrusion was a contrivance to preemptively taint anything WikiLeaks might later publish from the DNC, by “showing” it came from a “Russian hack.” WikiLeaks published the DNC emails on July 22, three days before the Democratic convention.

As we prepared our July 24 memo for the President, we chose to begin by taking Guccifer 2.0 at face value; i.e., that the documents he posted on July 5, 2016 were obtained via a hack over the Internet. Binney conducted a forensic examination of the metadata contained in the posted documents and compared that metadata with the known capacity of Internet connection speeds at the time in the U.S. This analysis showed a transfer rate as high as 49.1 megabytes per second, which is much faster than was possible from a remote online Internet connection. The 49.1 megabytes speed coincided, though, with the rate that copying onto a thumb drive could accommodate.

Binney, assisted by colleagues with relevant technical expertise, then extended the examination and ran various forensic tests from the U.S. to the Netherlands, Albania, Belgrade and the UK. The fastest Internet rate obtained — from a data center in New Jersey to a data center in the UK — was 12 megabytes per second, which is less than a fourth of the capacity typical of a copy onto a thumb drive.

The findings from the examination of the Guccifer 2.0 data and the WikiLeaks data do not indicate who copied the information to an external storage device (probably a thumb drive). But our examination does disprove that G.2 hacked into the DNC on July 5, 2016. Forensic evidence for the Guccifer 2.0 data adds to other evidence that the DNC emails were not taken by an internet spearphishing attack. The data breach was local. The emails were copied from the network.

Presidential Interest

After VIPS’ July 24, 2017 Memorandum for the President, Binney, one of its principal authors, was invited to share his insights with Mike Pompeo, CIA Director at the time. When Binney arrived in Pompeo’s office at CIA Headquarters on October 24, 2017 for an hour-long discussion, the director made no secret of the reason for the invitation: “You are here because the President told me that if I really wanted to know about Russian hacking I needed to talk with you.”

Binney warned Pompeo — to stares of incredulity — that his people should stop lying about the Russian hacking. Binney then started to explain the VIPS findings that had caught President Trump’s attention. Pompeo asked Binney if he would talk to the FBI and NSA. Binney agreed, but has not been contacted by those agencies. With that, Pompeo had done what the President asked. There was no follow-up.

Confronting James Clapper on Forensics

We, the hoi polloi, do not often get a chance to talk to people like Pompeo — and still less to the former intelligence chiefs who are the leading purveyors of the prevailing Russia-gate narrative. An exception came on November 13, when former National Intelligence Director James Clapper came to the Carnegie Endowment in Washington to hawk his memoir. Answering a question during the Q&A about Russian “hacking” and NSA, Clapper said:

“Well, I have talked with NSA a lot … And in my mind, I spent a lot of time in the SIGINT business, the forensic evidence was overwhelming about what the Russians had done. There’s absolutely no doubt in my mind whatsoever.” [Emphasis added]

Clapper added: “… as a private citizen, understanding the magnitude of what the Russians did and the number of citizens in our country they reached and the different mechanisms that, by which they reached them, to me it stretches credulity to think they didn’t have a profound impact on election on the outcome of the election.”

(A transcript of the interesting Q&A can be found here and a commentary on Clapper’s performance at Carnegie, as well as on his longstanding lack of credibility, is here.)

Normally soft-spoken Ron Wyden, Democratic senator from Oregon, lost his patience with Clapper last week when he learned that Clapper is still denying that he lied to the Senate Intelligence Committee about the extent of NSA surveillance of U.S. citizens. In an unusual outburst, Wyden said: “James Clapper needs to stop making excuses for lying to the American people about mass surveillance. To be clear: I sent him the question in advance. I asked him to correct the record afterward. He chose to let the lie stand.”

The materials brought out by Edward Snowden in June 2013 showed Clapper to have lied under oath to the committee on March 12, 2013; he was, nevertheless, allowed to stay on as Director of National Intelligence for three and a half more years. Clapper fancies himself an expert on Russia, telling Meet the Press on May 28, 2017 that Russia’s history shows that Russians are “typically, almost genetically driven to co-opt, penetrate, gain favor, whatever.”

Clapper ought to be asked about the “forensics” he said were “overwhelming about what the Russians had done.” And that, too, before Mueller completes his investigation.

For the steering group, Veteran Intelligence Professionals for Sanity:

William Binney, former NSA Technical Director for World Geopolitical & Military Analysis; Co-founder of NSA’s Signals Intelligence Automation Research Center (ret.)
Richard H. Black, Senator of Virginia, 13th District; Colonel US Army (ret.); Former Chief, Criminal Law Division, Office of the Judge Advocate General, the Pentagon (associate VIPS)
Bogdan Dzakovic, former Team Leader of Federal Air Marshals and Red Team, FAA Security (ret.) (associate VIPS)
Philip Giraldi, CIA, Operations Officer (ret.)
Mike Gravel, former Adjutant, top secret control officer, Communications Intelligence Service; special agent of the Counter Intelligence Corps and former United States Senator
James George Jatras, former U.S. diplomat and former foreign policy adviser to Senate leadership (Associate VIPS)
Larry C. Johnson, former CIA and State Department Counter Terrorism officer
John Kiriakou, former CIA Counterterrorism Officer and former senior investigator, Senate Foreign Relations Committee
Karen Kwiatkowski, former Lt. Col., US Air Force (ret.), at Office of Secretary of Defense watching the manufacture of lies on Iraq, 2001-2003
Edward Loomis, Cryptologic Computer Scientist, former Technical Director at NSA (ret.)
David MacMichael, Ph.D., former senior estimates officer, National Intelligence Council (ret.)
Ray McGovern, former US Army infantry/intelligence officer & CIA analyst; CIA Presidential briefer (ret.)
Elizabeth Murray, former Deputy National Intelligence Officer for the Near East, National Intelligence Council & CIA political analyst (ret.)
Todd E. Pierce, MAJ, US Army Judge Advocate (ret.)
Peter Van Buren, US Department of State, Foreign Service Officer (ret.) (associate VIPS)
Sarah G. Wilton, CDR, USNR, (ret.); Defense Intelligence Agency (ret.)
Kirk Wiebe, former Senior Analyst, SIGINT Automation Research Center, NSA
Ann Wright, retired U.S. Army reserve colonel and former U.S. diplomat who resigned in 2003 in opposition to the Iraq War

Veteran Intelligence Professionals for Sanity (VIPS) is made up of former intelligence officers, diplomats, military officers and congressional staffers. The organization, founded in 2002, was among the first critics of Washington’s justifications for launching a war against Iraq. VIPS advocates a US foreign and national security policy based on genuine national interests rather than contrived threats promoted for largely political reasons. An archive of VIPS memoranda is available at

Their finding regarding the even-numbered 'seconds' of the file creation times being indicative of the use of a USB stick/drive is spot on: ... IR_OFS_0Eh

Create time (since DOS 7.0 with VFAT). The hour, minute and second are encoded according to the following bitmap:

Bits     Description
15-11    Hours (0-23)
10-5     Minutes (0-59)
4-0      Seconds/2 (0-29)

The seconds is recorded only to a 2 second resolution.

(my emph.)

USB stick = 'Leak', not 'hack'.

The comments on the above are interesting... one stands out in particular:

March 17, 2019 at 15:28

I’ve touched on this matter in some comments I’ve already left in response to several posts by others, but here I want to outline what Craig Murray has actually claimed in his interview with Scott Horton. If this interview were more widely known, several points of confusion would be cleared up. Here I will summarize the key contents of that interview, and also summarize what we have reason to believe about the identities of the WikiLeaks leakers and Guccifer 2 from this and a few other sources.

See: “December 13, 2016 – Craig Murray: DNC, Podesta emails leaked, not hacked – Episode 4328”:

I summarize the key points as follows:

1. Murray asserts that the DNC leak and the Podesta leak involved two entirely different sources.

2. Murray flatly asserts that in both cases the leaks were “by Americans” who had access to the information they leaked as part of their jobs.

3. Murray flatly asserts that Guccifer 2.0 was not the source in either case.

4. The person he met in Washington was clearly the Podesta leaker.

5. Murray says this meeting occurred after the Podesta material was already safely with WikiLeaks.

6. Murray insinuates rather plainly that the person was involved (within American intelligence or law enforcement) in monitoring John Podesta’s communications as a registered and paid lobbyist for Saudi Arabia.

7. Murray suggests that the answer to the question “was the leaker someone from intelligence/law enforcement, or was the leaker someone from the Democratic Party/DNC?” that the answer will be different in the two cases – which, given points (1) and (6), implies that the DNC leak was from a Democratic insider.

8. Murray says that Julian Assange’s statement about Seth Rich reflects concern that Rich may have been killed on orders of someone who _thought_ he was the leaker – whether correctly or incorrectly. Thus Murray does not deny that Seth Rich was the DNC leaker but also avoids confirming it. We must still assume _some_ rational basis for so thinking on the part of Rich’s possible killers is being implied by Assange – such as knowledge that Rich had been in touch with WikiLeaks.

9. Turning to other sources of information, it is clear that Murray’s meeting in Washington with the Podesta leaker will have occurred after he left the Sam Adams Award for Integrity in Intelligence banquet early in order to do so. (In other interviews which I haven’t kept track of, Scott Horton says that two other people he’s interviewed (Phil Giraldi and Ray McGovern?) were there at the banquet and witnessed Murray leave early.) This was on September 25, 2016.

10. In video extracted in the course of Bill Binney’s recent interview with Jason Goodman, Murray says that the purpose of the meeting was “administrative” only. He says that “even whistleblowers have administration and bureaucracy.” He says “I never in my life met Seth Rich, and he, of course, had sadly been murdered some months before the occasion on which I was there meeting someone.”

In this latter interview with Binney, Binney reveals “the people I know, they have at least two other avenues of information coming to them that verify what Seth [sic – clearly Sy Hersh, the recording of whom regarding Seth Rich he had just referred to] said about the FBI having the data on Seth Rich’s computer, where he contacted WikiLeaks and transferred some data and wanted money for the rest of the data. I don’t think that’s publicly known yet.” See:

So, summarizing the available information pertaining to the three sources of information (DNC, Podesta and G-2):

We have Julian Assange implying that Seth Rich’s killers would have had reason to suspect a connection between Seth Rich and WikiLeaks.

We have Ambassador Murray claiming to know that both the DNC and Podesta leaks were “by Americans”, implying that the DNC leak was by a Democratic insider, and implying the same thing regarding Seth Rich as Assange does (without actually confirming that such suspicions were fully correct).

We have file-sharing entrepreneur Kim Dotcom claiming that he himself was involved with Seth Rich in the DNC leak, further indicating that he had been in communication with Rich since 2014, and offering to testify in detail to American investigators given assurances against prosecution.

We have Sy Hersh attesting to the existence of FBI knowledge from Seth Rich’s computer implicating Seth Rich in the DNC leak. And now we have Bill Binney saying Hersh’s information has been independently confirmed by people he knows.

We have Ed Butowski claiming that his source who had contacted him after returning from London revealed to him that Seth Rich had been responsible for the WikiLeaks DNC leak along with his brother Aaron, that Seth Rich’s parents at first privately acknowledged this, that Seth had downloaded the emails to a $56 Western Digital hard drive, transferred the trove to WikiLeaks on or about June 23, 2016, and been paid some $48,000 by WikiLeaks.

Murray strongly hints that the person responsible for the Podesta leak was an American intelligence or law enforcement insider. Steve Pieczenik strikes me as someone whose testimony must be treated with caution. But it must be pointed out that in his (admittedly rather strange in some respects) Youtube video of November 1, 2016, Pieczenik claims that the Podesta leaker was an associate of his in American intelligence or law enforcement. Thus, Murray’s and Pieczenik’s statements are in agreement on this point.

Binney and Johnson’s finding that whereas the WikiLeaks DNC files show FAT formatting, the WikiLeaks Podesta files do not. This is consistent with Murray’s claim that there were two independent sources involved.

Binney has suggested (without claiming to know for sure) that the Guccifer 2 persona was part of a CIA disinformation effort in which Brennan had a hand. The illicit Sy Hersh recording has him also referring to a Brennan disinformation op.

Personally, I think that the Vault 7 revelations about the CIA’s ability to engage in hacks while leaving signs that would cause attribution to others is a red herring. The timing alone suggests hasty responses to Julian Assange’s announcement were involved in the June 14 WP story and the June 15 debut of G-2. There need have been no real hack involved in that case either – as the VIPS’ previous download speed study suggests. The forensics of the first documents released by G-2 – as developed by The Forensicator and Adam Carter – suggest methods of creating the “Russian fingerprints” in the first G-2 were different and less sophisticated.

Comey has testified that “we think they [the Russians] used cutouts of some kind” (or similar wording) to transfer the material to WikiLeaks. This may be as close as he’ll come to admitting that he knows the identities of the real leakers, and also about the Guccifer 2 deception operation used as cover. Note he didn’t say that Guccifer 2 was such a cutout.

(edit: Fix links)
Last edited by alloneword on Fri Mar 22, 2019 6:38 pm, edited 1 time in total.
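Added example, not part of alloneword's post or the VIPS memo: a Python sketch of the 16-bit time field from the bitmap quoted in the post above, showing why timestamps that have passed through it always end on an even second, plus the parity count the memo describes. Function names and the sample timestamps are constructed for illustration; dropping the odd second by integer division is an assumption of this example.

```python
from datetime import datetime
from fractions import Fraction


def pack_fat_time(hour: int, minute: int, second: int) -> int:
    """Pack a time of day into the 16-bit field from the quoted bitmap:
    bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2."""
    if not (0 <= hour <= 23 and 0 <= minute <= 59 and 0 <= second <= 59):
        raise ValueError("time of day out of range")
    # Assumption of this example: the odd second is dropped by integer division.
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_fat_time(field: int) -> tuple:
    """Decode the 16-bit field back to (hour, minute, second)."""
    if not 0 <= field <= 0xFFFF:
        raise ValueError("field must fit in 16 bits")
    hour = (field >> 11) & 0x1F
    minute = (field >> 5) & 0x3F
    half_seconds = field & 0x1F
    # 5 and 6 bits can hold values the clock cannot; reject them.
    if hour > 23 or minute > 59 or half_seconds > 29:
        raise ValueError("not a valid FAT time field")
    return hour, minute, half_seconds * 2


def through_fat(ts: datetime) -> datetime:
    """Return the timestamp as it reads after being stored in the field."""
    h, m, s = unpack_fat_time(pack_fat_time(ts.hour, ts.minute, ts.second))
    return ts.replace(hour=h, minute=m, second=s, microsecond=0)


def parity_report(timestamps: list) -> dict:
    """Count odd-second timestamps and give the chance that this many
    one-second-resolution timestamps would all be even by coincidence."""
    n = len(timestamps)
    odd = sum(1 for t in timestamps if t.second % 2)
    return {
        "files": n,
        "odd_seconds": odd,
        "all_even": n > 0 and odd == 0,
        "chance_if_random": Fraction(1, 2 ** n),
    }


# Constructed sample: last-modified times at one-second resolution.
SAMPLE = [
    datetime(2016, 5, 23, 9, 15, 1),
    datetime(2016, 5, 23, 9, 15, 7),
    datetime(2016, 5, 25, 13, 45, 30),
    datetime(2016, 5, 25, 13, 45, 59),
    datetime(2016, 5, 26, 18, 2, 12),
    datetime(2016, 5, 26, 18, 2, 43),
]

if __name__ == "__main__":
    before = parity_report(SAMPLE)
    after = parity_report([through_fat(t) for t in SAMPLE])
    print("original :", before)
    print("after FAT:", after)
```

An all-even result shows only that a 2-second-resolution timestamp format was applied to the files at some point; it does not identify the device, the date of the copy, or the person.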

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Elvis » Fri Mar 22, 2019 1:40 pm

Solid stuff from VIPS, thanks for posting.

norumbega commented:
8. Murray says that Julian Assange’s statement about Seth Rich reflects concern that Rich may have been killed on orders of someone who _thought_ he was the leaker – whether correctly or incorrectly.

and I thought of this:
JP email - make example - 3.png
"Frankly, I don't think it's a good idea but the sums proposed are enormous."

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Marionumber1 » Fri Mar 22, 2019 2:38 pm

I have to say that as oddly-timed as Seth Rich's murder was, there is fairly little basis to suspect that he leaked the DNC emails. His job at the DNC had nothing to do with IT. Seth Rich was the data director for the Voter Expansion Project, a DNC division which focused on registering new voters and fighting voter suppression, meaning that he handled things like voter databases and incident reports. In fact, the nature of his job suggests a much more plausible motive for assassinating him if his death was a hit: Seth likely stumbled across the voter suppression against Bernie Sanders supporters during the 2016 primaries. In state after state, 2016 Dem primary voters found their voter registration info had been inexplicably changed leaving them unable to vote, and the people afflicted by this were almost universally Bernie supporters. Pratt Wiley, the DNC's national voter expansion director, confirmed that he and his staff did look into these voting issues. Such an investigation would have almost certainly included Seth Rich, who was concerned with very similar issues prior to 2016. Might Seth Rich have come across evidence that these voting issues were not errors but intentional disenfranchisement?

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Belligerent Savant » Tue Mar 26, 2019 3:51 pm

. ... vips-reply

[Disclaimer: while the arguments made by VIPS are certainly sound, I am hesitant to accept any reporting/analysis by current -- or former -- intelligence agents. As I mentioned in another thread, this entire operation can be a smokescreen by all sides involved.]

Why This Is Important
by William Binney, Skip Folden, Ed Loomis, Ray McGovern, and Kirk Wiebe

We Veteran Intelligence Professionals for Sanity (VIPS) scientists make our technical judgments based on given facts and do not speculate without a factual basis. The main issue here is: Who gave the DNC e-mails to WikiLeaks? “Handpicked” analysts from three intelligence agencies “assess” that the Russians hacked into the DNC, but provide no hard evidence for this.

We think back to the evidence-free “assessments” 15 years ago before the attack on Iraq. Several “high-confidence” intelligence judgments had been fraudulently “fixed” to dovetail with the Bush/Cheney agenda for war. In June 2008, the chair of the Senate Intelligence Committee released a bipartisan report five years in the making. Mincing no words, he wrote: “In making the case for war, the Administration repeatedly presented intelligence as fact when in reality it was unsubstantiated, contradicted, or even non-existent.”

We worry that this may be happening again. Adding to our concern, in recent years we have seen “false-flag” attacks carried out to undergird a political narrative and objective—to blame the Syrian government for chemical attacks, for example. Forensic evidence suggests that this tried-and-tested technique (in this instance, simply pasting in a Russian template with “telltale signs”) may have been used to “show” that Russia hacked into the DNC computers last June.

For more than a year, we have been pointing out that any data acquired by a hack would have had to come across the Internet. The blanket coverage of the Internet by the NSA, its UK counterpart GCHQ, and others would be able to produce copies of that data and show where the data originated and where it went. But US intelligence has produced no evidence that hacking by Russia led to it acquiring the DNC e-mails and passing them on to WikiLeaks.

Historically, the United States has disclosed classified information when it has suited its purposes. One need not go all the way back to the release of U-2 photography during the Cuban missile crisis, or to President Ronald Reagan’s decision to sacrifice a lucrative source (which enabled us to intercept and decipher Libyan communications) to prove that Libya was behind the April 5, 1986, bombing of a Berlin disco that killed two and wounded 79 US servicemen. Much more recently, in 2014 and 2015, the United States released significant details to verify the successful hack by which China stole over 21.5 million official records, including security background investigations, from the Office of Personnel Management.

Independent research into the metadata associated with the July 5, 2016, cyber-event that was blamed on “Russian hacking” shows that what actually took place was a copy onto an external storage device, and that the copy took place on the East Coast of the United States by someone with physical access to the DNC server or computers. Most curiously, the FBI did not have access to the DNC computers to do its own forensics, even though prominent politicians were calling the alleged Russian hack “an act of war.”

After examining the recent forensic findings, Skip Folden, co-author of the VIPS memo titled “Was the ‘Russian Hack’ an Inside Job?,” sent a more detailed technical report to the offices of Special Counsel Robert Mueller and of Attorney General Jeff Sessions, asking them to investigate the latest findings.

We will not dwell on the nontechnical evidence at hand, but we would be remiss if we did not mention something that has recently been in the public eye. Julian Assange has denied that the source is the Russian government or any other state party, and, truth be told, his record of credibility compares favorably with the records of those who demonize him. An associate of Assange, former UK ambassador Craig Murray, has said the WikiLeaks source was a leak from an insider. “To my certain knowledge,” said Murray, “neither the DNC nor the Podesta leaks involved Russia.” Oddly, Murray has not been questioned by any US official or journalist.

Commentary on the Dissenting Memo

What follows are our comments on the dissenting memo written by Thomas Drake, Lisa Ling, Cian Westmoreland, Philip M. Giraldi, and Jesselyn Radack.

In the words of the memo:

[T]he intelligence-community assessment from January 6, 2017, which reflects the judgment of the CIA, the FBI, and the NSA, asserts as fact (absent categorical proof or evidence) that “Guccifer 2.0” accessed data from the DNC through a “cyber operation.” This could mean via the network, the cloud, computers, remote hacking, or direct data removal. However, “Guccifer 2.0” claimed access to the DNC server through remote hacking.

With this statement at the outset, the dissent injects uncertainty about what the words “cyber operation” might include in a way that clearly implies that the Russians could have gotten the DNC e-mails in some way other than through an Internet hack—a very key point. Yes, the January 6 report does use the phrase “cyber operation,” but President Obama’s intelligence chiefs, including former FBI director James Comey, have testified under oath that they accept CrowdStrike’s analysis regarding a “hack.” Moreover, intelligence officials have briefed The New York Times, The Washington Post, and other major news outlets about the alleged Russian role in a hack. In this light, focusing on the phrase “cyber operation” amounts to a word game.

Moreover, does the dissent have proof that the “Guccifer 2.0” “claim” is not fake news? Is the writer of the post at “Guccifer 2.0” actually the person(s) responsible for the data heist? The intelligence-community assessment was not backed up with facts; we cannot believe what it says until technical evidence is provided to prove it.

In the words of the memo:

The third-party analysis of the “Guccifer 2.0” claims (including Adam Carter’s and the Forensicator’s) analyzed in the VIPS memo directly contradict these conclusions (while raising legitimate questions), but the VIPS memo asserts as a “slam dunk” fact the categorical conclusion of a local leak that is also not supported by the third-party analysis, either.

If we understand this sentence correctly, and the “third-party” analysis refers to the Forensicator, this assertion is wrong. From the data given, the analysis does support the conclusion, as it demonstrates that the Internet on July 5, 2016, could not support such an international hack.

In the words of the memo:

There is also no evidence from the available metadata that can definitively state when the transfer or copying of the data took place, nor does the data prove that “Guccifer 2.0” had direct access to the DNC server or that the data was located on the DNC system when it was allegedly copied on July 5, 2016.

We have no evidence that the July 5 data was manipulated. Nor does the dissent present any. Furthermore, “Guccifer 2.0” bracketed it with his July 4 and 6 posts, which are repeatedly ignored by the dissent. The independent analysis makes no claim that “Guccifer 2.0” had direct access to the DNC server or that the data was located on the server at that time. The transfer rate was independent of the physical location of the data at the time of copy.

In the words of the memo:

The implications of this leap-to-conclusions analysis of the VIPS memo—which centers on claiming as an unassailable and immutable fact that the DNC “hack” was committed by an insider with direct access to the DNC server, who then deliberately doctored data and documents to look like a Russian or Russia-affiliated actor was involved, and therefore no hack occurred (consequently, ipso facto, the Russians did not do it)—are contingent on a fallacy.

There had to be direct access to the DNC server at some point, for that repository was the source of the data. The authors of the dissent are confusing the July 5 and June 15 incidents, for it was the latter that experienced the deliberate insertion of Russian “fingerprints.”

In the words of the memo:

Data-transfer speeds across networks and the Internet measured in megabits per second (or megabytes per second) can easily achieve rates that greatly exceed the cited reference in the VIPS memo of 1,976 megabytes in 87 seconds (∼22.71 megabytes per second or ∼181.7 megabits per second), and well beyond 50 megabytes depending on the capacity of the network and the method of access to that network. Speeds across the network vary greatly, and sustained write speeds copied out to local devices are often quite a bit slower.

The dissent misses the key point of the difference between available speeds in early July 2016 and now. In addition, the above shows no awareness of the degradation of speed with distance and no awareness of the problem of transoceanic connections.

In the words of the memo:

The environment around Trump, Russia, et al. is hyperpolarized right now, and much disinformation is floating around, feeding confirmation bias, mirroring and even producing conspiracy theories.

However, this VIPS memo could have easily raised the necessary and critical questions without resorting to law-of-physics conclusions that claim to prove beyond any shadow of a doubt that it was an inside-network copy only and then asserting the “fact” that the Russians (or anybody else for that matter) did not hack the DNC.

The authors of the dissent may not like the conclusions, but that is exactly what the independent analysis demonstrated, not just via metadata but also by actual network field tests.

In the words of the memo:

In addition, no qualifiers, disclaimers, or dissenting views are provided in the VIPS memo, nor is any alternative theory presented.

The conclusions of our VIPS memo were definitive and included extensive support data if one looks at the websites that were referred to. The writers of the dissent made no attempt to weigh in on the article with a dissenting view or an alternate theory prior to publication of the VIPS memo. Like everyone else, they had two weeks.

In the words of the memo:

It is important to note that it’s equally plausible that the cited July 5, 2016, event was carried out on a server separate from the DNC or elsewhere, and with data previously copied, transferred, or even exfiltrated from the DNC.

Yes, the claimed “hack” could have been done on a secondary computer (not “server”), but in either case had to come originally from the DNC server. This has no effect on the transfer rate, which precluded a “hack”—a point the authors of the dissenting memo keep missing.

In the words of the memo:

However, independent of transfer/copy speeds, if the data was not on the DNC server on July 5, 2016, then none of this VIPS analysis matters (including the categorically stated fact that the local copy was acquired by an insider) and simply undermines the credibility of any and all analysis in the VIPS memo when joined with this flawed predicate.

The dissent refers to “independent of transfer/copy speeds,” but one cannot simply ignore them, as if they were irrelevant. Also, again, the “Guccifer 2.0” July 4 and 6 posts are being ignored. The dissent’s argument ignores the fact that on July 5, the data was transferred at a speed not obtainable from East Coast ISPs. The transfer rate, however, is entirely consistent with a USB port connected to a portable device such as a thumb drive.

As the author of The Nation article pointed out, our investigations continue. Recent data analysis gives additional support to our key finding—namely, that the speed of the data transfer from the DNC server (22.7 megabytes per second) far exceeded the capability of the Internet in early July 2016. We have now learned that the 22.7-megabytes-per-second speed was merely the average rate for the duration of the data transfer, and that a peak rate of 38 megabytes per second was reached during that transfer. A copy to a thumb drive could handle that peak speed; an Internet hack attempted from abroad could not.

In the words of the memo:

In addition, a subsequent post by the “Forensicator” actually backs away from the VIPS memo and provides additional caveats, including the following statements (among several):

“The Guccifer 2.0 NGP/VAN Metadata Analysis describes a copy operation that (based on the metadata) occurred in the early evening on July 5, 2016. No claim is made in the report that the data might not have been copied earlier nor whether it might have been copied or leaked.”

This is correct, but has no bearing on the conclusions. Direct access was required in either case, whether the alleged “hack” occurred on the DNC server or on a copy made earlier by a person with direct access. The Forensicator is trying, with these later details, to assist those who were confused.

In the words of the memo:

Furthermore, a recent article in the New York Post raises the specter of yet other alternative paths for one or more DNC data breaches. Scott Ritter, a VIPS member, also wrote an article in Truthdig that takes issue with the centerpiece claims of the VIPS memo.

He did, and without mentioning it to VIPS colleagues more technically experienced in these issues. And the Truthdig article contained misstatements of fact, as detailed in e-mails sent within VIPS, including to Ritter, on July 31 regarding claims that the VIPS conclusions are not supported by data, that the transfer rate is irrelevant, etc. It is not clear why the authors of the dissent think that referring to that article poses any challenge to the technical basis for the conclusion that the July 5 metadata was extracted onto a thumb drive. Again, no facts are presented to infer another path.

In the words of the memo:

The bottom line: This VIPS memo was hastily written based on a flawed analysis of third-party analyses and then thrown against the wall, waiting to see if it would stick. This memo could have cited the critical questions raised in the third-party analyses of “Guccifer 2.0” while also asking why the three US intelligence agencies have yet to provide any actual hard proof following their January 6, 2017, assessment.

Flawed analysis? The dissent has presented no evidence of that. Many of the points raised suggest the authors do not fully understand the analysis. With respect to the alleged hacking and the intelligence-community assessment, the VIPS memo pointed to the parallel report to both the Office of Special Counsel and the attorney general, which covers those issues.

In the words of the memo:

The VIPS memo is now increasingly politicized because the analysis itself was politicized. In an ideal world, VIPS would at least retract its assertion of certainty. It only deals with alleged “Guccifer 2.0” hacking and makes the classic apples-versus-oranges mistake. In an ideal world, VIPS would at least retract its assertion of certainty. Absent real facts regarding proof of leaks or hacks (or both), how many hypotheses can one copy onto the head of a digital pin?

This paragraph is not only misleading, it also impugns the core apolitical nature of VIPS. Again, the dissent seems confused about the main subjects of this discussion and the VIPS memo’s key conclusion—that the July 5, 2016, intrusion into the DNC e-mails, which was blamed on Russia, could not have been a hack—by Russia or anyone else. In that very important forest it is difficult to see through all the bushes and trees on which the dissent chooses to focus.


Belligerent Savant
Posts: 2633
Joined: Mon Oct 05, 2009 11:58 pm
Location: North Atlantic.

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Tue Mar 26, 2019 8:25 pm

Cheers, all... interesting stuff.

Just to clarify, the Drake/Ritter/Ling et al 'dissenting' memo and the VIPS memo to which it refers date from summer 2017 and concern transfer speeds... The FAT 'even numbered seconds findings' are apparently (much) more recent, originating from the Forensicator around August 2018?

I concur with your disclaimer... I wouldn't personally trust any of these people to tell me the time. ;)

(There was a piece from the Forensicator last month that you might find worth a read).
Posts: 633
Joined: Mon Jan 22, 2007 9:19 am
Location: UK
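As an added illustration (not code from the Forensicator, VIPS or any poster in this thread), the sketch below shows how the average and peak transfer rates quoted in the memo exchange above can be derived from file last-modified times, and what 2-second timestamp resolution, the FAT property behind the "even numbered seconds" finding mentioned in the preceding post, does to such an estimate. The listing is constructed to reproduce the quoted 1,976 megabytes in 87 seconds; the function names, the decimal-megabyte unit and the premise that the copy stamped each file with its write time are assumptions of this example.

```python
from datetime import datetime, timedelta

MB = 1_000_000  # assumption: decimal megabytes; the thread does not say which unit


def sample_listing():
    """Constructed (mtime, size_bytes) pairs, NOT the real archive metadata.

    Sized so the totals match the figures quoted in the thread:
    1,976 MB written over 87 seconds, including a 10-second burst.
    """
    start = datetime(2016, 7, 5, 18, 0, 0)  # arbitrary start time (constructed)
    entries = [(start, 10 * MB)]            # first file, finished at t = 0
    for sec in range(1, 88):
        if 40 <= sec <= 49:
            size = 38 * MB                  # burst
        elif 50 <= sec <= 57:
            size = 27 * MB
        else:
            size = 20 * MB
        entries.append((start + timedelta(seconds=sec), size))
    return entries


def _span(entries):
    """Return (bytes written after the first timestamp, elapsed seconds).

    Premise: the copy tool set each mtime when it finished writing the file
    (tools that preserve source mtimes make this analysis meaningless).
    Files stamped with the first timestamp were written before the measured
    interval began, so their bytes are excluded.
    """
    ordered = sorted(entries)
    first = ordered[0][0]
    elapsed = (ordered[-1][0] - first).total_seconds()
    if elapsed <= 0:
        raise ValueError("need at least two distinct timestamps")
    moved = sum(size for t, size in ordered if t > first)
    return moved, elapsed


def average_rate(entries):
    """Average bytes per second between the first and last mtime."""
    moved, elapsed = _span(entries)
    return moved / elapsed


def peak_rate(entries, window_s):
    """Highest bytes per second over any window of window_s seconds.

    Bytes are attributed to the second a file finished, so a window that is
    short compared with the time a large file takes to write overstates the peak.
    """
    if window_s <= 0:
        raise ValueError("window must be positive")
    ordered = sorted(entries)
    best, running, lo = 0.0, 0, 0
    for t, size in ordered:
        running += size
        # Drop files that finished window_s or more seconds before this one.
        while (t - ordered[lo][0]).total_seconds() >= window_s:
            running -= ordered[lo][1]
            lo += 1
        best = max(best, running / window_s)
    return best


def quantize(entries, step_s=2):
    """Floor each mtime to a multiple of step_s seconds (step_s must divide 60).

    Models a filesystem that stores mtimes at 2-second resolution, as FAT
    does; whether a given OS floors or rounds up is not modelled here.
    """
    return [(t - timedelta(seconds=t.second % step_s, microseconds=t.microsecond), size)
            for t, size in entries]


def all_even_seconds(entries):
    """True if every mtime falls on an even whole second.

    For n files with independent 1-second timestamps this happens by chance
    with probability 2**-n, which is why it points to 2-second storage.
    """
    return all(t.second % 2 == 0 and t.microsecond == 0 for t, _ in entries)


def rate_bounds(entries, resolution_s):
    """(low, high) average rates consistent with timestamps that are each
    only known to within resolution_s seconds."""
    moved, elapsed = _span(entries)
    if elapsed <= resolution_s:
        raise ValueError("interval too short for this timestamp resolution")
    return moved / (elapsed + resolution_s), moved / (elapsed - resolution_s)


if __name__ == "__main__":
    listing = sample_listing()
    avg = average_rate(listing)
    print(f"average: {avg / MB:.2f} MB/s = {avg * 8 / MB:.1f} Mbit/s")
    for w in (10, 20):
        print(f"peak over {w:>2}s window: {peak_rate(listing, w) / MB:.1f} MB/s")
    coarse = quantize(listing)
    low, high = rate_bounds(coarse, 2)
    print(f"all even seconds after 2s quantization: {all_even_seconds(coarse)}")
    print(f"average from 2s-resolution stamps: {low / MB:.2f} to {high / MB:.2f} MB/s")
```

The peak figure depends on the window chosen, so a quoted peak rate is only comparable to another when both state the window they were measured over.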

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Wed Apr 03, 2019 3:08 am

I hadn't caught this before, but Adam Carter recently did a nice indexed* summary of where we're at regarding various aspects of this:

Guccifer 2.0 Game Over – Year End Review

December 25, 2018 Adam Carter

It’s almost two years since I started investigating Guccifer 2.0.

Since then, largely thanks to several other independent researchers and their contributions, much has been discovered. The purpose of this article is to go back over all of the discoveries made during the last two years, as well as the various challenges received, and to provide an up-to-date status on the validity of different areas of research into Guccifer 2.0. The articles and findings at issue are as follows:

Guccifer 2.0’s First Documents

NGP-VAN Archive Study

CF.7z Archive Study

Language Analysis

Blogging & Social Media Activity

Potential Ties To DCLeaks

E-Mail Suggesting Operations In US Time Zone

Loaded For Guccifer – UCT +3

West Coast Fingerprints

Impact Of Documents Released

Guccifer 2.0’s Russian Fingerprints

Determination To Attribute Self To WikiLeaks, DCLeaks, etc.

CrowdStrike’s Absence Of Evidence

Mueller’s Indictment

GRU Frames Russia & Manufactures Evidence To Support CrowdStrike?

(*not all of the indexing works correctly - you may have to scroll down).

tl:dr? :

Year-End Conclusion

In summary, evidence indicated that the Guccifer 2.0 persona was operated by someone that wanted to prop up the claims being made by CrowdStrike to the extent that they fabricated evidence and falsified claims in support of statements that had been made by CrowdStrike executives. They wanted to be perceived as Russian and wanted to be attributed to WikiLeaks from the day they emerged.

Guccifer 2.0’s now-exposed objectives do not correlate with the motives of the GRU: they do correlate with the motives that other groups and individuals (based in the United States) would have had at the precise moment in time he appeared.

While I may suspect certain individuals of involvement in this, what I suspect doesn’t matter much. What matters is that the evidence uncovered shows that there is justification for an independent and impartial investigation into the many anomalies of Guccifer 2.0. It also suggests we may not be getting entirely accurate information from the Mueller probe regarding who was really behind the persona.
Posts: 633
Joined: Mon Jan 22, 2007 9:19 am
Location: UK

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Thu Apr 18, 2019 6:53 pm

Yet more from The Forensicator... a fair bit to absorb (I'm still absorbing), but, I dare say, a lot more interesting than sifting through some 448 page fantasy novel looking for something new or concrete. ;)

Sorting the WikiLeaks DNC Emails

A new report analyzes the metadata associated with the DNC email collection published by WikiLeaks. The introduction and conclusions from that report are summarized below. Please refer to the report for technical details and other observations and conclusions not found in this summary.

We review the DNC email collection published by Wikileaks. We attribute each email to one of ten (10) DNC staffers. This is new research – some journalists and researchers have suggested that the WikiLeaks DNC email collection disclosed the emails of ten staffers, but this report is the first to provide detailed attribution.

We use this attribution of particular emails to DNC staffers to build an email acquisition timeline. The timeline that we develop stands at odds with statements made in the DOJ indictment of twelve (12) Russian intel (GRU) officers. The indictment timeline does not account for over two-thirds of the DNC email collection. We also observe that the indictment implies connections between various facts, but seldom makes specific definitive statements that might be derived from those facts.

For example, the indictment introduces the idea that a “1Gb or so” archive was transmitted from Guccifer 2 to WikiLeaks and gives the impression that this archive might have been the source of the WikiLeaks DNC email publications but never states this as fact. We show that this Zip file is too small to hold the entire DNC email collection, which rules it out as the source of the WikiLeaks DNC emails.


Excerpts from the July 13, 2018 indictment of 12 GRU agents follow. (Emphasis added.)

29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

47 (b). After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 [WikiLeaks] an email with an attachment titled “wk dnc linkl.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 [WikiLeaks] confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

48. On or about July 22, 2016, Organization 1 [WikiLeaks] released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email, released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.

A few observations and comments:

  • The indictment makes no mention of the May 23 ex-filtration of DNC emails (which contributes over two-thirds of the WikiLeaks DNC email collection). The indictment’s timeline starts on May 25.
  • Based on our analysis of the DNC emails, we see no signs of activity in the May 26 through June 1 timeframe mentioned in the indictment. The indictment offers no specifics on what may have transpired from May 26 through June 1.
  • The indictment’s statement – “[the] same day [May 25] the Conspirators hacked the DNC Microsoft Exchange Server” implies only a single hacking event, apparently ignoring evidence that 70% of the emails were acquired on May 23.
  • “Approximately the same day” in combination with the statement “between [..] May 25, 2016 and June 1, 2016” leaves open the possibility that a separate hack of the Exchange server may have happened on or after May 25 – this event is hypothetically the subject of the indictment. We see no evidence of a third acquisition event when we analyze the WikiLeaks DNC email collection. Yet its existence would explain the apparent discrepancy between our observations and the statements made in the indictment.
  • The indictment says “During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.” (Emphasis added.) If “that time” is May 25 through June 1, how would this explain the ex-filtration of the DNC emails that were collected on May 23, which make up over two-thirds of the DNC emails published by WikiLeaks?
  • The indictment offers no rationale on why those particular ten (10) individuals who appear in the WikiLeaks DNC email collection were chosen; it doesn’t mention any specific individuals.
  • Wouldn’t the DNC executive staff (DWS and Brazile, for example) have been higher value targets? Why the emphasis on Finance? Why not system administration, where we might have learned about the DNC’s coordination with Crowdstrike and/or the FBI?
  • The indictment doesn’t tell us how the perpetrators gained access to the DNC Exchange server or their level of access. In a properly configured system, administrative privileges would be required to access individual mailboxes on the Exchange server. On some systems, mail administrators need additional privileges in order to access the Exchange server.
  • Although the indictment states that Yermakov “researched PowerShell commands related to accessing and managing the Microsoft Exchange Server”, it does not say exactly how the emails were exported (or even if PowerShell was used).
  • The indictment mentions several separate events, but does not pull them together into a succinct claim: (1) failed attempts by Guccifer 2.0 to deliver DNC documents to DNC, (2) transmission of a “1Gb or so archive” to WikiLeaks, (3) A statement that is a summary but not a direct quote that says “[WikiLeaks] would make a release of the stolen documents” followed by the quoted phrase “this week”, (4) “On or about July 22, 2016, Organization 1 [WikiLeaks] released over 20,000 emails and other documents stolen from the DNC network by the Conspirators”, (5) “Organization 1 did not disclose Guccifer 2.0’s role in providing them”.
  • Although a connect-the-dots interpretation suggests that the DNC emails were the “documents” provided by Guccifer 2, nowhere does the indictment make a simple, clear claim along the lines “On July 22, 2016 Company 1 [WikiLeaks], published the emails taken by the Conspirators on May 25, when they hacked the DNC Exchange Server.” Further the statement that WikiLeaks “did not disclose Guccifer 2.0’s role in providing them”, alludes to the idea that Guccifer 2.0 provided them, but the indictment never states this as fact.
  • The indictment makes no mention of the second and last WikiLeaks document release, published on November 6, 2016. As we have shown, this DNC email release was approximately equal in size and document count to the first email dump published on July 22, 2016. All the documents in this last November 6 release appear to have been acquired on May 23 (not May 25 as claimed in the indictment).
  • The indictment describes an encrypted email attachment sent to WikiLeaks by Guccifer 2 on July 14, 2016. We are told that “[this] encrypted file contained instructions on how to access an online archive of stolen DNC documents”. If this file were encrypted with WikiLeaks’ public key, we wonder if the Special Counsel’s investigators had the capability of decrypting this attachment, or if they were speculating about its contents?
  • The “1Gb or so” archive mentioned in the indictment was too small to hold the entire DNC email collection. Further, although the indictment implies that this Zip file may have contained the DNC emails, the indictment never directly states that this Zip file was the source of the DNC email collection.
Posts: 633
Joined: Mon Jan 22, 2007 9:19 am
Location: UK

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Mon Apr 22, 2019 5:47 pm

A fairly concise rough summary of where we're at so far?

Posted by u/veganmark
3 days ago
Here's the Entire Discussion of Seth Rich in the Mueller Report

d. WikiLeaks Statements Dissembling About the Source of Stolen Materials (pp.48-49)

As reports attributing the DNC and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made several public statements apparently designed to obscure the source of the materials that WikiLeaks was releasing. The file-transfer evidence described above and other information uncovered during the investigation discredit WikiLeaks's claims about the source of material that it posted.

Beginning in the summer of 2016, Assange and WikiLeaks made a number of statements about Seth Rich, a former DNC staff member who was killed in July 2016. The statements about Rich implied falsely that he had been the source of the stolen DNC emails. On August 9, 2016, the @WikiLeaks Twitter account posted: "ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for information leading to conviction for the murder of DNC staffer Seth Rich." Likewise, on August 25, 2016, Assange was asked in an interview, "Why are you so interested in Seth Rich's killer?" and responded, "We're very interested in anything that might be a threat to alleged Wikileaks sources." The interviewer responded to Assange's statement by commenting, "I know you don't want to reveal your source, but it certainly sounds like you're suggesting a man who leaked information to WikiLeaks was then murdered." Assange replied, "If there's someone who's potentially connected to our publication, and that person has been murdered in suspicious circumstances, it doesn't necessarily mean that the two are connected. But it is a very serious matter ... that type of allegation is very serious, as it's taken very seriously by us."

After the U.S. intelligence community publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking. According to media reports, Assange told a U.S. congressman that the DNC hack was an "inside job," and purported to have "physical proof" that Russians did not give materials to Assange.

It should be noted that Mueller never made any attempt to interview Assange regarding the alleged proof he had for his assertions, nor to interview either Craig Murray or Kim Dotcom, both of whom claim to have knowledge of the sources.

As I have noted too many times, the Mueller indictment of GRU agents, which claims that Guccifer 2.0 was a Russian agent who transferred the DNC documents to Wikileaks, is wholly lacking in credibility. ... 06ef955406

With respect to Guccifer 2.0, the report assumes that this persona represents the GRU – failing to cite any of the independent cyberanalysis from Adam Carter and the Forensicator pointing to Guccifer 2.0 as operating in American time zones, making file transfers strongly suggestive of thumbdrive retrievals, purposely adding “Russian fingerprints” to the meta-data of some of his releases, and making an incompetent and inconsistent attempt to impersonate a native Russian speaker. Also, it does not question why GRU agents would have any need to invent such a blustering persona (whereas G2.0 makes perfect sense if we assume that he was trying to incriminate Russian hackers as responsible for the upcoming DNC releases).

With respect to the alleged transfer of DNC emails from G2.0 to Wikileaks, the indictment states:
On July 14, 2016, GRU officers used a Guccifer 2.0 email account to send WikiLeaks an email bearing the subject "big archive" and the message "a new attempt." The email contained an encrypted attachment with the name "wk dnc link I .txt.gpg." Using the Guccifer 2.0 Twitter account, GRU officers sent WikiLeaks an encrypted file and instructions on how to open it. On July 18, 2016, WikiLeaks confirmed in a direct message to the Guccifer 2.0 account that it had "the 1 Gb or so archive" and would make a release of the stolen documents "this week." On July 22, 2016, WikiLeaks released over 20,000 emails and other documents stolen from the DNC computer networks. The Democratic National Convention began three days later.

In fact, this narrative makes no sense whatever, inasmuch as Assange had announced the impending release of “Hillary-related materials” on June 12th, over a month before the report alleges that G2.0 transferred the documents to Wikileaks. If the report is correct, we have to assume that, either Assange is psychic, or G2.0 had contacted Wikileaks sometime prior to June 12th – a contact for which Mueller evidently has no evidence – to inform him of his plan to transmit the emails. But this would require Assange to announce the impending release of emails he had not seen, from a source of dubious provenance. Anyone who appreciates Wikileaks’ careful curation and authentication of the documents it releases will realize that this is absurd. Furthermore, the report’s scenario would have required Wikileaks to have verified the absolute authenticity of over 20K documents and as many attachments in 4 days, which sounds ridiculous, given the long amount of time required to vet the Podesta emails released subsequently.

Furthermore, it is peculiar that neither the report nor the indictment offers a complete quote of Wikileaks’ message to G2.0, excerpting only the phrases “the 1 Gb or so archive” and “this week”. And the Forensicator has just recently determined that the size of the DNC emails and attachments released by Wikileaks on July 22nd was well in excess of 2 Gb – not “1 Gb or so”. Moreover, the report provides no proof that what G2.0 allegedly transferred to Wikileaks was in fact the DNC emails. G2.0 may well have contacted Wikileaks to leave a trail that might be interpreted as evidence of his transmittal of the DNC documents – which is precisely how Mueller has interpreted this.

Mueller refers to "the U.S. intelligence community" as assessing that "Russia was behind the hacking operation". This is a lie. Assessments by the U.S. intelligence community are done in National Intelligence Assessments, which draw on contributions from all of the intelligence agencies, and include dissents from individuals who disagree with the findings. The ICA dealing with the supposed Russian hacking of the DNC was created by an ad hoc group hand-picked by Russophobes Brennan and Clapper from just 3 of the intelligence agencies. Furthermore, the document itself includes a disclaimer that the "assessments" therein should not necessarily be considered to be proven facts. As Ray McGovern points out, "assess", in spyspeak, means "guess". Moreover, the fact that the inherently risible Steele Dossier was included as an appendix to the classified version at Brennan's insistence, tells you all you need to know about the reliability of the ICA.

We all remember that our Intelligence Community - in a formal NIE - once assured us that Saddam was sitting on a vast hoard of chemical weapons and a nascent nuclear weapons program. The unclassified version of the report gave the impression that the conclusion was unanimous - but in fact the classified versions contained a number of dissenting opinions, of which the public was not informed. Robert Mueller was one of those who assured the American public that Saddam had WMDs.

And here's something else peculiar about Mueller's (redacted) report - the name "Crowdstrike" only appears in two footnotes citing a blog post by Dmitri Alperovitch of that company: Bears in the Midst: Intrusion into the Democratic National Committee. Since only Crowdstrike examined the DNC servers, as the DNC would not allow them to be examined by the FBI, I can only presume that Mueller takes as gospel the claims of a DNC-hired computer security firm with close ties to the Russia-hating Atlantic Council - a company which had been shown to be completely wrong in its previous attribution of hacks to Russian intelligence. ... ch_in_the/

Postby alloneword » Mon May 13, 2019 5:51 pm

More from Adam Carter (or whatever his name is...) May 6, 2019

The Mueller Report - Expensive Estimations And Elusive Evidence

A snippet:

Conflict of Interest Inherent In The Investigation?

Would it seem like a conflict of interest if the person in charge of an investigation were friends with a witness and source of critical evidence relied upon by that investigation?

This is effectively the situation we have with the Special Counsel investigation because Robert Mueller and CrowdStrike's CSO (and President) Shawn Henry are former colleagues and friends.

Their history at the FBI is well known and their continued association after Henry had left the agency (having dinner together at an executive retreat) has been noted.

If nothing else, it's understandable for people to feel that the Special Counsel would have struggled to be truly impartial due to such relationships.


The Special Counsel seems to have been impervious to critical pieces of countervailing evidence (some of which demonstrates that Guccifer 2.0 deliberately manufactured Russian breadcrumbs) and they have failed to accurately account for the acquisition of WikiLeaks' DNC emails (missing the date on which approximately 70% of them were collected), which is, in itself, a stunning failure for a supposedly thorough investigation costing US taxpayers tens of millions of dollars.

There should have been a proper, thorough, independent and impartial investigation into the Guccifer 2.0 persona. The Special Counsel certainly hasn't done that job and, in retrospect, looks to have been ill-equipped (and perhaps somewhat reluctant) to do so from the outset.

A lot there, more than I can be arsed to format and post, so here's an alt link (SST) in case that goes dead: ... arter.html

Postby Belligerent Savant » Mon Jul 29, 2019 10:51 am


Largely recapping data points raised here in this thread and elsewhere, but a useful distillation of the issues with the Mueller report, particularly around 'Guccifer 2.0'. ... ng-claims/


CrowdStrikeOut: Mueller’s Own Report Undercuts Its Core Russia-Meddling Claims

by Aaron Maté


The report uses qualified and vague language to describe key events, indicating that Mueller and his investigators do not actually know for certain whether Russian intelligence officers stole Democratic Party emails, or how those emails were transferred to WikiLeaks.

The report’s timeline of events appears to defy logic. According to its narrative, WikiLeaks founder Julian Assange announced the publication of Democratic Party emails not only before he received the documents but before he even communicated with the source that provided them.

There is strong reason to doubt Mueller’s suggestion that an alleged Russian cutout called Guccifer 2.0 supplied the stolen emails to Assange.

Mueller’s decision not to interview Assange – a central figure who claims Russia was not behind the hack – suggests an unwillingness to explore avenues of evidence on fundamental questions.

U.S. intelligence officials cannot make definitive conclusions about the hacking of the Democratic National Committee computer servers because they did not analyze those servers themselves. Instead, they relied on the forensics of CrowdStrike, a private contractor for the DNC that was not a neutral party, much as “Russian dossier” compiler Christopher Steele, also a DNC contractor, was not a neutral party. This puts two Democrat-hired contractors squarely behind underlying allegations in the affair – a key circumstance that Mueller ignores.

Further, the government allowed CrowdStrike and the Democratic Party’s legal counsel to submit redacted records, meaning CrowdStrike and not the government decided what could be revealed or not regarding evidence of hacking.

Mueller’s report conspicuously does not allege that the Russian government carried out the social media campaign. Instead it blames, as Mueller said in his closing remarks, “a private Russian entity” known as the Internet Research Agency (IRA).

Mueller also falls far short of proving that the Russian social campaign was sophisticated, or even more than minimally related to the 2016 election. As with the collusion and Russian hacking allegations, Democratic officials had a central and overlooked hand in generating the alarm about Russian social media activity.

John Brennan, then director of the CIA, played a seminal and overlooked role in all facets of what became Mueller’s investigation: the suspicions that triggered the initial collusion probe; the allegations of Russian interference; and the intelligence assessment that purported to validate the interference allegations that Brennan himself helped generate. Yet Brennan has since revealed himself to be, like CrowdStrike and Steele, hardly a neutral party — in fact a partisan with a deep animus toward Trump.


Guccifer 2.0: A Sketchy Source

While Mueller admits he does not know for certain how the DNC emails were stolen or how they were transmitted to WikiLeaks, the report creates the impression that Russian intelligence cutout Guccifer 2.0 supplied the stolen material to Assange.

In fact, there are strong grounds for doubt. To begin with, Guccifer 2.0 – who was unknown until June 2016 – burst onto the scene to demand credit as WikiLeaks’ source. This publicity-seeking is not standard spycraft.

More important, as Raffi Khatchadourian has reported for The New Yorker, the documents Guccifer 2.0 released directly were nowhere near the quality of the material published by WikiLeaks. For example, on June 18, Guccifer 2.0 released documents that it claimed were from the DNC, “but which were almost surely not,” Khatchadourian notes. Neither was the material Guccifer 2.0 teased as a “dossier on Hillary Clinton from DNC.” The material Guccifer 2.0 initially promoted in June also contained easily discoverable Russian metadata. The computer that created it was configured for the Russian language, and the username was “Felix Dzerzhinsky,” the Bolshevik-era founder of the first Soviet secret police.

WikiLeaks only made contact with Guccifer 2.0 after the latter publicly invited journalists “to send me their questions via Twitter Direct Messages.” And, more problematic given the central role the report assigned to Guccifer 2.0, there is no direct evidence that WikiLeaks actually released anything that Guccifer 2.0 provided. In a 2017 interview, Assange said he “didn’t publish” any material from that source because much of it had been published elsewhere and because “we didn’t have the resources to independently verify.”

Mueller Didn’t Speak With Assange

Some of these issues might have been resolved had Mueller not declined to interview Assange, despite Assange’s multiple efforts.

According to a 2018 report by John Solomon in The Hill, Assange told the Justice Department the previous year that he “was willing to discuss technical evidence ruling out certain parties” in the leaking of Democratic Party emails to WikiLeaks. Given Assange’s previous denials of Russia’s involvement, that seems to indicate he was willing to provide evidence that Moscow was not his source. But he never got the chance. According to Solomon, FBI Director James Comey personally intervened with an order that U.S. officials “stand down,” setting off a chain of events that scuttled the talks.

Assange also made public offers to testify before Congress. The Mueller report makes no mention of these overtures, though it does cite and dismiss “media reports” that “Assange told a U.S. congressman that the DNC hack was an ‘inside job,’ and purported to have ‘physical proof’ that Russians did not give materials to Assange.”

Mueller does not explain why he included Assange’s comments as reported by media outlets in his report but decided not to speak with Assange directly, or ask to see his “physical proof,” during a two-year investigation.

No Server Inspection, Reliance on CrowdStrike

Before he nixed U.S. government contacts with Assange, Comey was implicated in another key investigative lapse – the FBI’s failure to conduct its own investigation of the DNC’s servers, which housed the record of alleged intrusions and malware used to steal information. As Comey told Congress in March 2017, the FBI “never got direct access to the machines themselves.” Instead, he explained, the bureau relied on CrowdStrike, a cybersecurity firm hired by the DNC, which “shared with us their forensics from their review of the system.”

While acknowledging that the FBI would “always prefer to have access hands-on ourselves, if that’s possible,” Comey emphasized his confidence in the information provided by CrowdStrike, which he called “a highly respected private company” and “a high-class entity.”

CrowdStrike’s accuracy is far from a given. Days after Comey’s testimony, CrowdStrike was forced to retract its claim that Russian software was used to hack Ukrainian military hardware. CrowdStrike’s error is especially relevant because it had accused the GRU of using that same software in hacking the DNC.

There is also reason to question CrowdStrike’s impartiality. Its co-founder, Dmitri Alperovitch, is a nonresident senior fellow at the Atlantic Council, the preeminent Washington think tank that aggressively promotes a hawkish posture towards Russia. CrowdStrike executive Shawn Henry, who led the forensics team that ultimately blamed Russia for the DNC breach, previously served as assistant director at the FBI under Mueller.

And CrowdStrike was hired to perform the analysis of the DNC servers by Perkins Coie – the law firm that also was responsible for contracting Fusion GPS, the Washington, D.C.-based opposition research firm that produced the now discredited Steele dossier alleging salacious misconduct by Trump in Russia and his susceptibility to blackmail.

A CrowdStrike spokesperson declined a request for comment on its role in the Russia investigation.

The picture is further clouded by the conflicting accounts regarding the servers. A DNC spokesperson told BuzzFeed in early January 2017 that “the FBI never requested access to the DNC’s computer servers.” But Comey told the Senate Select Intelligence Committee days later that the FBI made “multiple requests at different levels,” but for unknown reasons, he explained, those requests were denied.

While failing to identify the “different levels” he consulted, Comey never explained why the FBI took no for an answer. As part of a criminal investigation, the FBI could have seized the servers to ensure a proper chain of evidentiary custody. In investigating a crime, alleged victims do not get to dictate to law enforcement how they can inspect the crime scene.

The report fails to address any of this, suggesting a lack of interest in even fundamental questions if they might reflect poorly on the FBI.

The Mueller report states that “as part of its investigation, the FBI later received images of DNC servers and copies of relevant traffic logs.” But it does not specify how much “later” it received those server images or who provided them. Based on the statements of Comey and other U.S. officials, it is quite likely that they came from CrowdStrike, though the company gets only passing mention in the redacted report.

Asked for comment, Special Counsel spokesman Peter Carr declined to answer whether the Mueller team relied on CrowdStrike for its allegations against the GRU. Carr referred queries to the Justice Department’s National Security Division, which declined to comment, and to the U.S. Western District of Pennsylvania, which did not respond.

Redacted CrowdStrike Reports

While the extent of the FBI’s reliance on CrowdStrike remains unclear, critical details are beginning to emerge via an unlikely source: the legal case of Roger Stone – the Trump adviser Mueller indicted for, among other things, allegedly lying to Congress about his failed efforts to learn about WikiLeaks’ plans regarding Clinton’s emails.

Lawyers for Stone discovered that CrowdStrike submitted three forensic reports to the FBI that were redacted and in draft form. When Stone asked to see CrowdStrike’s un-redacted versions, prosecutors made the explosive admission that the U.S. government does not have them. “The government … does not possess the information the defendant seeks,” prosecutor Jessie Liu wrote. This is because, Liu explained, CrowdStrike itself redacted the reports that it provided to the government:

At the direction of the DNC and DCCC’s legal counsel, CrowdStrike prepared three draft reports. Copies of these reports were subsequently produced voluntarily to the government by counsel for the DNC and DCCC. At the time of the voluntary production, counsel for the DNC told the government that the redacted material concerned steps taken to remediate the attack and to harden the DNC and DCCC systems against future attack. According to counsel, no redacted information concerned the attribution of the attack to Russian actors.

In other words, the government allowed CrowdStrike and the Democratic Party’s legal counsel to decide what it could and could not see in reports on Russian hacking, thereby surrendering the ability to independently vet their claims. The government also took CrowdStrike’s word that “no redacted information concerned the attribution of the attack to Russian actors.”

According to an affidavit filed for Stone’s defense by Binney, the speed transfer rate and the file formatting of the DNC data indicate that they were moved on to a storage device, not hacked over the Internet. In a rebuttal, Stone’s prosecutors said that the file information flagged by Binney “would be equally consistent with Russia intelligence officers using a thumb drive to transfer hacked materials among themselves after the hack took place.” In an interview with RealClearInvestigations, Binney could not rule out that possibility. But conversely, the evidence laid out by Mueller is so incomplete and uncertain that Binney’s theory cannot be ruled out either. The very fact that DoJ prosecutors, in their response to Binney, do not rule out his theory that a thumb drive was used to transfer the material is an acknowledgment in that direction.

The lack of clarity around Mueller’s intelligence community sourcing might appear inconsequential given the level of detail in his account of alleged Russian hacking. But in light of the presence of potentially biased and politically conflicted sources like CrowdStrike, and the absence of certainty revealed in Mueller’s lengthy account, the fact that his sourcing remains an open question makes it difficult to accept that he has delivered definitive answers. If Mueller had the invasive window into Russian intelligence that he claims to, it seems incongruous that he would temper his purported descriptions of their actions with tentative, qualified language. Mueller’s hedging suggests a broader conclusion at odds with the report’s own findings: that the U.S. government does not have ironclad proof about who hacked the DNC.

Postby Grizzly » Mon Jul 29, 2019 11:52 pm

But my ¡¡¡∀ISS∩ɹ ∀ISS∩ɹ '∀ISS∩ɹ ...
If Barthes can forgive me, “What the public wants is the image of passion Justice, not passion Justice itself.”

Postby Belligerent Savant » Sat May 09, 2020 8:01 pm


Postby stickdog99 » Sun May 10, 2020 12:38 pm

But Mueller just repeated Crowdstrike's claims as 100% fact, even though these claims were based on nothing but Mook's and Podesta's spit balling? I am getting this right?

Postby Iamwhomiam » Sun May 10, 2020 1:31 pm


Postby Belligerent Savant » Sun May 10, 2020 1:52 pm


stickdog99 » Sun May 10, 2020 11:38 am wrote: But Mueller just repeated Crowdstrike's claims as 100% fact, even though these claims were based on nothing but Mook's and Podesta's spit balling? I am getting this right?

Indeed, among other fabulist concoctions.

We're an empire now, and when we act, we create our own reality. And while you're studying that reality—judiciously, as you will—we'll act again, creating other new realities, which you can study too, and that's how things will sort out. We're history's actors...and you, all of you, will be left to just study what we do.
- Karl Rove