BOMBSHELL: New Report Shows Guccifer 2.0-DNC Files Were Copied Locally—Not Hacked

Let me know when yall reach a conclusion.

a reply to: daskakik

Although I also wonder if this was the original copy of the data or an additional staging off their network. I was out today and haven't reread it and thought about that aspect more. As you mention, it might not be the only solution.

originally posted by: daskakik
a reply to: BlueAjah

Unless it wasn't, in which case the whole thing is wrong.

Have you downloaded and looked at the files?

Heck no. I don't download random files from the Internet, especially hot ones.

a reply to: BlueAjah

That seems to be full of ifs.

Not all the files have the same "download" date so why assume that it was used at all if it doesn't seem to have been used consistently?

a reply to: daskakik

Actually, I don't have a conclusion about that. I will consider the report in the analysis as a fair conclusion unless evidence arises to disprove it.

I had theorized that perhaps the information did not come directly from the email server. I think it might have been copied from a user's (or multiple users') personal computer, perhaps from a pst or other off-line storage of the emails.

The folder names "might" be folders within an Inbox on an email server, but I think they might be an organized off-line storage that a user made for their emails.

If they were copied on a LAN, or directly by plugging in a USB to the machine, then different copy methods might have been used at different times for different documents. Perhaps some files were copied via Windows from network shares that did not have correct permissions.

My one conclusion is that based on the multitude of evidence from the past months, I think that the leaks were from an inside source, not hacking from another country.

June 15, 2016 UPDATE:

CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016. On June 15, 2016 a blog post to a WordPress site authored by an individual using the moniker Guccifer 2.0 claimed credit for breaching the Democratic National Committee. This blog post presents documents alleged to have originated from the DNC.

Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents’ authenticity and origin. Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.

Link

Guccifer 2.0 NGP/VAN Metadata Analysis

This study analyzes the file metadata found in a 7zip archive file, 7dc58-ngp-van.7z, attributed to the Guccifer 2.0 persona.

From link in OP.

So the dates in the data are newer then the post by Guccifer on June 15, 2016.

Doesn't that shoot down the dates being valid for the original capture unless it is not the data mentioned by Guccifer on June 15, 2016?

Something doesn't seem correct.

a reply to: roadgravel

The file in this analysis was not released until September 2016. It was not released in June.

his 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016.

Security was severely lacking for DNC tech. Remember this?

Wasserman Schultz Threatened Police Chief

Wasserman Schultz Threatened Police Chief For Gathering Evidence On Her IT Staffer’s Alleged Crimes

Remember the Awan brothers?

The DNC did not know, or did not care, that criminals had administrative access to their systems. Who knows who else had access? Who knows what holes the Awan brothers left open for others to exploit?

originally posted by: BlueAjah
Actually, I don't have a conclusion about that. I will consider the report in the analysis as a fair conclusion unless evidence arises to disprove it.

You don't have a conclusion but you will consider the report a fair conclusion? Sorry but that means you have a conclusion.

I had theorized that perhaps the information did not come directly from the email server. I think it might have been copied from a user's (or multiple users') personal computer, perhaps from a pst or other off-line storage of the emails.

The folder names "might" be folders within an Inbox on an email server, but I think they might be an organized off-line storage that a user made for their emails.

If they were copied on a LAN, or directly by plugging in a USB to the machine, then different copy methods might have been used at different times for different documents. Perhaps some files were copied via Windows from network shares that did not have correct permissions.

Those are the ifs I was talking about.

My one conclusion is that based on the multitude of evidence from the past months, I think that the leaks were from an inside source, not hacking from another country.

And there is yet another conclusion and based on circumstances that are unknown.

originally posted by: BlueAjah
a reply to: roadgravel

The file in this analysis was not released until September 2016. It was not released in June.

his 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016.

But he said he had breached the network in a post in June 2016. That sounds like he states he had data before his post.

On June 15, 2016 a blog post to a WordPress site authored by an individual using the moniker Guccifer 2.0 claimed credit for breaching the Democratic National Committee. This blog post presents documents alleged to have originated from the DNC.

So if this data is not from those breaches before his post then it had to have been done again, after all the investigation.

edit:

The point being the dates used in the analysis don't seem to match the capture date.

a reply to: roadgravel

Aha! Think about that. They (biased CrowdSource) were turning everyone's focus to the email server.

What if the email server was not the source of the leaks, as I theorized above. The removal of information could have been an ongoing activity if it was actually coming from user's personal computers and laptops. Why should we assume that it was a once and done hack?



ETA: I have no doubts that when looking at email server logs they saw access attempts by Russian IP's. That happens every day all over the world. But that does not mean that the leaks came from that source, or that they came from Russia.

a reply to: RuffNick

I understand the difference. autocorrect doesn't seem to though.

a reply to: daskakik

I should clarify that my conditional acceptance of most of the conclusions is based upon the methods and evidence as presented in the analysis. My opinion could change if new information is presented.

a reply to: BlueAjah

Yes, that what I was getting at, in a roundabout way.

I still believe someone inside the network got the data and it was not he who claimed it.

a reply to: roadgravel

Guccifer 2.0 could be more than one person. It could be a person or persons who were working with Seth Rich or others.

a reply to: roadgravel

There are a couple of folders dated July/2016

and then a bunch dated Sept/2016

Nothing out of the ordinary to have spent months, with a slow connection, gathering data and then organizing in folders, with close modification dates before making the 7z file.

Those time-stamps don't prove anything.

a reply to: daskakik

I believe the report said the September dates were rar files. The rar files were created to compress and send the files dated July, etc..

a reply to: daskakik

Those time-stamps don't prove anything.

That could be part of what I was pointing out. Either the stamps are not the original capture or it was a breath after the alleged one found by June 2016.

a reply to: BlueAjah

The different dates on the rar files don't make you question the conclusions of the analysis?

How about this?; file "DNCBSDUserIDExport20090922.zip" is 50.2MB and the file that follows it, chronologically, is "CIR.zip".

It took almost 5.5 minutes to "copy" that file, according to the methods in the report.

Then "CIR.zip" which is only .66MB took 1 minute and 4 seconds to "copy". What happened to the 23MB/s transfer rate for those files?

a reply to: BlueAjah

Even in the site with the report, although seeing the files yourself would be better, you can see that there are compressed files dated both July and Sept and there are even loose files in the 7z file that are not part of any other rar or zip dated July.