Did The Department of Justice Misrepresent Digital Forensics Evidence?

Adam Carter --- June 21, 2019

Roger Stone's recent pushback against the DOJ (US Department of Justice) has been an interesting spectacle to watch, and it has brought to light an interesting revelation regarding the evidence that Mueller's Special Counsel relied on.

It turns out the Special Counsel relied on redacted drafts of CrowdStrike reports and that final versions were never provided.

Various sources have covered this in detail already.

However, the case has resulted in something that most journalists are unlikely to have caught on to.

On May 31, 2019, Politico reported on statements from the prosecution refuting Stone's defense:

"For example, allegations concerning the time stamps and the time signatures would be equally consistent with Russia intelligence officers using a thumb drive to transfer hacked materials among themselves after the hack took place," prosecutors wrote. "Similarly, the time zone analysis is wholly consistent with the fact that the victims were in the Eastern Daylight Time Zone, rather than providing any information regarding the location of the perpetrators." 

However, this seems to ignore the chronological order of evidence and seems to show a misunderstanding of how the Eastern timezone has been determined.

According to the evidence, files in Guccifer 2.0's NGP-VAN archive were transferred in bulk in July 2016. The speeds at which the files were transferred at that time were most consistent with a thumbdrive transfer.

Then, in September 2016, the files were sorted into new folders, the folders were archived, these archives were then moved by thumbdrive (based on the FAT-like rounding of timestamps to the nearest 2 seconds) and the contents of the thumbdrive were subsequently archived into a single file ahead of publication.

It is the archival activities, which followed the bulk transfer of files by nearly two months, that provide us with the Eastern timezone indication (it is determined from differences in the timestamp storage conventions of the different archival programs used). This indicator did not come from the victims being on the East coast.

So, the prosecution's refutation seems to be based on a misrepresentation of the evidence.

Going further, there is also additional evidence of Guccifer 2.0 operating with Eastern timezone settings in effect that I'm not sure has been cited but that I think should be.

A file published by Guccifer 2.0 on July 6, 2016 indicates that it was modified on the same day to add the name "Nguyễn Văn Thắng" to the metadata. However, this was done while Eastern timezone settings were in effect. (The version of LibreOffice that was used to edit the document has a glitch that causes local time to be recorded as though it's Zulu time; this, coupled with UTC time recorded elsewhere in the same DOCX container file, allowed the Eastern timezone setting to be identified.)
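The two timestamp inferences described above (the archive-convention comparison and the LibreOffice local-time-as-Zulu glitch) come down to the same arithmetic, shown here as an added example that is not the author's or any cited analyst's code. It assumes each pair holds two stamps for the same event, one local time carrying a "Z" label and one true UTC; all function names and sample values are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

QUARTER = timedelta(minutes=15)  # real UTC offsets are multiples of 15 minutes

def parse_z(stamp):
    """Parse an ISO-8601 'Z' timestamp exactly as labelled (as UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def implied_offset(local_as_z, true_utc, slack=timedelta(minutes=5)):
    """UTC offset in hours implied by a local time written with a 'Z' label.

    Returns None when the difference is not near a quarter-hour multiple,
    meaning the two stamps probably describe different events.
    """
    delta = parse_z(local_as_z) - parse_z(true_utc)
    snapped = round(delta / QUARTER) * QUARTER
    if abs(delta - snapped) > slack:
        return None
    return snapped / timedelta(hours=1)

def consensus_offset(pairs):
    """Most common implied offset across all pairs and how many pairs agree."""
    offsets = (implied_offset(a, b) for a, b in pairs)
    votes = Counter(o for o in offsets if o is not None)
    return votes.most_common(1)[0] if votes else (None, 0)

def fat_granularity(mtimes):
    """(all seconds even?, probability of that by chance) for FAT's 2 s resolution."""
    even = all(parse_z(m).second % 2 == 0 for m in mtimes)
    return even, 0.5 ** len(mtimes)

# Constructed sample values, not taken from the archive or the document.
PAIRS = [
    ("2016-07-06T09:15:30Z", "2016-07-06T13:15:32Z"),
    ("2016-09-01T12:40:02Z", "2016-09-01T16:40:00Z"),
    ("2016-09-01T12:41:10Z", "2016-09-01T16:41:10Z"),
    ("2016-09-01T10:00:00Z", "2016-09-01T14:07:40Z"),  # unrelated events, rejected
]
MTIMES = ["2016-09-01T16:40:00Z", "2016-09-01T16:40:02Z",
          "2016-09-01T16:41:10Z", "2016-09-01T16:43:58Z"]

if __name__ == "__main__":
    print(consensus_offset(PAIRS))   # offset in hours, number of agreeing pairs
    print(fat_granularity(MTIMES))   # even-seconds flag, chance probability
```

An offset of -4.0 is what Eastern Daylight Time produces; the method recovers the clock setting in effect when the file was written, not a physical location.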

There was no mention of documents being opened and edited remotely using LibreOffice in the Netyksho indictment or Mueller's report, so it's difficult to see how Jessie Liu or anyone else at the DOJ can attribute this to victims being in the Eastern timezone.

Once again, the indicator comes from Guccifer 2.0's own activities rather than anything relating to the location of alleged victims.

The prosecution seems to be dismissing evidence by falsely claiming it is consistent with the RussiaGate narrative where this isn't the case.