Jane Doe, programmer
3 min read, Sep 10, 2017


A closer examination of the Forensicator “analysis”, conclusion. The beginning.

Reconstructing the hacker’s actions.

My last step was to reproduce what the hacker had done on the hacked machine (I did it manually with a couple of folders, as it was pretty obvious, but I may write a full script one day). The Forensicator left readers plenty of cues about which tools to use, such as Cygwin and WinRAR 4. I also temporarily changed my system time zone to EDT; anybody can do that without physically moving to the East Coast. Cygwin makes the Linux “cp” command available, and the timestamps it produces would be consistent with what we see. The hacked machine had EDT time settings, and WinRAR 4 would record them when creating a RAR archive.

Note: the hacker didn’t really need a Cygwin shell, just some of its drivers (I have performed such automated operations myself for work), nor a full installation of WinRAR 4, just some code. It’s notable that the hacker didn’t use the newer version 5, released in 2013, but the old one from 2011–2012 (that “DNC employee” who presumably booted Linux from a USB stick must’ve been really sloppy to install the old version, let alone that it’s a Windows program). I wonder what Eugene Roshal (the author of RAR and WinRAR) and his brother Alexander (the copyright owner) think of it. Did they voluntarily provide the old codebase, or was their code reverse engineered and stolen from them?

Looking closely at the timestamps in the folders (after adjusting the top folder for the +3 hour time difference, which is where the script came in useful), we can reconstruct the hacker’s actions.

  1. On July 5, 2016 the hacker collected and copied the files using Cygwin drivers installed on the hacked machine. It might have been either an initial copy or a transitional one: the folders were copied over, or created at that point and the files collected into them. It was most likely done automatically, using a script.
  2. On September 1, 2016 the hacker created the .rar archives with WinRAR/RAR 4, using the program option to delete the original files. One thing about the folders: ALL of them were modified on September 1, 2016, while ALL the files inside them date from July 5, 2016. The sequence of dates runs “nested folders modified” -> “root folder modified” -> “archive modified”, for all .rar archives but two (more about that below). My explanation is that the script performed a cleanup pass through every folder, such as removing temporary or hidden files (I have experience with this myself; some programs and systems inadvertently leave garbage in folders).
  3. 3 hours later the hacker came back and modified the last 2 archives, adding or removing files, or whatever else (the two folders were modified at the same time as the rest, but the corresponding archive timestamps are 3 hours later). Why is this important? It shows that the operation was performed in several steps, not atomically. It would be really strange for a hacker to transfer the data, then come back 3 hours later and modify a couple of archives, let alone that those probably got deleted after the transfer.
  4. Either at this point or later the data was transferred to the hacker.
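The timeline check behind steps 2 and 3, as an added example that is not part of the original post: it takes a constructed listing of modification times (not the real file set), shifts the root-folder entries by the +3 hour difference, verifies the nested folders -> root folder -> archive order and the July-before-September file dates, and flags any archive whose timestamp falls well after its folder’s, the way the last two did. The record layout, the `late` threshold and the one-hour default are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample listing (not the real file set): (archive, path, kind,
# modification time as text). Root-folder times are assumed to have been
# read in a zone 3 hours behind the rest, so they are shifted before ordering.
SAMPLE = [
    ("a.rar", "a",        "root",    "2016-09-01 16:35:00"),
    ("a.rar", "a/sub",    "folder",  "2016-09-01 19:30:00"),
    ("a.rar", "a/sub/f1", "file",    "2016-07-05 10:00:00"),
    ("a.rar", "a.rar",    "archive", "2016-09-01 19:36:00"),
    ("b.rar", "b",        "root",    "2016-09-01 16:35:00"),
    ("b.rar", "b/sub",    "folder",  "2016-09-01 19:31:00"),
    ("b.rar", "b/sub/f1", "file",    "2016-07-05 10:00:00"),
    ("b.rar", "b.rar",    "archive", "2016-09-01 22:37:00"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def normalize(records, root_shift=timedelta(hours=3)):
    """Return records with datetimes; root folders shifted by root_shift."""
    return [(arc, path, kind,
             parse(ts) + (root_shift if kind == "root" else timedelta()))
            for arc, path, kind, ts in records]

def reconstruct(records, late=timedelta(hours=1)):
    """Per archive: does the timeline run nested folders -> root -> archive,
    are the files older than the folders, and was the archive touched again
    well after its folder (the 'came back 3 hours later' case)?"""
    groups = {}
    for rec in normalize(records):
        groups.setdefault(rec[0], []).append(rec)
    report = {}
    for archive, recs in groups.items():
        t = {k: [r[3] for r in recs if r[2] == k]
             for k in ("root", "folder", "file", "archive")}
        root, arc = t["root"][0], t["archive"][0]
        report[archive] = {
            "ordered": max(t["folder"]) <= root <= arc,
            "files_older_than_folders": max(t["file"]) < min(t["folder"]),
            "archive_delay_min": int((arc - root).total_seconds() // 60),
            "touched_later": arc - root >= late,
        }
    return report

if __name__ == "__main__":
    for name, facts in reconstruct(SAMPLE).items():
        print(name, facts)
```

Against the sample, a.rar is archived a minute after its root folder, while b.rar shows the 3 hour gap that marks a later edit.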
