Jane Doe, programmer
2 min read, Sep 9, 2017


A closer examination of the Forensicator “analysis”, continued. The beginning.

I discussed the blog post with another engineer and we discovered more stuff.

1. The command for remote copying is not “cp” but “scp”; “cp” is a local command, duh. So, it’s like “I prove that the copy was local by assuming it was local”.

2. The claim that the modified times are clustered within 14 minutes is not true, simply because there is a 3 hour gap. Check the image from the blog post:

Look at the part highlighted in yellow, the bottom 3 items — “newmedia.rar” modified at 9:56 AM while the 2 files below are modified at 12:54 pm.

3. My colleague found calculating and subtracting some “gap times” unconvincing, “let’s take 14 minutes and subtract 13”.

4. I initially found it a bit strange that the hacker wouldn’t use Windows compression tools to create .zip archives or Linux archiving tools, instead creating .rar, but I disregarded it. The RAR format was created in Russia, but so what? This is a good format, I use it myself. However, the blogger keeps insisting on using the WinRAR program (which is another product of the same Russian developer) to open those archives, while default tools work just fine. He’s used the word “WinRAR” 6 times in the post. And mind you, it’s free to try, but this is still commercial software.

5. The claim that the .rar files get local, not UTC, timestamps when using WinRAR 4.x is valid, I verified it. The bug was fixed in version 5.x. However… wait a minute, the blogger recommends WinRAR to open the archives, but how does he know that the hacker used this program to create them? He’s also sure it was Windows (yes, the hacked machine) and uses the names “RAR” (format) and “WinRAR” (an archive manager) interchangeably like it’s the same thing (which would be very strange for a very competent person who knows all the fine details). He talks like he KNOWS the details very well, that the files were copied at the same time (they could’ve been copied earlier or later in a different time zone) and what software was used by the hacker. Oops.
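Two of the points above (item 2, the “clustered within 14 minutes” claim, and item 5, the local-vs-UTC timestamp problem in RAR 4.x) are things a reviewer can check mechanically rather than by eyeballing a screenshot. The following Python is an added example written for this page; it is not code from the original post or from the Forensicator analysis. The file names, the date and all timestamps in `SAMPLE_LISTING` are constructed (only the shape “newmedia.rar at 9:56 AM, two files at 12:54 PM” follows the post), and the clustering check is written generally so it works on any listing, not just this one. The DOS date/time encoding used by RAR 4.x headers (shared with ZIP and FAT) carries no time zone and has 2-second resolution, which is exactly why a 4.x archive’s timestamps only make sense relative to the creating machine’s clock.

```python
"""Added example: sanity checks for 'clustered modification times' claims and
for timezone-less archive timestamps. All sample data below is constructed."""
from datetime import datetime, timedelta
from typing import List, Tuple

Entry = Tuple[str, datetime]

# Constructed listing (illustrative names and date; not the screenshot's data).
SAMPLE_LISTING = [
    ("archive1.rar", "2016-07-05 09:45 AM"),
    ("archive2.rar", "2016-07-05 09:48 AM"),
    ("newmedia.rar", "2016-07-05 09:56 AM"),
    ("docs1.7z",     "2016-07-05 12:54 PM"),
    ("docs2.7z",     "2016-07-05 12:54 PM"),
]


def parse_listing(rows) -> List[Entry]:
    """Parse 'name, 12-hour timestamp' rows and return them sorted by time."""
    entries = [(name, datetime.strptime(ts, "%Y-%m-%d %I:%M %p")) for name, ts in rows]
    return sorted(entries, key=lambda e: e[1])


def consecutive_gaps(entries: List[Entry]) -> List[timedelta]:
    """Time between each pair of neighbouring entries in the sorted list."""
    return [later[1] - earlier[1] for earlier, later in zip(entries, entries[1:])]


def largest_gap(entries: List[Entry]) -> timedelta:
    return max(consecutive_gaps(entries), default=timedelta(0))


def total_span(entries: List[Entry]) -> timedelta:
    """Earliest-to-latest spread; the figure a 'clustered within N minutes'
    claim is really about."""
    return entries[-1][1] - entries[0][1] if entries else timedelta(0)


def cluster_by_gap(entries: List[Entry], max_gap: timedelta) -> List[List[Entry]]:
    """Split the sorted entries wherever neighbours are more than max_gap apart.
    A single cluster means the data is consistent with one burst of activity;
    several clusters mean it is not."""
    clusters: List[List[Entry]] = []
    for entry in entries:
        if clusters and entry[1] - clusters[-1][-1][1] <= max_gap:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


# RAR 4.x file headers store times as DOS date/time words (as ZIP and FAT do):
# bits of the date word = year-1980 (7) | month (4) | day (5); bits of the
# time word = hour (5) | minute (6) | second/2 (5). There is no timezone field.
def encode_dos_datetime(dt: datetime) -> Tuple[int, int]:
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return dos_date, dos_time


def decode_dos_datetime(dos_date: int, dos_time: int) -> datetime:
    """Returns a naive datetime: the creating machine's wall-clock reading."""
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def to_utc(naive_local: datetime, utc_offset_hours: float) -> datetime:
    """Reinterpret a timezone-less wall-clock time under an assumed offset.
    Different assumed offsets give different absolute moments, so a 4.x
    timestamp alone cannot fix when (in UTC) the file was written."""
    return naive_local - timedelta(hours=utc_offset_hours)


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("total span:", total_span(entries), "largest gap:", largest_gap(entries))
    for i, group in enumerate(cluster_by_gap(entries, timedelta(minutes=14)), 1):
        print(f"cluster {i}:", [name for name, _ in group])
    wall = decode_dos_datetime(*encode_dos_datetime(datetime(2016, 7, 5, 9, 56, 30)))
    for offset in (-4, 0, 3):
        print(f"{wall} read as UTC{offset:+d} ->", to_utc(wall, offset), "UTC")
```

Run on the constructed listing, the 14-minute threshold yields two clusters separated by a gap just under three hours, while a three-hour threshold collapses them into one; that is the whole substance of the “clustered” disagreement. The last loop shows the item-5 problem: the same DOS timestamp maps to three different UTC instants depending on which machine offset you assume.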

The conclusion.
