Jane Doe, programmer
4 min read · Sep 7, 2017


I was talking about error messages in Russian (Exhibit B, broken links), not metadata. It’s not hard to fake, but hard to guess to fake it. Faking an improbable event (such as a broken link) is improbable.

A closer examination of the Forensicator “analysis”. (Spoiler: the “analysis” happened to be bullshit, not incompetence)

I decided to reproduce his actions according to the Forensicator blog post.

  1. Initially, it struck me as really odd that the blogger ran both Windows and Linux commands (over Cygwin) on a Windows machine. He seems to be an admin-level Linux user (or is he?); however, he wouldn’t use Linux. Moreover, he doesn’t specify “I did it on Windows”, it goes without saying, as it does for people who use only Windows. He suggests installing Cygwin to run the Linux commands, but there is no evidence he ran those Linux commands himself, and his lingo implies he probably didn’t. It’s also funny that the “skilled admin” inserts the result into Excel for analysis (using a bash script to trim digits that don’t fit, weird)…
  2. To reproduce his analysis I downloaded the source from the link he’d provided and unpacked it on a Linux box. His first Linux command ran fine. His second command looks like he copied and pasted a piece of a bash file, screwed up pasting it and didn’t notice. With the rest of the post being very thorough, it points to somebody ignorant and unskilled. OK, I fixed and ran it.
  3. After that our versions parted ways. I’ve got a short list of files, mostly .rar files, which is the original directory sorted by timestamp. But his list included ALL files magically unpacked from those archives, and those are the files he uses to determine the speed.
  4. Then, after having included those archived files in the speed analysis, he talked about opening the archives... He acknowledges that those files were collected into working directories residing on an NTFS (Windows) system, which stops short of saying “those files were copied locally” (hence the speed calculated was the copying speed, not the transfer speed). This is cheating.
  5. (optional) I find the “rebooted from a Linux USB drive” really adorable. He assumes that somebody created a Linux boot drive, changed BIOS settings and such. Yet he has a strange amnesia about his favourite Cygwin shell, which would work to the same effect.
  6. (optional) I can’t shake off this strange impression that the “researcher” worked it backwards — from the place of already knowing the details. As I downloaded the files and looked at the directory, it looked pretty self-explanatory: the hacker first created the archives, then shipped those. Why invent an alternative reality? The details are used here… to confuse. It’s a weird and poorly written post for somebody who tries to reproduce it from a technical standpoint, but it’s an excellent post to convince and confuse readers.
  7. UPD: more analysis.

From how it’s written, I believe there were at least 2 people involved in writing the post. The first one was a Linux user who wrote the scripts, ran them and passed the result and instructions to the second person. The second one was a Windows user who inserted the result into spreadsheets, took screenshots on his machine and wrote the post itself following the instructions.

And there were other people… The post was published on July 9, 2017 (which was a Sunday), with the blog itself probably created around the same time, as it’s devoted only to this topic. But the news about the post spread so fast that on the same day, July 9, there was an article about it published on a conspiracy website called “disobedientmedia”, domain name registered in December 2016 (who managed to fund themselves to the amount of $355 within 4 months, less than $90 per month, but they don’t seem to worry about money and keep working). It was written by Elizabeth Vos from Western Australia (same social media circles as Caitlin Johnstone, another Australian). The document is claimed to be supplied by Adam Carter from the UK (it’s amazing how all 3 of them worked in unison, being in 3 different time zones around the globe — US West coast, UK, Australia), who has his own part and site, domain name registered in February 2017. He seems to have devoted his life to debunking in various ways the “myth of Russian hacking” and passionately hating the US Democrats and media. He’s mostly working on Twitter, the account registered in March 2016. But his tweeting activity was on vacation for about 6 months, August 2016 — January 2017, until the site was created in February. His previous binge tweeting was much shorter — about a week in July 2016, promoting the DNC leak and the “rigged election” narrative. Go figure. Interestingly, he started those series on July 21, a day before the leak…

They are amazing people. I have to admit I don’t know the first thing about Australian politics and only a couple of names from the British one, let alone have any emotion about them.
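The timestamp-based speed figure argued over in items 2 to 4 can be checked directly. The following is an added example, not code from this post or from the Forensicator analysis: it writes a constructed set of files with chosen mtimes, reads off the bytes-per-second implied by the spread of those timestamps, packs and extracts them (tar stands in for rar here; both record each member's mtime), and shows the figure comes out unchanged, because a rate computed from extracted files' timestamps is inherited from whatever wrote the files on the originating side, not from any transfer or extraction.

```python
import os
import tarfile
import tempfile

# Constructed sample: (relative name, size in bytes, mtime as epoch seconds).
# Three 10 MB files written one second apart on the "source" side.
SAMPLE_FILES = [
    ("a.bin", 10_000_000, 1_499_600_000),
    ("b.bin", 10_000_000, 1_499_600_001),
    ("c.bin", 10_000_000, 1_499_600_002),
]

def write_tree(root, files):
    """Create the files under root and stamp each with the given mtime."""
    for name, size, mtime in files:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))

def timestamp_rate(root):
    """Bytes per second implied by the mtime spread of every file under root,
    i.e. the figure one gets by reading a 'transfer speed' off file timestamps."""
    sizes, mtimes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            st = os.stat(os.path.join(dirpath, name))
            sizes.append(st.st_size)
            mtimes.append(st.st_mtime)
    span = max(mtimes) - min(mtimes)
    return sum(sizes) / span if span > 0 else float("inf")

def roundtrip_rate(files):
    """Return (rate before archiving, rate after extracting) for the sample."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        write_tree(src, files)
        before = timestamp_rate(src)
        archive = os.path.join(dst, "bundle.tar")
        with tarfile.open(archive, "w") as tar:
            tar.add(src, arcname="files")
        # Extraction restores the mtimes recorded in the archive headers;
        # the extraction clock leaves no trace in the files' timestamps.
        with tarfile.open(archive) as tar:
            tar.extractall(dst)
        after = timestamp_rate(os.path.join(dst, "files"))
        return before, after

if __name__ == "__main__":
    before, after = roundtrip_rate(SAMPLE_FILES)
    print(f"before archiving: {before:,.0f} B/s, after extraction: {after:,.0f} B/s")
```

With the constructed sample, both figures are 15,000,000 B/s, so a directory of extracted files says nothing about how fast the archive itself moved.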
