And the best that Crowdstrike and FireEye could come up with is a bunch of "possibly, appears, connects, indicates".
Phishing attacks are not a tactic unique to Russia.
Add to that the Guccifer 2.0 information is bunk. Is there proof that he worked for the Russian government? If not, then it just makes him a liar.
Next, Crowdstrike characterized the groups supposedly involved as top tier groups. But suddenly this one time they get sloppy and make amateurish mistakes like leaving Cyrillic identifiers, and "accidentally" forgetting to turn a VPN on?
Or is it more likely that a paid private group found an easy payday by claiming it was the Russians.
We'll never know because the DNC, the victim of a crime, paid a private company $$$ to handle this instead of the FBI.
originally posted by: xuenchen
a reply to: theantediluvian
The Russian stuff in the Mueller "indictments" is so far unproven innuendo and display window dressing.
The fact is, the DNC refused to give the server itself to the FBI and I wonder WHY.
originally posted by: gimcrackery
Why did the DNC deny the FBI access to its server? Because it was an inside job.
a reply to: TheOne7
The GRU team was able to obtain "snapshots" of the virtual machines with DNC data sets and then move them to an account that they had set up with the same hosting service. The indictment does not name the service.
originally posted by: BlackJackal
originally posted by: watchitburn
a reply to: TheOne7
Except the actual forensic data made available would necessitate a direct download and not remote access.
Is this the forensic data you are referring to? LINK
If so, I'm sorry but this does not pass even the smell test. Maybe this guy can fool people who don't understand how computer forensics actually work, but that's about it.
So the entire interruption that the data was downloaded locally and not remotely comes from this guy William Binney a former technical director for the NSA. I have no idea why this guy would lie, and maybe he isn't lying but the data he has provided as evidence of his claim is severely lacking.
Binney says the highest transfer rate was 49.1 megabytes per second, which is much faster than possible from a remote online connection. He says some colleagues challenged this assumption and ran various tests, from the Netherlands, Albania, Belgrade and in the UK and he says, “The fastest rate we got was from a data center in New Jersey…to a data center in the UK and that was 12 megabytes per second, which is less than a fourth of the rate necessary to transfer the data, as it was listed from Guccifer 2.0…However, it is the perfect download rate for a thumb drive.” He says their findings don’t prove who did it but they do prove that the data breach was local and did not consist of an overseas hack.
OK, so the first big red flag here is how can anyone familiar with network forensics not be able to tell the difference between network traffic (AKA remote traffic) and local USB transfers? How could he even confuse the two? They are recorded in two very different ways. Network traffic is captured by either a network device such as a gateway or a tap or an application like Wireshark. The output of that data is a PCAP file. Transfers between a USB drive and a host machine are recorded in multiple places on the host machine. None of those data stores even store transfer rates at all.
The USBSTOR key located in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USBSTOR) contains details on the vendor and brand of USB device connected, along with the serial number of the device that can be used to match the mounted drive letter, user, and the first and last connected times of the device.
The MountedDevices key (SYSTEM\MountedDevices) allows investigators to match the serial number to a given drive letter or volume that was mounted when the USB device was inserted. It's possible that the investigator won't be able to identify the drive letter if several USB devices have been added, since the mapped drive letter only shows the serial number for the most recently mounted device for each letter assigned.
The MountPoints2 key found in a user's NTUSER.dat hive (NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2) will reveal which user was logged in and active when the USB device was connected. MountPoints2 lists all of the device GUIDs that a particular user connected, so you might need to search through each NTUSER.dat hive on the system to identify which user connected a particular device.
The USB key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USB) provides investigators with the vendor and product ID for a given device, but also provides the last time the USB device was connected to the system. Using the last write time for the key of the device serial number, investigators can identify the last time it was connected.
The setupapi log (ROOT\Windows\inf\setupapi.dev.log for Windows Vista/7/8; ROOT\Windows\setupapi.log for Windows XP): searching for the serial number in this file will provide investigators with information on when the device was first connected to the system in local time. Examiners must exercise caution, as unlike the other timestamps mentioned in this article, which are stored in UTC, the setupapi.log stores its data in the system's local time and must be converted to UTC to correctly match any timeline analysis being performed by the investigator.
I'm sorry, I find it incredulous to believe that any forensic analyst worth a damn would not be able to tell the difference between a USB file transfer and a network transfer. It is literally two separate mechanisms for transferring data. So, literally the only proof that this was a USB transfer and not a remote transfer of data is the word of one man. Also, I am unaware of any forensic indicator which records the speed of USB transfers.
So I am left with a couple of questions. Where and what kind of data is he referring to when he says the transfer rate was 49.1 MB/s? How did he confuse USB and network traffic?
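The post above walks through the USB artifacts an examiner correlates (USBSTOR serial, MountedDevices drive letter and volume GUID, the user's MountPoints2, and the local-time setupapi log). The script below is an added example, not from any poster or from the forensic article quoted; it works on constructed sample records shaped like parser output, the serial, GUID, user names and timestamps are hypothetical, and it assumes a UTC-5 system time zone for the setupapi conversion.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts (hypothetical values), shaped like what a registry/log parser returns.
SERIAL = "4C530001230919113394"                          # hypothetical USBSTOR serial number
VOLUME_GUID = "{7f2b1c3e-1111-2222-3333-444455556666}"  # hypothetical volume GUID
DEVICE_DATA = f"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer#{SERIAL}&0#"   # decoded MountedDevices data
USBSTOR = {SERIAL: {"device": "SanDisk Cruzer", "key_last_write_utc": "2016-05-25 19:42:10"}}
MOUNTED_DEVICES = {"\\DosDevices\\E:": DEVICE_DATA, "\\??\\Volume" + VOLUME_GUID: DEVICE_DATA}
MOUNTPOINTS2 = {"alice": [VOLUME_GUID], "bob": []}      # per-user NTUSER.dat ...\MountPoints2
SETUPAPI_LOG = (">>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk"
                f"&Prod_Cruzer&Rev_1.26\\{SERIAL}&0]\n"
                ">>>  Section start 2016/05/25 14:40:02.123\n")   # local time, not UTC
LOCAL_OFFSET = timedelta(hours=-5)                      # assumed system time zone (UTC-5)

def mounted_device_name(serial, prefix):
    """MountedDevices: value name (drive letter or volume GUID) whose data carries this serial."""
    for name, data in MOUNTED_DEVICES.items():
        if name.startswith(prefix) and serial in data:
            return name[len(prefix):]
    return None

def users_for(guid):
    """MountPoints2: every user whose NTUSER.dat hive lists this volume GUID."""
    return [user for user, guids in MOUNTPOINTS2.items() if guid in guids]

def first_connect_utc(serial, log, local_offset):
    """setupapi log is local time: find the serial, take the next 'Section start', convert to UTC."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if serial in line:
            for nxt in lines[i + 1:]:
                m = re.search(r"Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", nxt)
                if m:
                    local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
                    return local.replace(tzinfo=timezone(local_offset)).astimezone(timezone.utc)
    return None

def build_timeline(serial):
    """One UTC record per device: which letter, which users, first and last seen."""
    last = datetime.strptime(USBSTOR[serial]["key_last_write_utc"], "%Y-%m-%d %H:%M:%S")
    return {"device": USBSTOR[serial]["device"],
            "drive_letter": mounted_device_name(serial, "\\DosDevices\\"),
            "users": users_for(mounted_device_name(serial, "\\??\\Volume")),
            "first_connected_utc": first_connect_utc(serial, SETUPAPI_LOG, LOCAL_OFFSET),
            "last_connected_utc": last.replace(tzinfo=timezone.utc)}
```

Note that nothing in these artifacts records a transfer rate; the timeline only says when the device was attached and by whom.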