Larry Johnson
Bill Binney
Bill and I published a piece a few weeks back that provides actual evidence that challenges the claim that “Russia hacked the DNC.” Yes, we know, the Mueller Report continues to insist that theft of emails from the DNC was done over the internet. But that conclusion rests on the opinion of third parties who offer no actual forensic evidence. We, by contrast, are offering up actual evidence that points to an alternative explanation. We do not asky you to take our word for it. Instead, we want to show you how you can test the data yourself ..
First, let’s review our key findings from the original piece:
An examination of the Wikileaks DNC files shows they were created on 23 and 25 May and 26 August respectively. The fact that they appear in a FAT system format indicates the data was transfered to a storage device, such as a thumb drive.
How do we know? The truth lies in the “last modified” time stamps on the Wikileaks files. Every single one of these time stamps end in even numbers. If you are not familiar with the FAT file system, you need to understand that when a date is stored under this system the data rounds the time to the nearest even numbered second.
We have examined 500 DNC email files stored on Wikileaks and all 500 files end in an even number—2, 4, 6, 8 or 0. If a system other than FAT had been used, there would have been an equal probability of the time stamp ending with an odd number. But that is not the case with the data stored on the Wikileaks site. All end with an even number.
(For an overview of FAT please see this link–http://www.ntfs.com/fat-systems.htm)
Here’s what you need to do to replicate what we found.:
Step One—Go to the Wikileaks DNC email database. Click here: https://wikileaks.org/dnc-emails/)
Step Two—Search the DNC database using the any word. We opted for “Clinton.”
This will produce the following results (see link https://wikileaks.org/dnc-emails/?q=Clinton&mfrom=&mto=&title=¬itle=&date_from=&date_to=&nofrom=¬o=&count=50&sort=0#searchresult)
The first message in terms of “relevance” is number 100 (i.e., DOC ID 100)
| Doc ID | Date | Subject | From | To |
| 100 | 2016-05-23 21:17:55 +0000 | POLITICO’s 2016 Blast: Bernie’s DNC concessions — Hillary Clinton’s fall preparations — Trump and Clinton get personal again — 5 Things You Need To Know | 2016blast@politico.com | kaplanj@dnc.org |
Step Three—Go to the websniffer site and direct it to “get/100”. https://websniffer.cc/?url=https://wikileaks.org/dnc-emails//get/100… This is computer speak telling the program to find message 100 (which is titled POLITICO’s 2016 Blast: Bernie’s DNC concessions — Hillary Clinton’s fall preparations — Trump and Clinton get personal again — 5 Things You Need To Know.”)
Step Four–Click on submit. That will take you to the following document:
Step Five–scroll down to the “HTTP response headers” section where you will find the “Last-Modified” timestamp.
Message 100 shows a Last Modified Timestamp of 05:22:00 GMT.
That time equates to 01:22:00 Eastern Daylight Time.
It ends in 0, an even number. Our search and analysis of all the messages from the DNCin the first Wikileaks release published July 22, 2016″ show that all end in an even number.
If you wish, you can search each of the 500 messages from the DNC that we have examined for yourself. You should get the same result. Just go to https://websniffer.cc/?url=https://wikileaks.org/dnc-emails//get/105(or any other message number you wish).
We repeat our conclusion from the original article:
The random probability that FAT was not used is 1 chance in 2 to the 500th power or approximately 1 chance in 10 to the 150th power – in other words, an infinitely high order.
This data alone does not prove that the emails were copied at the DNC headquarters. But it does show that the data/emails posted by Wikileaks did go through a storage device on the 25thof May, like a thumbdrive, before Wikileaks posted the emails on the World Wide Web.
We do not know if a person or persons with access to the DNC server accessed the emails from their home. That is possible. What is certain, however, is that email message 100 demonstrates forensic evidence that indicates the email was physically copied onto a storage device, like a thumb drive or CD-Rom, with a last modified date of 05:22:00 GMT on Wednesday the 25thof May 2016, before it was published on the Wikileaks site. The fact that these messages are in FAT format is not evidence that supports Mueller’s claim a “hack.”
Perhaps Mueller’s team of investigators turned up forensic data that proves a Russian hack. There was no such evidence, however, presented in June and July of 2016 when the initial claim was made blaming Russian intelligence operatives.
We also are confident that there was no solid forensic evidence available in January 2017 to substantiate the Intelligence Community Assessment attributing the “hack” to the Russian Government because NSA analysts only agreed that they had “moderate confidence” in that claim. We know from our prior experience in producting such assessments that if there existed actual forensic evidence, such as tracing the packets back to a server operated by the Russian Government then there would be “strong confidence” in the conclusion.
Who was the person or persons who had access to the DNC server that were copying these messages to a storage device, like a thumb drive, early in the morning on Wednesday the 25thof May? We have an opinion, but our focus is not on speculation. Let us first deal with the hard forensic evidence. We are certain of one thing—the available evidence does not support the claim that the DNC emails were “hacked” via an internet cyber attack.
The Mueller indictment of the alleged Russians who perpetrated the DNC hack is rather detailed. It lays out a detailed scenario of how the DNC e-mails were passed to Wikileaks by Guccifer 2.0 The indictment does appear to provide the evidence supporting the hack.
I’d appreciate your comments on the indictment as well as could the DNC e-mails have been recopied to a thumb drive at a later date and have the same FAT odd/even markings.
FWIW, a summary of countervailing evidence discovered by various sources relating to G2 (as of December 2018) is at: https://disobedientmedia.com/2018/12/guccifer-2-0-game-over-year-end-review/
An up to date summary of the unique types of timezone indications that fall within US timezones (for which we’ve found more types of than we have Russian) is at: http://g-2.space/ustimezones/ – The PDT timezone indicator discovery put the Russian timezone indications from embedded datastore objects (that were discovered by David Jonathan Blake) into doubt and on a screenshot released by Guccifer 2.0 showing his time to be set to GMT+3, the date format gives away the fact the OS is running with US-English locale settings (see: https://theforensicator.wordpress.com/guccifer-2s-russian-breadcrumbs/)… not sure if there are even other Russian timezone indications besides those two!?)… in comparison, we’ve got about six or seven types of indicator pointing to timezones that would line up with Pacific, Central and Eastern..
Regarding G2 being the source for the DNC emails… Forensicator’s latest article covers that scenario and rules him out for being the source, at least for the full collection because the “1gb or so” archive he apparently sent to WikiLeaks wouldn’t have been able to fit all the emails in (there was a little over 2GB of data there compressed). https://theforensicator.wordpress.com/sorting-the-wikileaks-dnc-emails/
I’ve also stripped down the article at: http://g-2.space/twotier/ to it’s key points (outlining how contrived/manufactured G2’s Russianness was and listing examples of countervailing evidence that the press seem to relentlessly ignore). It’s not quite as up to date as the other links above but it does summarize the deliberate nature of G2’s actions and then contrasts that against the countervailing evidence. It amazes me that there aren’t more people in the press and intel community questioning this considering the available evidence in aggregate.