Guccifer 2 Email Time Zone

One of the major differences between Mr FOIA and Guccifer 2 is the latter’s use of email to correspond to journalists.

G2 contacted Gawker and Smoking Gun on June 15, corresponding further with Smoking Gun on June 21 and June 27. He corresponded with Vocativ on July 4-5 and with the Hill on July 11 and 14.  Both the content and metadata are available for the June 27, July 4-5, July 11 and July 14 emails. Threat Connect has been the most prominent in using email metadata in efforts to link Guccifer 2 to Russia: here, here, here.  Jeffrey Carr has been one of the most prominent critics of these metadata analyses.

In today’s post, I’m going to discuss some timestamp information that, to my knowledge, has not been previously canvassed.  The analysis turns on information from the accumulation of a chain involving different time zones. Readers of Climategate emails will recall many such chains as emails passed forth between CRU and the US.

First, here is a screenshot of an email from guccifer20@aol.fr to The Smoking Gun offering emails on Hillary Clinton’s staff.  (For orientation, this is three weeks after Trump Jr’s meeting and one week after the first memo in the Steele dossier.) It’s received at 3:43 PM Eastern (Daylight).

TSG replied a few minutes later, expressing interest, resulting in a second email from Guccifer 2 (Stephan Orphan) at 4:18 PM (Eastern).   Within the thread, there is timestamp information on the timezone of G2’s computer: Guccifer 2 received his answer from Smoking Gun at 14:46- implying his timezone is reading one hour earlier i.e. Central.

The same applies to a subsequent email, where once again the receive time for Guccifer 2 appears to be in a timezone one hour earlier (Central).

Discussion

The time zone information here is consistent with the time zone information on the cf.7z dossier. Because computer time zones can be set and reset in a few seconds, so one cannot place much weight on this.  I don’t know how far a fake timezone setting in a computer is carried forward into email headers and metadata. I’d be interested in information on this.  While this indicia seems fairly slight, other indicia used to attribute Guccifer 2 are just as slight if not worse.


39 Comments

  1. Scott Scarborough
    Posted Sep 19, 2017 at 3:24 PM | Permalink | Reply

    So if he is just one time zone away that means that he is not in Russia?

    • Posted Sep 19, 2017 at 6:14 PM | Permalink | Reply

      Actually, it’s just proves G2’s computer is set to Central time. I was wondering about the point of the Forensicator’s analysis showing the relative UTC time to the local time. It only showed G2’s computer was set for Eastern time. G2 could have been anywhere. Right?

      • Posted Sep 19, 2017 at 7:32 PM | Permalink | Reply

        Email’s HTML contains the local time of the sender’s computer setting but also records the server receipt time. In the above case it looks like it is displaying the sender’s local time which could be spoofed. The AOL server time stamp would not be able to be spoofed by G2. So if that can be obtained that would be stronger evidence of G2’s location. Although the email could have been relayed by an AOL email from another G2 email that would show in the HTML I believe.

      • Steve McIntyre
        Posted Sep 19, 2017 at 7:37 PM | Permalink | Reply

        I tried an experiment in which I changed timezone on my computer and sent an email from one account, then signed off account.

        Then changed time back to correct time, opened email account and opened. It wasn’t tricked by computer time reset. Showed correct timezone at receipt.

        Seems to exclude simple time reset as an explanation.


        • James Smyth
          Posted Sep 19, 2017 at 11:21 PM | Permalink

          The details of how any particular OS and software transfer deals with time varies widely. I would NOT take your example as representative of anything other than the specific tool you used.

          This have been my big problem w/ this sort of analysis from the beginning. The various FTP, SCP (linux, powershell, cygwin), browser GET, drag/drop clients will do almost anything you want to transform and/or preserve timestamps.

        • eloris
          Posted Sep 20, 2017 at 10:50 AM | Permalink

          If it was a gmail address and the email was sent through a browser, then I would think it would be based on where Google thinks you are. But with an Outlook client it does take the time stamp from your computer.

        • Posted Sep 21, 2017 at 5:07 AM | Permalink

          eloris, in the past, you were able to change the timezone associated with your Google account in a Settings page. If you did, it would change the timezone used in your e-mails. The result was you could send one e-mail with an east coast timezone, make one quick change then send an e-mail from a west coast timezone.

          I think Google has changed that and now assigns a timezone per device rather than per account, but I don’t know the details. Google’s configuration options have always been a mess. I’m still mad that when Google bought YouTube, it changed the display settings for people’s account names. That led to the the first time my real name was ever visible on YouTube.

  2. Posted Sep 19, 2017 at 8:45 PM | Permalink | Reply

    If the email server is creating the timezone information on the G2 email it would have shown Pacific as in the meta-data. But instead it displayed Central, which must have been G2’s computer setting.

    Trying to disprove a sophisticated state sanctioned hacker by spotting faulty meta-data might not the most productive ground for mining since any level of misdirection can be fit into that profile. OTOH, every level of sophistication that would be required for spoofing being in the USA must be married with the profile of one left very clumsy Russian fingerprints on the MS document templates, used Russian VPN and claimed to be Romanian.

    The profile G2 does not match is a WL source since the purpose of using WL is to stay hidden and leave no clues. Also G2 clearly distracts and discredits the DNC WL goals. G2 being a buffoon does not fit sophisticated state actor profile.

    What evidence keeps G2 from being a Crowdstrike hired inside job?

    The WL DNC docs do not have any clumsy or sophisticated Russian fingerprints. Doesn’t this seperate them from G2?

    Is Crowdstrike the only source of evidence for Cozy Bear(CB) and Fancy Bear(FB)?

    What is the need for Fancy Bear if CB was never expelled before FB?

    • Steve McIntyre
      Posted Sep 19, 2017 at 10:53 PM | Permalink | Reply

      Lots of questions. I’m interested in all the top-level questions, but thought it would be useful to see if anything can be gleaned from closer parsing of metadata and documents before doing so.

  3. MrPete
    Posted Sep 19, 2017 at 9:39 PM | Permalink | Reply

    There are three logical categories of timestamp involved in email metadata:
    – Sender’s timestamp
    – Intermediate server timestamps
    – Recipient mailbox timestamp

    The “Date:” header is created by the sender, based on sender computer timezone and time setting. This is easily and often incorrect, although by default today it is typically correct.

    The “Received*” headers (other than the topmost one) are created by intermediate systems and servers. New headers are always added to the top (beginning) of the list. The generic form of these, which can span several lines… Received: by (server) from (server) for (email address) (timestamp)

    Timestamps on such headers can’t be spoofed other than by inserting fake headers. (Hackers sometimes inject extra such headers, which will be at the bottom of the list. Careful parsing of who received and who sent at each step can sometimes identify such “injected” headers.)

    The final “Received*” header at the top of the list is created by the final recipient server system and reflects the timezone of the receiving mailbox/address. Normally, a user’s own computer does NOT add another header timestamp.

    Hope that helps.

    • Steve McIntyre
      Posted Sep 19, 2017 at 10:50 PM | Permalink | Reply

      Pete, the times of interest are the 14:46 in the second image and 15:45 in the third image. From your comments, I take it that these were generated by “intermediate systems and server” and thus “can’t be spoofed other than by inserting fake headers”. Have I understood correctly? Can you confirm directly?

      • anon
        Posted Sep 20, 2017 at 8:40 AM | Permalink | Reply

        No, those times are in the reply headers in the body of the email. Those were generated by the mail program, and could be modified by the user. For example, in Thunderbird, when I reply to an email, the email starts with:

        On 09/19/2017 06:40 PM, Somebody wrote:
        > content of email

        But that’s in the editable content of my email, and I could change that text if I wanted.

        The headers MrPete is talking about are in your threatconnect comment image. The various Received: lines are inserted by mail servers as mail is passed from one server to the next.

      • MrPete
        Posted Sep 20, 2017 at 11:15 PM | Permalink | Reply

        Steve, anon is basically correct.

        When I say “Headers” I am speaking of “real” headers in the raw version of the email. Not all email apps show these lines. In “raw” view they are all at the top, followed by a blank line, followed by user content.

        NONE of the material in your original post consists of these “real” headers. In your “link to metadata” reply, ONLY the second image (with “Delivered-To:” down to “Received: from mtaomg…” are “real” headers.

        Everything else is interpreted or created by the user’s email software. Note that in your post many metadata elements have been rendered in French… that’s not how the underlying system functions.

        Now, to be clear and complete: the four metadata lines in several of the displayed emails — From: To: Date: Subject: ARE normally extracted directly from the email headers. Yet particularly for times, one can’t make assumptions….

        a) Some of what you show has both time and timezone… presumably trustworthy.
        b) Some just show a time, and we don’t know what timezone. And… users can easily get timezone and/or actual time incorrect when sending.
        c) Again for completeness: if using a secure (VPN) network, the local time MUST be accurate or the VPN will not work. However, this is not all that common so I wouldn’t depend on it.

        SUMMARY

        Examining all of the emails you presented, I see a few obvious matches that make sense:
        15:43:20 -0400 … later referenced as 3:43 pm
        16:18:16 -0400 … later referenced as 4:18 pm … and in real headers as 13:18:17 -0700
        16:52:42 -0400

        Also note the email bodies incorporate TWO emails each, the one cited plus a response… so no surprise that there’s an extra timestamp in each.

  4. Nicholas
    Posted Sep 20, 2017 at 9:41 PM | Permalink | Reply

    Except for the headers added by the mail servers during transit, everything else in an e-mail can be faked. Basically, the way it works is that your PC/mail client/whatever contacts the server and gives it the e-mail itself, including the headers and body, along with a list of addresses to send it to (and probably some authentication information, to prevent spammers from using every mail server as a relay).

    With few exceptions, the mail server accepts the headers/body and passes it along as-is, after adding some extra headers; the “Received: ” headers and so on, which indicate the hops that the message took along the way.

    So you can easily fake the local time an e-mail was sent but it will be stamped by the servers it passes through.

    Doing so does require some IT knowledge. So the question is whether you’re willing to assume that this person was clever enough to get their hands on the leaked/hacked e-mails, yet not clever enough (or not aware enough) to fake the other metadata. It does require some effort to do so but not a huge amount.

    • Posted Sep 21, 2017 at 4:03 AM | Permalink | Reply

      The only caveat I would offer Nicholas is if you’re using third-party software (say, Gmail) to write your e-mails, it may impose limitations on how much you can personally modify. That’s why an experiment like that described by Steve McIntyre above may fail.

      I’ll also point out what timezone a computer that sends a mail is in hardly provides meaningful evidence of where the person using it was. It is trivially easy to set up remote connections. I could send an e-mail from a computer in Russia in which I faked the timezone in under 10 minutes.

      • Steve McIntyre
        Posted Sep 21, 2017 at 7:59 AM | Permalink | Reply

        Brandon, I agree that the nominal timezone of computers is trivially easy to alter. However, the entire attribution of Guccifer 2 seems to be based on weaker points e.g. that the username in the cut-and-pasted documents in G2’s first release was Felix Dzerzhinsky (the Russian equivalent of J. Edgar Hoover), so G2 must be Russian. Or that the Word settings in documents in G2’s first release had been set to Russian.

        If an attribution is based on such nonsense, then timezones are worth examining.

        My ultimate conclusion here is that we don’t know, not that the timezones prove anything, and that the intel community has provided zero evidence to support their attribution of Guccifer 2.

        • Posted Sep 21, 2017 at 9:05 AM | Permalink

          That’s fine, but I don’t have any interest in discussing those matters. I was just commenting because of the technical aspects involved. Network security, including forensics, is a focus of mine so I like for people to know what can and cannot be done.

          Beyond that, I’m content to let other people look at what actually was or was not done.

        • Follow the Money
          Posted Sep 21, 2017 at 2:29 PM | Permalink

          …and this one hour difference correlates with the one hour difference in the transferring of data files discussed elsewhere.

          And not at all with a Romanian or Russian time zone.

          It appears the European whiskers was only released document-metadata deep. How would a faked one hour difference help G2?

          “aol.fr” – French people actually use America On Line?

          I notice “aol.ca” does not have a French language option. Do Canadians using French regularly use aol.fr?

  5. Peter
    Posted Sep 21, 2017 at 10:42 PM | Permalink | Reply

    The clock and timezone can easily be set to anything you want. The timestamps are taken from the clock and written into files as they are opened/created/modified etc. This is pretty much how every operating system works.

    You can also overwrite those timestamps to your heart’s content too, its just a number stored on the disk, if you know where it is its trivial to just write it.

    A timestamp stored in an encrypted archive would be harder to play with as you’d need to de-crypt, change it, and re-encrypt. A secure OS could possibly make this harder to do but Windows and Linux most certainly are not.

    No idea if any of the above makes any difference to your analysis but be careful assuming that time a < time b means anything in the physical world because any 1/2 decent programmer could create those illusions.

    • Steve McIntyre
      Posted Sep 21, 2017 at 10:59 PM | Permalink | Reply

      I agree that no conclusions can be drawn from timezone to which a computer is set. This was an issue that arose in Climategate.

      Usernames can be set just as easily. Amazingly, one of the main foundations of attribution of Guccifer 2 as “Russian” is that the username in his first tranche of releases was set to Felix Dzerzhinski, the Russian equivalent of J. Edgar Hoover. I cannot imagine any sane person deducing that use of the pseudonym J. Edgar Hoover proved that the person under the pseudonym was necessarily an FBI agent, but the use of the equivalent Russian pseudonym was held to prove that Guccifer 2 was really Russian intelligence. Hard to believe, but true.

      • Posted Sep 22, 2017 at 7:54 AM | Permalink | Reply

        Who is doing such an insane thing? What do they say to justify doing it?

        • Posted Sep 22, 2017 at 9:30 AM | Permalink

          Threatconnect , a company specializing in identifying cyber threats, wrote a series of articles starting after the DNC announcement of the hack last June. The MSM base their confidence on Threatconnect’s blogs and their confidence in Crowdstrike and the blanket claim by former DNI, James Clapper, that four (not 17) intelligence agencies concur.

          The Ruusian attribution of G2 is mostly by the analysis the that the two DNC breaches, Cozy and Fancy Bear, were Russian and that G2 is associated with them, although threatconnect admits that is only one theory and it has a lot of problems. They just give the Russian attribution the most weight since all the alternative have more problems (in their mind). The possibility that a DNC head or Crowdstrike or both could by behind G2 is, of course never considered or mentioned. That possibility is apparently too outrageously conspiratorial to responsibly utter, not like Trump collusion which fits his assumed criminally reckless profile.

          We now know that Debbie Wasserman Schults (DWS) lied about the laptop found by the Capital Police in a congressional office building closet, claiming at first that it was hers and demanding return custody, and now claiming it is Awans but suing the Capital Police not to access data on it due to congressional privilege, I think it’s time to put the DNC attribution on the table. Imran Awan’s personal finances and activity looks very much like he was blackmailing DWS, and that it’s already known that Awan was sending congressional email and documents to an external site illegally. Awan was DNC chairperson DWS’s most trusted IT person. She hired him in 2005. And based on her reference Awan and his family and friends were working for about a dozen other congressional Dems. Could Awan have a hand in the DNC and/or G2 business? He had access. He was untrustwothy. He had something to hide, apparently trying to flee the country after liquidating assets to fresh cash. I wonder why the MSM is not interested in reporting on Awan?

        • Posted Sep 22, 2017 at 9:55 AM | Permalink

          Here is a full story of Awan and of smashed hard drives found in his former residence. This is the house Awan rented out, which he claimed was not in order to get a bank loan to cash out its equity. The new tenant, Andre Taggert, happened to be a US marine and found some expensive office supplies along with visibly pried open hard drives. Taggert turned them over to police. Imran Awan’s lawyer is demanding their return. I don’t know if DWS is involved in that one too. Awan’s stepmother filed a police complaint that Awan hacked her email and computer and was blackmailing her to sign over her late husband’s estate in Pakistan to him. She alleges Awan threatened he had powerful connections.

        • MikeN
          Posted Sep 22, 2017 at 1:30 PM | Permalink

          The publicly issued evidence by the government for why Russia is behind the DNC hack is very unconvincing. Motivation for Russia + CrowdStrike’s conclusions.

        • Steve McIntyre
          Posted Sep 22, 2017 at 3:23 PM | Permalink

          Brandon, I’ve been planning to write up the Russian attribution of G2 from username. It’s totally mad – even by the standards of the climate things that we’ve looked at over the years.

        • Posted Sep 22, 2017 at 3:54 PM | Permalink

          Ron Graf, to be blunt, I simply do not care about the discussion of whether or not Russia was involved with the hacking as discussed here. I certainly don’t care ab out the random segues people have tried to drag me into when I’ve attempted to discuss specific points. My view has always been the best way to address disagreements is to focus on specific details/issues, moving on after they have been clearly detailed (if not agreed upon).

          On this post, I discussed a specific point of what is technically feasible in one fork then asked a specific question in another. The question in that case was, who was making the claims we are told were being made. I asked that question partially because on another post, we were told people were making a particular claim while the only source offered to show people make that claim was an edit to ta Wikipedia article by just some guy on the internet.

          Given that and how that previous post left out highly pertinent information/details, I felt it was worth clarifying who the unnamed individuals which deserve such ridicule supposedly are. People familiar hockey stick Team and/or Stephan Lewandowsky and his apologists will recall how they would often select an argument made by a less informed/articulate/competent individual to respond to in order to pretend that was the entirety of the case against them. Another common tactic was to “paraphrase” what critics say in a way which alters their criticisms.

          That you can find people saying silly things on the internet is not very interesting. What is interesting is seeing how those silly things impact overall narratives. I think I can be forgiven for waiting until I see who says what silly things before deciding who I ought to ridicule for saying them.

      • Follow the Money
        Posted Sep 22, 2017 at 4:22 PM | Permalink | Reply

        To be precise the last name was not used. “Felix Edmundovich” was used.

        Also, G2 used “Ernesto Che” leaving out the last name “Guevara.”

        More obscure, a third he planted was “Zhu De” who was a Chinese general.

        The first was in Russian script, and the third was in Chinese.

        • Steve McIntyre
          Posted Sep 22, 2017 at 4:33 PM | Permalink

          Yes, I know the Felix Edmundovich thing but Dzerzhinsky clearer ID to English speakers.

          An overlooked fourth is : Nguyen Van Thang

        • Follow the Money
          Posted Sep 22, 2017 at 4:46 PM | Permalink

          “Nguyen Van Thang”

          I never heard of that, and I am looking forward to you writing about the subject.

          Best I can see the name matches a mid-century anti-communist leader (usually spelled “Than”), and a current member of the Vietnamese Communist Central Party.

        • Follow the Money
          Posted Sep 22, 2017 at 5:16 PM | Permalink

          If you change the spelling slightly from -g to -h, you get Nguyen Van Thanh. This was a pseudonym or possible birth name for Ho Chi Minh.

        • Steve McIntyre
          Posted Sep 22, 2017 at 6:03 PM | Permalink

          Here’s name in July 6, 2016 cut-and-paste

        • Follow the Money
          Posted Sep 22, 2017 at 6:34 PM | Permalink

          Very interesting. Looking around,the punctuation marks above the “a” in Thang and Thanh are consistently different. Therefore a cut and paste of this name from the web would likely not be related to Ho Chi Minh. So this is evidence against the idea G2 miswrote “go” for “h.” Although either way both are Vietnamese names.

          Unless he typed the name directly and Windows here automatically adds Vietnamese punctuation marks? That would surprise me.

          All very interesting; let’s see if the punctuation marks show here:

          Nguyễn Văn Thắng

          Nguyễn Văn Thành

          The wiki page for Thang warns not to confuse it for the man named Thanh.

        • Posted Sep 22, 2017 at 10:32 PM | Permalink

          For what it’s worth Follow the Money, the written Vietnamese language makes extensive use of symbols in a way that has clear meanings to people familiar with the language. There is even more than one type of symbol, hence why some letters will have two (one of each type). In English, the difference between Van Thang and Van Thanh would seem small, but the difference betten Văn Thắng and Văn Thành would be quite noticeable to people who read/speak Vietnamese.

          Someone more familiar with the language should check, but based on my crude knowledge of the langauge, I don’t think you’d normally see Văn Thàng or Văn Thắnh. They’d sound strange. Given that, it’s unlikely someone would misspell either name by just switching a “g” and “h.”

  6. Posted Sep 21, 2017 at 11:37 PM | Permalink | Reply

    Reblogged this on I Didn't Ask To Be a Blog.

  7. peter
    Posted Sep 23, 2017 at 12:18 PM | Permalink | Reply

    “I tried an experiment in which I changed timezone on my computer and sent an email from one account, then signed off account.”

    Time/date in computers/machines is almost always stored as an integer offset in seconds from some initial time/date GMT. Time zone is just a convenient offset for display purposes. By always using time/date relative to the same offset as an integer its easy to do meaningful comparisons in software without worrying about time zones, daylight savings etc.

    These integer offsets are what is stored in all the files, meta data etc. for the same reasons.

    The offset is stored in a separate piece of clock hardware which ticks it upwards even when your computer is off. This can be set by software to correct it and the operating system reads it and stores it in data associated with the files when they are opened, closed, read, written etc.

    i suspect the language R has a library of functions that interface the Linux or Windows OS functions and would give you a good idea how it works usually..

    For fun consider the problem of accuratly setting a very precise clock when told the value of another very precise clock by a computer. Its very hard to get them bang on to small numbers of nanoseconds but its necessary in many new networks.

    • Steve McIntyre
      Posted Sep 23, 2017 at 12:27 PM | Permalink | Reply

      one of the oddities of the Guccifer 2 cf.7z is that certain copy and compress operations seem to lose track of the timezone.

      • Peter
        Posted Sep 24, 2017 at 10:01 AM | Permalink | Reply

        Steve, that does not surprise me.

        Timezone is only used when you display time, rarely when you store it.

        If I perform an operation on a file then its marked as happening at a number of 100 nanoseconds increments since some well known fixed date / at 00:00:00 gmt. That is whats stored in the archives as an 8 byte integer.

        Then anybody in the world can see when the operation was performed in whatever time zone they want. If you want to know where something is done youd need some other data.

        Of course if you print it or put it in a human readable form then the local timezone will adjust what you see, and write it as an Ascii string including the local time zone. So if somebody sent you the ascii output you would know how their timezone was set when they created it. Of course it can correctly compute day of month / day of week / leap stuff too for humans.

        Software however almost always works with the common timezone and start date/time so that time comparisons are just simple integer operations.

        • Steve McIntyre
          Posted Sep 24, 2017 at 10:09 AM | Permalink

          I still don’t understand why combinations of WinRAR and 7z would result in two contemporary documents being displayed 4 hours apart.

Post a Comment

Required fields are marked *

*
*

%d bloggers like this: