THREAD: Deep dive into DCLEAKS metadata

I started working on this back in maybe 2019 and shelved it because the conclusions are curious, but not compelling, as we'll see below. I had hoped some facts might emerge that helped clarify things but they've never come along. Enough time has passed -- I'll simply share what I have in the hope that the data is useful or maybe just interesting.

Let's begin with a portrayal of events offered by @TheLlamaFiles.
jimmysllama.medium.com/the-rabbit-fil…

THREAD: a brief look at the Vaughn indexes produced by the FBI in response to a long-standing FOIA battle spearheaded by @Ty_Clevenger. At its basis, Ty asked the FBI for records that relate to the investigation of the Seth Rich murder (July 10, 2016). At first, the FBI said more/less, "We got nuttin.", but Ty continued to press. Some disclosures followed. Most recently (a few months back) the FBI has provided a "Vaughn Index" of both Seth's personal laptop and work computer. I posted a thread on the personal laptop data.

THREAD: a brief analysis of the Vaugn indexes provided by the FBI to @Ty_Clevenger in his FOIA case that relates to the Seth Rich case.

Briefly, as I understand it, Ty asked the FBI for information that might relate to their role in the investigation of the Seth Rich murder. cc: @Ty_Clevenger @with_integrity @ClimateAudit @FOOL_NELSON @realexmaple

@SamSimeonSays @ClimateAudit @JaapTitulaer @EnticingClay "I've always assumed DCLeaks was a limited hangout (by US intel or similar) to undermine the legit leaks."

Possible, since it was neutered, and left standing, it seems to serve the purposes of The Blob.

The metadata has some interesting secrets to tell. @SamSimeonSays @ClimateAudit @JaapTitulaer @EnticingClay Let's look at a DCLEAKS email rendered as HTML, in 3 parts.

First, the raw HTML.
At the top, we see "HTML Merger" which is yet another HTML manipulation tool. We see various tags like MailHeader3 and MailHeader4. These are custom headers, perhaps unique to Encryptomatic.

THREAD: did WL obfuscate the second DNC email release?

In this timeline, we see that WL made two releases of DNC emails. One just before the DNC convention (7/22/2016) and one just before the election (11/06/2016).

We'll show there is an important difference between them. The WL email releases are made up of individual EML files. Every file has a last mod time and we can arrange them in last mod time order. We might expect to see a timeline that looks like this.

In fact, the first WL release looks like this.

THREAD: is Global Relay a potential exfiltration site?

In the previous two (censored) threads I suggested that the DNC emails may have been exfiltrated from a live email mirror site, possibly maintained by a company named AppRiver.

Here, we'll explore another company ... A review (link 1/2).
threadreaderapp.com/thread/1766509…

THEAD: were the DNC emails taken from an AppRiver server?

This is a follow up to this post, where we noticed that the DNC was running two/more realtime backups of their Exchange server.

We suggested that a backup server was the source of the DNC emails.

https://x.com/tralfamadorenik/status/1766509021580632431

The plot thickens.

Forensicator noticed that incoming DNC emails were filtered by AppRiver.

theforensicator.wordpress.com/sorting-the-wi…

Thread: Were Hunter Biden's emails processed in Chile?

Hunter Biden's emails were made available as a series of ~128K individual EML files (source Marco Polo).

The filenames have this form:
20100404-030027_36374.eml
where everything to the left of the underscore is a date/time. Internal to the EML file is a Date: field. The Date value syntax is in the form that the sender sees the date/time. We can normalize that time to GMT and compare it to the date/time implied by the EML file name.

Can we estimate the time taken for a message to be sent to DAG1 vs DAG2 given the following data?

Alternatively, can we assert the level of significance that the path to DAG2 is slower than the path to DAG1? Background: In the DNC emails we see some late dated emails (149 of them) sent locally via a server named DNCDAG2; for those emails we can subtract the sent time from the received time. Unfortunately, the times are accurate only to the nearest second.

THREAD: solve the crime - how were the DNC emails taken?

In ou previous episode, we asserted that an email backup server had been hacked with Pacific/AZ time zone proximity.



Lading to the next question: how?

https://twitter.com/tralfamadorenik/status/1766509021580632431

Before we address that question directly, let's rule out a few possibilities. First, let's recall that the DNC's on site experts had no clue.

THREAD: Were the DNC emails taken from a backup server?

The Mueller Netyksho indictment asserts that the DNC emails, subsequently dumped by WikiLeaks (first on July 22, 2016) were acquired by Russian GRU agents who leveraged a hack of the DNC. The indictment is vague on details raising many questions as to how exactly the emails were acquired, ex-filtrated and then transmitted to WikiLeaks.

As we’ll see below, even the on-scene experts who investigated the incident seemed to come up empty handed.

The Unified Guccifer 2 Theory (1.0)

Recently, I had an "ah hah" moment w.r.t the timing and content of Guccifer 2's first blog post and the potential media/social network response.

It's an idea that I think may have merit, but pushing on that discovery string will be difficult. spoiler: the DNC and friends got wind that a hacker (G2) was pitching the release of some HRC related documents to The Smoking Gun (TSG) and Gawker with stories to follow ...

This thread will explore this often-discussed idea that some/all DNC were ex-filtrated by making use of credentials found on the Internet. That idea derives from this archived tweet (the original author's account was deleted. tag: @News_Views_2020, @FOOL_NELSON, @ClimateAudit, @realexmaple, @walkafyre, @TrustIsEarnd, @bleidl, @ITGuy1959, @with_integrity , @Ty_Clevenger

THREAD 22: The "Trump Server" / Alfa Bank "suspicious communications" controversy
We discuss a critical time series analysis paper that established a possible pattern of human 2-way communication. This paper was likely passed along to reporters, the Senate, and the FBI/CIA. Alfa Bank sends a demand letter to Dagon, notably requesting "White Paper Comments: Time Series Analysis of Recursive Queries". We can't quite tell if this is the seminal paper or just Dagon's comments on same.

@FOOL_NELSON @walkafyre @ProfMJCleveland @ErrataRob @ClimateAudit

THREAD: Who are the "Tealeaves folks" and why does it matter?

This is a follow up to this thread.

https://twitter.com/codyave/status/1497323436481277954

tag: @RyanM58699717 @FOOL_NELSON @ClimateAudit @ErrataRob @ProfMJCleveland @codyave @isthats75228187 In this excerpt Fritsch tells Lichtblau "These Tealeaves folks almost certainly would have been encrypted". Who is Fritsch referring to? (1) the group of researchers that we associate with Tealeaves or (2) the Trump Org cabal including Alfa and Spectrum that TL incriminates?

THREAD #20: The "Trump Server" / Alfa Bank "suspicious communications" controversy. Technical track: What can we learn from the (previously unanalyzed) duplicate entries in the DNS logs?

We find support for our preferred theory: Alfa and Spectrum were hacked/compromised. IMO, the hacks caused the Alfa and Spectrum servers to ping the "Trump Server" in a seemingly mysterious pattern.

Previously, we decoded the pattern seen in the Spectrum data. Here, we will decode the reptitive pattern generated by Alfa (alleged) hack.

Preview pop quiz. Let's say that a DDOS attack blasts out a lot of packets all at once and then waits 10 seconds before it reloads. In the meantime the packets are slowed down by a rate limiting filter and some (but not all) answers are returned back. Which scenario in the chart best fits that description?
Compare to a sequential process where a program sends some packets and within 1 sec receives results. There are problems with the result, so it waits 2 secs and tries again. Still problems, it waits 2 secs and tries again.

Puzzler ahead of next thread (which will be overall shorter and simpler, but a bit difficult to grapple with).

Tag:
@FOOL_NELSON @ClimateAudit @bleidl @RyanM58699717 @walkafyre @ErrataRob @PeterSMagnusson @sempersecurus We look at all gaps of less than 2 hours (7200 secs) and reduce their value to the next lowest 120 secs (2 mins) for the period > 7/24/2016 which is the day both Alfa and Spectrum are missing a day.

THREAD #17: The "Trump Server" / Alfa Bank "suspicious communications" controversy. Technical track: What can we learn from the record of failed lookups from a new Alfa IP address (217.12.97.137)? Tag: @FOOL_NELSON @ClimateAudit @bleidl @RyanM58699717 @walkafyre @ErrataRob @PeterSMagnusson @sempersecurus

Pop quiz ahead of the next thread.

How do we put these three pieces of info together?

@FOOL_NELSON @ClimateAudit @bleidl @walkafyre @RyanM58699717 @ErrataRob @FOOL_NELSON @ClimateAudit @bleidl @walkafyre @RyanM58699717 @ErrataRob Consider: (1) the DNS search suffix list, (2) iterative name resolution, (3) DNS name caching both positive and negative.

Things might not make sense; it didn't for me given this scarce data, but maybe you'll find something.

@FOOL_NELSON @ClimateAudit @bleidl @RyanM58699717 @walkafyre @ErrataRob

Let's look at the Alfa DNS lookup data. It is demonstrably different from the Spectrum ping data, but shares a similarity in that there is different behavior among 3 time segments. This is a composite to show the three stages. Stage 1 (prior to 6/24/2016) shares the same apparent randomness of inter-ping delays as we saw with the Spectrum data. Similarly for stage 2 and 3 we see similar shapes but stage 2 is more erratic.