Time Zone of Guccifer 2 cf.7z

In a recent post, I observed that the majority of the emails in the Wikileaks DNC archive were sent AFTER Crowdstrike installed their anti-Russian software on May 6.  In today’s post, I’ll look at a metadata issue concerning Guccifer 2, who was, with “high confidence”, attributed by the US intel community to be Russian, supposedly working under the personal direction of Putin.  I’m going to look closely at document metadata in the two 7z dossiers published by Guccifer 2 in fall 2016. Neither of the two dossiers contained any documents of any relevance to the 2016 election.

Earlier this year, Forensicator observed  that the ngpvan.7z dossier showed evidence of several copying and collating operations, including a copying operation in which the modification date-times of all documents were set to a 14 minute window on July 5, 2016. From analysis of the metadata, Forensicator plausibly argued that the copy-to computer was set to Eastern time zone. Forensicator didn’t comment on the other Guccifer 2 dossier (cf.7z).

I’ve closely examined both dossiers and noticed that the time zone of the cf.7z copy-to computer appears to be one hour earlier than the time zone of the copy-to computer analysed by Forensicator, i.e. Atlantic Canada time.  I am much less knowledgeable than Forensicator and similar analysts in such details and am unable to present a solution.

Forensicator’s Analysis of ngpvan.7z Time Zones

The top directory of Guccifer 2’s ngpvan.7z dossier contained 13 .rar folders, 4 .zip folders and 5 documents (pdf, png).  All .rar folders had modification dates of Sept 1, 2016 – a few days before announcement of the dossier on Sept 4, 2016.  All .zip files, documents in the top directory and documents in the .rar folders had modification dates of July 5, 2016.  Forensicator, working in Pacific time zone, noticed that there was a 3 hour time difference between modification times displayed for documents within the .rar files and located in the top directory (as shown in the figure below). Forensicator explained (here) this difference as due to the following: 7z stored documents in UTC while the .rar files, constructed using WinRAR4, were in local relative time, from which he deduced that the copy-to computer of the July 5 copy operation was in Eastern time zone.

His explanation is terse. To fully understand his point in operational terms, I adjusted my computer to UTC and took equivalent observations. A file outside the RAR folders (e.g. sf3.pdf), which was displayed as 15:46 Pacific, is displayed as 22:46 UTC, reflecting the 7 hour time difference. However, a file within the RAR folders (e.g. DonorsByMM.xlsx), which was displayed as 18:51 Pacific, is now displayed as 18:51 UTC.  In other words, 7z doesn’t know the correct timezone of the RAR documents and incorrectly assumes they come from the timezone of the current user.  The timezones only match using Eastern Daylight -0400.

Forensicator’s point is unequivocally correct.  I would prefer that he not have said “we need to adjust the .7z file times to reflect Eastern Time”.  Having spent time trying to parse through this, I would have said that “we need to adjust the RAR file times”, since it is the RAR timezone that 7z gets wrong, but that doesn’t impact the correctness, importance or originality of his observations.
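The display behaviour described above can be reproduced in a few lines. The following is an added example, not code from the original post or from Forensicator: it models the 7z entry as an absolute UTC instant and the RAR entry as a zone-less wall-clock time, then searches for the viewer offsets at which both fall inside the 14 minute copy window. The constant and function names are assumptions, and seconds are omitted because the post quotes times to the minute.

```python
from datetime import datetime, timedelta, timezone

# Values quoted in the post for July 5, 2016 (seconds not given there).
SF3_UTC = datetime(2016, 7, 5, 22, 46, tzinfo=timezone.utc)  # top-level 7z entry: stored as UTC
DONORS_WALL = datetime(2016, 7, 5, 18, 51)                   # entry inside .rar: local wall clock, no zone


def displayed(viewer_offset_hours):
    """Return (7z entry, RAR entry) as a viewer at this UTC offset sees them."""
    tz = timezone(timedelta(hours=viewer_offset_hours))
    # The UTC-stored entry is converted to the viewer's zone, so it moves.
    utc_entry = SF3_UTC.astimezone(tz).replace(tzinfo=None)
    # The wall-clock entry carries no zone, so it is shown unchanged everywhere.
    return utc_entry, DONORS_WALL


def candidate_offsets(window=timedelta(minutes=14)):
    """UTC offsets at which both entries fall within one copy window.

    If both files were written in the same copy operation, the offset of the
    copy-to machine is the one where the UTC-stored time, rendered locally,
    lands within the window of the wall-clock time.
    """
    hits = []
    for hours in range(-12, 15):
        utc_entry, wall_entry = displayed(hours)
        if abs(utc_entry - wall_entry) <= window:
            hits.append(hours)
    return hits


if __name__ == "__main__":
    for label, off in (("Pacific Daylight", -7), ("UTC", 0), ("Eastern Daylight", -4)):
        a, b = displayed(off)
        print(f"{label:17} sf3.pdf {a:%H:%M}   DonorsByMM.xlsx {b:%H:%M}")
    print("offsets consistent with one copy window:", candidate_offsets())
```
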


July 5, 2016 Copying in cf.7z

Guccifer 2’s other 7z dossier (cf.7z) was released on October 4, 2016 in a blogpost promising (but not delivering) salacious details of the Clinton Foundation.  Like the previous dossier, the documents in cf.7z are mundane administration details of the Democratic Party of Virginia (DPVA) – not even the DNC. Whereas the documents of ngpvan.7z were all extremely stale (most recent documents from 2011), cf.7z consists of documents from 2013-2016. Its most recent document is from June 1-2, 2016, but documents originating after April 2016 are very sparse.

Three directories contain documents with modification dates of July 5, 2016.  From the time gaps in the ngpvan.7z dossier, Forensicator had postulated that a much larger copying operation had taken place on July 5.  The cf.7z documents with modification dates of July 5 seem to originate from this larger copy operation – but display as exactly one hour earlier, indicating a difference in time zone display rather than a different origin. The earliest time in the ngpvan.7z dossier was 18:39; the documents in the cf.7z/OFA directory (152.6 MB) have modification times between 17:34 and 17:38, immediately preceding, allowing for the postulated one hour time zone difference:

The cf.7z/Donor Research and Prospecting directory contains documents with modification dates ranging from March 2015 to July 5, 2016 (plus one 2011 outlier). Some documents were copied in what Forensicator called the “Windows” style, while others, including the most recent batches (dated May 23, June 6 and July 5), were copied in what Forensicator called the “Unix” style that was used in the July 5 copy step of ngpvan.7z.  The July 5 tranche has modification times between 17:39 and 17:52, which again fit, allowing for the proposed one hour time zone difference. (Displayed times for a computer set to Atlantic Canada time match perfectly.)

Documents in a third directory (the very small cf.7z/emails directory) also match, allowing for the proposed one-hour time zone difference.


It turns out that two documents in the cf.7z/Donor Research and Prospecting directory (DonorsByMM.xls and DonorsByMM_2.xls) were also uploaded to the ngpvan.7z/DonorAnalysis directory where the postulated one hour time zone difference can be demonstrated to one second accuracy. More detailed properties can be obtained by right-clicking on the files, with results for each shown below. To the nearest second, the respective copy times are shown as 17:52:00 and 18:51:59, one hour apart to the second.

There are differences in technique in the preparation of the two dossiers. Times in the cf.7z dossier appear to be rounded to the nearest minute or second, while times in the ngpvan.7z are chopped off. Thus a file with a time ending in 59.6 seconds would be rounded in one case, chopped in the other. One archive used an LZMA2:26 method, while the other used m3:22. The ngpvan.7z archive mentions Win32, not mentioned for cf.7z.
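The rounding-versus-chopping point can be checked against the two displayed times quoted above. The following is an added example, not part of the original post: it assumes cf.7z rounds to the nearest second and ngpvan.7z truncates to the second, and asks which whole-hour shifts allow a single source timestamp to produce both displays. The function names are hypothetical.

```python
from datetime import datetime, timedelta

# Displayed copy times quoted in the post for the same file in each archive.
CF_DISPLAY = datetime(2016, 7, 5, 17, 52, 0)     # cf.7z: assumed rounded to nearest second
NGP_DISPLAY = datetime(2016, 7, 5, 18, 51, 59)   # ngpvan.7z: assumed truncated to the second

HALF = timedelta(milliseconds=500)
ONE = timedelta(seconds=1)


def fraction_range(shift_hours):
    """Sub-second fractions of one source timestamp that explain both displays.

    Returns (low, high) in seconds past NGP_DISPLAY, or None when no single
    timestamp fits the given whole-hour shift between the two archives.
    """
    shift = timedelta(hours=shift_hours)
    # Truncation: the true time t lies in [NGP_DISPLAY, NGP_DISPLAY + 1s).
    t_lo, t_hi = NGP_DISPLAY, NGP_DISPLAY + ONE
    # Rounding: t - shift lies in [CF_DISPLAY - 0.5s, CF_DISPLAY + 0.5s).
    r_lo, r_hi = CF_DISPLAY + shift - HALF, CF_DISPLAY + shift + HALF
    lo, hi = max(t_lo, r_lo), min(t_hi, r_hi)
    if lo >= hi:
        return None
    return ((lo - NGP_DISPLAY).total_seconds(), (hi - NGP_DISPLAY).total_seconds())


def consistent_shifts(max_hours=3):
    """Map each whole-hour shift that fits to its admissible fraction range."""
    result = {}
    for hours in range(-max_hours, max_hours + 1):
        rng = fraction_range(hours)
        if rng is not None:
            result[hours] = rng
    return result


if __name__ == "__main__":
    # Only a one hour shift fits, and only for fractions of 0.5 s or more,
    # which includes the 59.6 second illustration given in the text.
    print(consistent_shifts())
```
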

Conclusion and Question

It seems certain to me that the DonorsByMM_2.xlsx document in each archive originated in a single copy operation with metadata differences arising from later processing. The timezone of the cf.7z dossier has somehow been set one hour earlier than the time zone of the ngpvan.7z dossier, which Forensicator deduced as Eastern North America. This implies Central time zone. In addition, somewhat different techniques were used in the preparation of the two dossiers. I don’t know enough of the details of the copy operations to diagnose further and would welcome any ideas.


[Update Sep 19- removed an incorrect speculation on upload to mediafire, which reflected my location not anyone else’s]

Climate Audit
