Forensicator takes issue with “tampering” claims made by Campbell, who mistakenly concludes that Guccifer 2 deliberately manipulated metadata in a 7zip archive file, called ngp-van.7z. In a rush to judgment, Campbell thinks he sees a pattern in the data and uses this as the basis for his faulty conclusion. Campbell missed important details and failed to review all the data. If Campbell had been more careful, he would conclude (as Forensicator did) that there are no signs of tampering. Thus, Forensicator’s conclusions stand – Campbell’s alternative theory has no factual basis.
Continue reading “The Campbell Coincidence”
The Forensicator takes a closer look at Guccifer 2’s HRC_pass.zip file and reaches the surprising conclusion that its source data was likely copied from a thumb drive, at a location somewhere in the US Central Timezone.
Continue reading “Transfer Rate Suggests Guccifer 2 used a Thumb Drive in the US Central Timezone”
Newly discovered evidence suggests that Guccifer 2 deliberately planted Russian (and Romanian) language indications, but mistakenly left his system’s US/UK decimal point style settings in force. This argues against Guccifer 2 being either a native Russian (or a native Romanian).
In a previous report, Guccifer 2’s Russian Breadcrumbs, we analyzed the 40 or so documents that Guccifer 2 modified and posted to his blog. Most of those documents had Russian indications and a few of them had Romanian language settings.
In this article, we make note of an anomaly that challenges those Russian and Romanian attributions. We observe that Guccifer 2 often used a numeric style that is not typically used in Russia or Romania; rather, this numeric style is commonly used in the United States and the UK.
Continue reading “More Evidence that Guccifer 2 Planted His Russian Breadcrumbs”
Many of Guccifer 2’s DNC Email Documents Pre-Date the GRU Indictment
This blog post is a short update to our prior report, Sorting the WikiLeaks DNC Emails. Here, we will review the metadata of seventeen (17) documents that Guccifer 2 posted on June 30, 2016 and July 6, 2016. Those documents can be found as attachments to DNC emails published by WikiLeaks on July 22, 2016 and November 6, 2016.
Continue reading “A Closer Look at Guccifer 2’s DNC Email Attachments”
A new report analyzes the metadata associated with the DNC email collection published by WikiLeaks. The introduction and conclusions from that report are reproduced below. Please refer to the report for technical details and other observations and conclusions not found in this summary.
We review the DNC email collection published by WikiLeaks. We attribute each email to one of ten (10) DNC staffers. This is new research – some journalists and researchers have suggested that the WikiLeaks DNC email collection disclosed the emails of ten staffers, but this report is the first to provide detailed attribution.
We use this attribution of particular emails to DNC staffers to build an email acquisition timeline. The timeline that we develop stands at odds with statements made in the DOJ indictment of twelve (12) Russian intel (GRU) officers. The indictment timeline does not account for over two-thirds of the DNC email collection. We also observe that the indictment implies connections between various facts, but seldom makes specific definitive statements that might be derived from those facts.
For example, the indictment introduces the idea that a “1Gb or so” archive was transmitted from Guccifer 2 to WikiLeaks and gives the impression that this archive might have been the source of the WikiLeaks DNC email publications but never states this as fact. We show that this Zip file is too small to hold the entire DNC email collection, which rules it out as the source of the WikiLeaks DNC emails.
Continue reading “Sorting the WikiLeaks DNC Emails”
In August of last year (2018), Forensicator came under fire for suggesting a sequence of events that might explain a one-hour difference observed between the file timestamps in one archive published by Guccifer 2 and those in another. The report that prompted the controversy was Guccifer 2.0 CF Files Metadata Analysis. The key findings that ignited a dismissive review were (emphasis added):
- The last mod times of all the files in the cf.7z archive fall on even-numbered seconds (multiples of two (2) seconds), indicating that this material was copied to a FAT-formatted media (e.g., a USB thumb drive) before the final cf.7z 7zip file was built from the files on that media.
- The last mod times in the CF files (dated 2016-07-05) appear to be one hour earlier than those recorded in the NGP/VAN files. The Forensicator proposes a scenario where a FAT-formatted media (e.g., USB thumb drive) was written while in a location where Central US time zone settings were in force. This FAT-formatted media was then transported to a location where Eastern US time zone settings were in force. There, the material on the thumb drive was copied to an NTFS-formatted hard drive and the final (cf.7z) 7zip file was built from this copy of the files present on the hard drive. The result of this long chain of events is a series of CF files that appear to be time stamped one hour earlier than those in the NGP/VAN archive.
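The two findings above rest on two properties of FAT metadata: FAT records last-modified times with 2-second resolution, and it stores them as local time rather than UTC, so a file written in one time zone and read in another shifts by the zone difference. The following Python script is an added example (not Forensicator’s code) that applies both checks to constructed archive listings: it measures what fraction of mod times fall on even seconds, and it pairs files by name across two listings to estimate the whole-hour offset between them. The listings, file names and timestamps are invented for illustration and are not the real cf.7z or ngp-van.7z metadata.

```python
from datetime import datetime
from statistics import median

# Constructed sample listings: (path, last-modified time as shown by an
# archive listing). Invented values, not the real Guccifer 2 archive metadata.
# CF_LISTING mimics files that passed through FAT media (even seconds only)
# and sits one hour behind NGPVAN_LISTING, which keeps NTFS-style odd/even seconds.
CF_LISTING = [
    ("reports/q1.xlsx", "2016-07-05 10:13:24"),
    ("reports/q2.xlsx", "2016-07-05 10:13:26"),
    ("memo.docx",       "2016-07-05 10:14:02"),
    ("notes.txt",       "2016-07-05 10:14:08"),
]
NGPVAN_LISTING = [
    ("reports/q1.xlsx", "2016-07-05 11:13:25"),
    ("reports/q2.xlsx", "2016-07-05 11:13:27"),
    ("memo.docx",       "2016-07-05 11:14:01"),
    ("notes.txt",       "2016-07-05 11:14:09"),
]


def parse_ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' listing timestamp into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def even_second_fraction(listing):
    """Fraction of entries whose mod time lands on an even second.

    Files copied onto FAT media lose the odd second (2-second resolution),
    so a FAT-sourced set scores ~1.0; arbitrary NTFS times score ~0.5.
    """
    even = sum(1 for _, ts in listing if parse_ts(ts).second % 2 == 0)
    return even / len(listing)


def looks_fat_copied(listing, threshold=0.95):
    """True when nearly every mod time is even-second aligned.

    With n random timestamps the chance of all-even is 0.5**n, so a
    handful of files is enough to make the pattern significant.
    """
    return even_second_fraction(listing) >= threshold


def infer_offset_hours(listing_a, listing_b, max_residual=2.0):
    """Estimate the whole-hour offset (a minus b) between two listings.

    Files are matched by path; the median difference is rounded to the
    nearest hour. Returns (hours, worst_residual_seconds). A residual
    above max_residual means the shift is not a clean zone offset
    (FAT rounding alone accounts for at most 2 seconds per file).
    """
    by_name = dict(listing_b)
    diffs = [
        (parse_ts(ts_a) - parse_ts(by_name[name])).total_seconds()
        for name, ts_a in listing_a
        if name in by_name
    ]
    if not diffs:
        raise ValueError("no common file paths between listings")
    hours = round(median(diffs) / 3600)
    worst = max(abs(d - hours * 3600) for d in diffs)
    if worst > max_residual:
        raise ValueError(f"per-file residual {worst}s exceeds FAT rounding")
    return hours, worst


if __name__ == "__main__":
    print("CF even-second fraction:", even_second_fraction(CF_LISTING))
    print("NGP/VAN even-second fraction:", even_second_fraction(NGPVAN_LISTING))
    print("CF looks FAT-copied:", looks_fat_copied(CF_LISTING))
    print("CF minus NGP/VAN offset (hours, residual s):",
          infer_offset_hours(CF_LISTING, NGPVAN_LISTING))
```

On the constructed data the CF listing scores 1.0 on the even-second check while the NGP/VAN listing scores 0.0, and the paired offset comes out as one hour behind with at most one second of residual, which is the pattern a FAT-mediated, cross-time-zone copy would leave. On real archives the same test should be run against a listing that reports the stored timestamps in a fixed zone (for example UTC) so that the listing machine’s own zone setting does not add a second shift.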
This finding was controversial at the time, because it advanced the idea that Guccifer 2 (or a member of Guccifer 2’s team) was (physically) operating out of the Central Time Zone (US). Further, it suggested that a USB thumb drive may have been used to effect an “air gap” transfer (a technique used to avoid surveillance and detection).
Based on recent information, the case in favor of Forensicator’s findings has strengthened. We address this new development in this report.
Continue reading “When USB’s Fly: Recent Research Supports Forensicator’s Controversial Theory”
In this post, we announce a new finding that confirms our previous work and is the basis for an update that we recently made to Guccifer 2’s Russian Breadcrumbs. In our original publication of that report, we posited that there were indications of a GMT+4 timezone offset (legacy Moscow DST) in a batch of files that Guccifer 2 posted on July 6, 2016. At the time, we viewed that as a “Russian breadcrumb” that Guccifer 2 intentionally planted.
Now, based on new information, we have revised that conclusion: The timezone offset was in fact GMT-4 (US Eastern DST). Here, we will describe how we arrived at this new, surprising conclusion and relate it to our prior work.
Continue reading “Guccifer 2 Returns to the East Coast”
In a new report, Guccifer 2’s Russian Breadcrumbs, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog. Some new discoveries are made, some revisited. Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia. Except for one head fake, when Guccifer 2 was Romanian for a day.
Continue reading “Guccifer 2’s Russian Breadcrumbs”
Recently, Duncan Campbell published an article in Computer Weekly titled: Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links [archive]. Mr. Campbell casts a wide net, pulling various people into his story of alleged pro-Kremlin conspiracy. In this article, Forensicator will address Campbell’s sensational claims and theories about Forensicator’s identity, alliances, motives, and methods. In short, Forensicator is not a GRU operative, not Adam Carter’s alter ego, and is not a pawn in Guccifer 2’s grand game of chess.
A new metadata analysis has been posted. It is the first in a series of three.
This report investigates in detail various aspects of the first five Word documents (1.doc, 2.doc, … 5.doc) that Guccifer 2 published on his WordPress.com blog site. It was widely reported that the first document, 1.doc, displayed “Russian fingerprints” (Russian error messages written in Cyrillic letters). In this report we describe how those “Russian fingerprints” became embedded inside 1.doc.
The sequence of circumstances that created these “Russian fingerprints” is sufficiently complex and unusual to raise the question: Did Guccifer 2 plant those “Russian fingerprints” intentionally?
Comments will be accepted here for the next couple of weeks. Off-topic or off-color comments will be silently filtered and ignored.