Featured Post

Sorting the WikiLeaks DNC Emails

A new report analyzes the metadata associated with the DNC email collection published by WikiLeaks. The introduction and conclusions from that report are summarized below. Please refer to the report for technical details and other observations and conclusions not found in this summary.

We review the DNC email collection published by Wikileaks. We attribute each email to one of ten (10) DNC staffers. This is new research – some journalists and researchers have suggested that the WikiLeaks DNC email collection disclosed the emails of ten staffers, but this report is the first to provide detailed attribution.

We use this attribution of particular emails to DNC staffers to build an email acquisition timeline. The timeline that we develop stands at odds with statements made in the DOJ indictment of twelve (12) Russian intel (GRU) officers. The indictment timeline does not account for over two-thirds of the DNC email collection. We also observe that the indictment implies connections between various facts, but seldom makes specific definitive statements that might be derived from those facts.

For example, the indictment introduces the idea that a “1Gb or so” archive was transmitted from Guccifer 2 to WikiLeaks and gives the impression that this archive might have been the source of the WikiLeaks DNC email publications but never states this as fact. We show that this Zip file is too small to hold the entire DNC email collection, which rules it out as the source of the WikiLeaks DNC emails.

Continue reading →

Featured Post

When USB’s Fly: Recent Research Supports Forensicator’s Controversial Theory

In August of last year (2018), Forensicator came under fire for suggesting a sequence of events that might explain a one hour difference observed between the files in one of the archive files published by Guccifer 2 and another. The report that prompted the controversy was Guccifer 2.0 CF Files Metadata Analysis. The key findings that ignited a dismissive review were (emphasis added):

The last mod times of all the files in the cf.7z archive are all even multiples of two (2) seconds, indicating that this material was copied to a FAT-formatted media (e.g., a USB thumb drive) before the final cf.7z 7zip file was built from the files on that media.
The last mod times in the CF files (dated 2016-07-05) appear to be one hour earlier than those recorded in the NGP/VAN files. The Forensicator proposes a scenario where a FAT-formatted media (e.g., USB thumb drive) was written while in a location where Central US time zone settings were in force. This FAT-formatted media was then transported to a location where Eastern US time zone settings were in force. There, the material on the thumb drive was copied to an NTFS-formatted hard drive and the final (cf.7z) 7zip file was built from this copy of the files present on the hard drive. The result of this long chain of events is a series of CF files that appear to be time stamped one hour earlier than those in the NGP/VAN archive.

This finding was controversial at the time, because it advanced the idea that Guccifer 2 (or a member of Guccifer 2’s team) was (physically) operating out of the Central Time Zone (US). Further, it suggested that a USB thumb drive may have been used to effect an “air gap” transfer (a technique used to avoid surveillance and detection).

Based on recent information, the case in favor of Forensicator’s findings has strengthened. We address this new development in this report.

Continue reading →

Featured Post

Guccifer 2 Returns to the East Coast

In this post, we announce a new finding that confirms our previous work and is the basis for an update that we recently made to Guccifer 2’s Russian Breadcrumbs. In our original publication of that report, we posited that there were indications of a GMT+4 timezone offset (legacy Moscow DST) in a batch of files that Guccifer 2 posted on July 6, 2016. At the time, we viewed that as a “Russian breadcrumb” that Guccifer 2 intentionally planted.

Now, based on new information, we have revised that conclusion: The timezone offset was in fact GMT-4 (US Eastern DST). Here, we will describe how we arrived at this new, surprising conclusion and relate it to our prior work.

Continue reading →

Featured Post

Guccifer 2’s Russian Breadcrumbs

In a new report Guccifer 2’s Russian Breadcrumbs, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog. Some new discoveries are made, some revisited. Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia. Except for one head fake, when Guccifer 2 was Romanian for a day.

Continue reading →

Featured Post

The Campbell Conspiracy

Recently, Duncan Campbell published an article in Computer Weekly titled: Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links [archive]. Mr. Campbell casts a wide net, pulling various people into his story of alleged pro-Kremlin conspiracy. In this article, Forensicator will address Campbell’s sensational claims and theories about Forensicator’s identity, alliances, motives, and methods. In short, Forensicator is not a GRU operative, not Adam Carter’s alter ego, and is not a pawn in Guccifer 2’s grand game of chess.

Continue reading “The Campbell Conspiracy” →

Featured Post

Did Guccifer 2 Plant his Russian Fingerprints?

A new metadata analysis has been posted. It is the first in a series of three.

This report investigates in detail various aspects of the first five Word documents (1.doc, 2.doc, … 5.doc) that Guccifer 2 published on his WordPress.com blog site. It was widely reported that the first document, 1.doc, displayed “Russian fingerprints” (Russian error messages written in Cyrillic letters). In this report we describe how those “Russian fingerprints” became embedded inside 1.doc.

The sequence of circumstances that created these “Russian fingerprints” is sufficiently complex and unusual to raise the question: Did Guccifer 2 plant those “Russian fingerprints” intentionally?

Comments will be accepted here for the next couple of weeks. Off-topic or off-color comments will be silently filtered and ignored.

Guccifer 2’s West Coast Fingerprint

This blog entry is a place holder for reader comments. Please access the main article via this link . Comments will be open for the next couple of weeks. Off topic and off color comments will be silently ignored.

In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written. We also look at the time of day pattern of the “last modified” times for the 25/so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.

Media Mishaps: Early Guccifer 2 Coverage

In this second report of a series of three, we focus on early media coverage that reported on the “Trump opposition report” (1.doc). We show that an additional sequence of circumstances/coincidences was necessary to produce the PDF’s that became the focus of early mainstream and social media coverage.

Wittingly, or not, the media served a critical role in getting the message out that there were “Russian fingerprints” inside the first document that Guccifer 2 disclosed. The media became Guccifer 2’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called “Russian fingerprints”). We elaborate on that claim in this report.

Comments on the main report will be accepted here. Comments will be open for roughly the next two weeks. Off topic and off color comments will be silently filtered and discarded.