Guccifer 2 Returns to the East Coast

In this post, we announce a new finding that confirms our previous work and is the basis for an update that we recently made to Guccifer 2’s Russian Breadcrumbs.  In our original publication of that report, we posited that there were indications of a GMT+4 timezone offset (legacy Moscow DST) in a batch of files that Guccifer 2 posted on July 6, 2016.  At the time, we viewed that as a “Russian breadcrumb” that Guccifer 2 intentionally planted.

Now, based on new information, we have revised that conclusion: The timezone offset was in fact GMT-4 (US Eastern DST).  Here, we will describe how we arrived at this new, surprising conclusion and relate it to our prior work.

Continue reading “Guccifer 2 Returns to the East Coast” →

Advertisements

Guccifer 2’s Russian Breadcrumbs

In a new report Guccifer 2’s Russian Breadcrumbs, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog.  Some new discoveries are made, some revisited.  Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia.  Except for one head fake, when Guccifer 2 was Romanian for a day.

Continue reading “Guccifer 2’s Russian Breadcrumbs” →

The Campbell Conspiracy

Recently, Duncan Campbell published an article in Computer Weekly titled: Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links [archive].  Mr. Campbell casts a wide net, pulling various people into his story of alleged pro-Kremlin conspiracy.  In this article, Forensicator will address Campbell’s sensational claims and theories about Forensicator’s identity, alliances, motives, and methods.  In short, Forensicator is not a GRU operative, not Adam Carter’s alter ego, and is not a pawn in Guccifer 2’s grand game of chess.

Continue reading “The Campbell Conspiracy” →

Did Guccifer 2 Plant his Russian Fingerprints?

A new metadata analysis has been posted.  It is the first in a series of three.

This report investigates in detail various aspects of the first five Word documents (1.doc, 2.doc, … 5.doc) that Guccifer 2 published on his WordPress.com blog site.  It was widely reported that the first document, 1.doc, displayed “Russian fingerprints” (Russian error messages written in Cyrillic letters).  In this report we describe how those “Russian fingerprints” became embedded inside 1.doc.

The sequence of circumstances that created these “Russian fingerprints” is sufficiently complex and unusual to raise the question:  Did Guccifer 2 plant those “Russian fingerprints” intentionally?

Comments will be accepted here for the next couple of weeks.  Off-topic or off-color comments will be silently filtered and ignored.

Guccifer 2’s West Coast Fingerprint

This blog entry is a place holder for reader comments.  Please access the main article via this link .  Comments will be open for the next couple of weeks.  Off topic and off color comments will be silently ignored.

In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written.  We also look at the time of day pattern of the “last modified” times for the 25/so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled.  From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.

 

Media Mishaps: Early Guccifer 2 Coverage

In this second report of a series of three, we focus on early media coverage that reported on the “Trump opposition report” (1.doc).  We show that an additional sequence of circumstances/coincidences was necessary to produce the PDF’s that became the focus of early mainstream and social media coverage.

Wittingly, or not, the media served a critical role in getting the message out that there were “Russian fingerprints” inside the first document that Guccifer 2 disclosed.   The media became Guccifer 2’s assistant by  completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called “Russian fingerprints”). We elaborate on that claim in this report.

Comments on the main report will be accepted here.  Comments will be open for roughly the next two weeks.  Off topic and off color comments will be silently filtered and discarded.

Guccifer 2.0 CF Files Metadata Analysis

Stephen McIntyre recently noted some interesting characteristics of a 7zip archive that Guccifer 2 published back in October, 2016.  McIntyre refers to the publication of a large collection of documents and data by a persona known as Guccifer 2.0, which was announced on their blog on October 4, 2016.

Building on McIntyre’s work, The Forensicator analyzes metadata for the files in Guccifer 2.0’s “Clinton Foundation” file dump (cf.7z), dated July 5, 2016 – which shared the same date as those in the NGP/VAN files previously analyzed by the Forensicator in Guccifer 2.0 NGP/VAN Metadata Analysis.

The CF file metadata analysis can be found here: Guccifer 2.0 CF Files Metadata Analysis.

Comments on that analysis can be left here; comments will close on October 3.