Guccifer 2’s West Coast Fingerprint

This blog entry is a place holder for reader comments. Please access the main article via this link . Comments will be open for the next couple of weeks. Off topic and off color comments will be silently ignored.

In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written. We also look at the time of day pattern of the “last modified” times for the 25/so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.

Guccifer 2.0 NGP/VAN Metadata Analysis

A study has been added which analyzes the file metadata in a 7zip archive file, 7dc58-ngp-van.7z, attributed to the Guccifer 2 persona. The analysis is here: Guccifer 2.0 NGP/VAN Metadata Analysis.

Media Mishaps: Early Guccifer 2 Coverage

In this second report of a series of three, we focus on early media coverage that reported on the “Trump opposition report” (1.doc). We show that an additional sequence of circumstances/coincidences was necessary to produce the PDF’s that became the focus of early mainstream and social media coverage.

Wittingly, or not, the media served a critical role in getting the message out that there were “Russian fingerprints” inside the first document that Guccifer 2 disclosed. The media became Guccifer 2’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called “Russian fingerprints”). We elaborate on that claim in this report.

Comments on the main report will be accepted here. Comments will be open for roughly the next two weeks. Off topic and off color comments will be silently filtered and discarded.

Did Guccifer 2 Plant his Russian Fingerprints?

A new metadata analysis has been posted. It is the first in a series of three.

This report investigates in detail various aspects of the first five Word documents (1.doc, 2.doc, … 5.doc) that Guccifer 2 published on his WordPress.com blog site. It was widely reported that the first document, 1.doc, displayed “Russian fingerprints” (Russian error messages written in Cyrillic letters). In this report we describe how those “Russian fingerprints” became embedded inside 1.doc.

The sequence of circumstances that created these “Russian fingerprints” is sufficiently complex and unusual to raise the question: Did Guccifer 2 plant those “Russian fingerprints” intentionally?

Comments will be accepted here for the next couple of weeks. Off-topic or off-color comments will be silently filtered and ignored.

Guccifer 2.0 CF Files Metadata Analysis

Stephen McIntyre recently noted some interesting characteristics of a 7zip archive that Guccifer 2 published back in October, 2016. McIntyre refers to the publication of a large collection of documents and data by a persona known as Guccifer 2.0, which was announced on their blog on October 4, 2016.

Building on McIntyre’s work, The Forensicator analyzes metadata for the files in Guccifer 2.0’s “Clinton Foundation” file dump (cf.7z), dated July 5, 2016 – which shared the same date as those in the NGP/VAN files previously analyzed by the Forensicator in Guccifer 2.0 NGP/VAN Metadata Analysis.

The CF file metadata analysis can be found here: Guccifer 2.0 CF Files Metadata Analysis.

Comments on that analysis can be left here; comments will close on October 3.

Corrections and Clarifications

The Forensicator fully supports the work of the VIPS (Veteran Intelligence Professionals for Sanity) and agrees with their overall recommendation that a more thorough investigation of Russian hacking claims is needed. Ideally, this investigation would share more evidence and more convincing evidence than has been provided in previously disclosed US Intelligence reports.

Some reports in the media have been critical of aspects of the VIPS report, and then by implication have transferred their criticisms to the Guccifer 2.0 NGP/VAN Metadata Analysis. In the process, those reporters have demonstrated that they likely did not carefully read the Forensicator’s analysis or were not careful in making attributions.

Continue reading “Corrections and Clarifications” →

Alternative Scenarios

When Forensicator began his review of the metadata in the NGP VAN 7zip file disclosed by Guccifer 2, he had a simple impression of how Guccifer 2 operated, based upon Guccifer 2’s own statements and observations made by a security firm called ThreatConnect. Forensicator viewed Guccifer 2 as a lone wolf hacker who lived somewhere in Eastern Europe or Russia; he used a Russian-aligned VPN service to mask his IP address.

Forensicator’s assumptions regarding Guccifer were not clearly stated, and this led to some confusion and controversy regarding claims in the report related to achievable transfer speeds over the Internet. Further, as the review process proceeded, alternative theories were suggested; they placed additional pressure on the Internet transfer speed claims and raised some additional interesting questions.

This article describes both the evolution of Forensicator’s analysis and two main alternative scenario themes that have emerged during the review process.

Continue reading “Alternative Scenarios” →

Peak (38 MB/s) Transfer Speed

In response to discussions regarding the max transfer speed of 22.6 MB/s cited in Guccifer 2.0 NGP/VAN Metadata Analysis, the Forensicator went back and took another look at the metadata and found strong evidence of peak transfer rates of approximately 38 MB/s. Although this higher peak transfer speed might not completely refute the counter-claims made by various critics (regarding transfer speeds that can be achieved over the Internet), it certainly raises the bar. Continue reading “Peak (38 MB/s) Transfer Speed” →