The Campbell Conspiracy

Recently, Duncan Campbell published an article in Computer Weekly titled: Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links [archive]. Mr. Campbell casts a wide net, pulling various people into his story of alleged pro-Kremlin conspiracy. In this article, Forensicator will address Campbell’s sensational claims and theories about Forensicator’s identity, alliances, motives, and methods. In short, Forensicator is not a GRU operative, not Adam Carter’s alter ego, and is not a pawn in Guccifer 2’s grand game of chess.

Continue reading “The Campbell Conspiracy” →

Did Guccifer 2 Plant his Russian Fingerprints?

A new metadata analysis has been posted. It is the first in a series of three.

This report investigates in detail various aspects of the first five Word documents (1.doc, 2.doc, … 5.doc) that Guccifer 2 published on his WordPress.com blog site. It was widely reported that the first document, 1.doc, displayed “Russian fingerprints” (Russian error messages written in Cyrillic letters). In this report we describe how those “Russian fingerprints” became embedded inside 1.doc.

The sequence of circumstances that created these “Russian fingerprints” is sufficiently complex and unusual to raise the question: Did Guccifer 2 plant those “Russian fingerprints” intentionally?

Comments will be accepted here for the next couple of weeks. Off-topic or off-color comments will be silently filtered and ignored.

Guccifer 2’s West Coast Fingerprint

This blog entry is a place holder for reader comments. Please access the main article via this link . Comments will be open for the next couple of weeks. Off topic and off color comments will be silently ignored.

In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written. We also look at the time of day pattern of the “last modified” times for the 25/so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.

Media Mishaps: Early Guccifer 2 Coverage

In this second report of a series of three, we focus on early media coverage that reported on the “Trump opposition report” (1.doc). We show that an additional sequence of circumstances/coincidences was necessary to produce the PDF’s that became the focus of early mainstream and social media coverage.

Wittingly, or not, the media served a critical role in getting the message out that there were “Russian fingerprints” inside the first document that Guccifer 2 disclosed. The media became Guccifer 2’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called “Russian fingerprints”). We elaborate on that claim in this report.

Comments on the main report will be accepted here. Comments will be open for roughly the next two weeks. Off topic and off color comments will be silently filtered and discarded.

Guccifer 2.0 CF Files Metadata Analysis

Stephen McIntyre recently noted some interesting characteristics of a 7zip archive that Guccifer 2 published back in October, 2016. McIntyre refers to the publication of a large collection of documents and data by a persona known as Guccifer 2.0, which was announced on their blog on October 4, 2016.

Building on McIntyre’s work, The Forensicator analyzes metadata for the files in Guccifer 2.0’s “Clinton Foundation” file dump (cf.7z), dated July 5, 2016 – which shared the same date as those in the NGP/VAN files previously analyzed by the Forensicator in Guccifer 2.0 NGP/VAN Metadata Analysis.

The CF file metadata analysis can be found here: Guccifer 2.0 CF Files Metadata Analysis.

Comments on that analysis can be left here; comments will close on October 3.

Corrections and Clarifications

The Forensicator fully supports the work of the VIPS (Veteran Intelligence Professionals for Sanity) and agrees with their overall recommendation that a more thorough investigation of Russian hacking claims is needed. Ideally, this investigation would share more evidence and more convincing evidence than has been provided in previously disclosed US Intelligence reports.

Some reports in the media have been critical of aspects of the VIPS report, and then by implication have transferred their criticisms to the Guccifer 2.0 NGP/VAN Metadata Analysis. In the process, those reporters have demonstrated that they likely did not carefully read the Forensicator’s analysis or were not careful in making attributions.

Continue reading “Corrections and Clarifications” →

Alternative Scenarios

When Forensicator began his review of the metadata in the NGP VAN 7zip file disclosed by Guccifer 2, he had a simple impression of how Guccifer 2 operated, based upon Guccifer 2’s own statements and observations made by a security firm called ThreatConnect. Forensicator viewed Guccifer 2 as a lone wolf hacker who lived somewhere in Eastern Europe or Russia; he used a Russian-aligned VPN service to mask his IP address.

Forensicator’s assumptions regarding Guccifer were not clearly stated, and this led to some confusion and controversy regarding claims in the report related to achievable transfer speeds over the Internet. Further, as the review process proceeded, alternative theories were suggested; they placed additional pressure on the Internet transfer speed claims and raised some additional interesting questions.

This article describes both the evolution of Forensicator’s analysis and two main alternative scenario themes that have emerged during the review process.

Continue reading “Alternative Scenarios” →