In this post, we announce a new finding that confirms our previous work and is the basis for an update that we recently made to Guccifer 2’s Russian Breadcrumbs. In our original publication of that report, we posited that there were indications of a GMT+4 timezone offset (legacy Moscow DST) in a batch of files that Guccifer 2 posted on July 6, 2016. At the time, we viewed that as a “Russian breadcrumb” that Guccifer 2 intentionally planted.
Now, based on new information, we have revised that conclusion: The timezone offset was in fact GMT-4 (US Eastern DST). Here, we will describe how we arrived at this new, surprising conclusion and relate it to our prior work.
We mistakenly interpreted the last modified time, which LibreOffice wrote as “2015-08-25T23:07:00Z”, as a GMT time value. Typically, the trailing “Z” means “Zulu Time”, but in this case, LibreOffice incorrectly added the “Z”. McIntyre’s tests confirm that LibreOffice records the “last modified” time as local time (not GMT). The following section describes the method that we used to determine the timezone offset in force when the document was saved.
LibreOffice Leaks the Time Zone Offset in Force when a Document was Last Written
Modern Microsoft Office documents are generally a collection of XML files and image files. This collection of files is packaged as a Zip file. LibreOffice can save documents in a Microsoft Office compatible format, but its file format differs in two important details: (1) the GMT time that the file was saved is recorded in the Zip file components that make up the final document and (2) the document internal last saved time is recorded as local time (unlike Microsoft Word, which records it as a GMT [UTC] value).
If we open up a document saved by Microsoft Office using the modern Office file format (.docx or .xlsx) as a Zip file, we see something like the following.
LibreOffice, as shown below, will record the GMT time that the document components were saved. This time will display as the same value independent of the time zone in force when the Zip file metadata is viewed.
For documents saved by LibreOffice we can compare the local “last saved” time recorded in the document’s properties with the GMT time value recorded inside the document (when viewed as a Zip file). We demonstrate this derivation using the file named potus-briefing-05-18-16_as-edits.docx that Guccifer 2 changed using LibreOffice and then uploaded to his blog site on July 6, 2016 (along with several other files).
Above, we calculate that a time zone offset of GMT-4 (EDT) was in force by subtracting the last saved time expressed in GMT (2016-07-06 17:10:58) from the last saved time expressed as local time (2016-07-06 13:10:57).
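The same subtraction as an added example (not the tooling used for this report): it reads the document-internal last-saved time and the Zip member timestamp from one archive and returns the offset in hours. The sample archive is constructed in memory from the two timestamps quoted above; reading the last-saved time from `dcterms:modified` in `docProps/core.xml` is an assumption about which property the comparison uses, and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

CORE = "docProps/core.xml"  # OOXML core-properties part (assumed source of "last saved")
DCTERMS_MODIFIED = "{http://purl.org/dc/terms/}modified"

def build_sample_docx(local_modified, zip_gmt):
    """Constructed stand-in for a LibreOffice-saved .docx: a single Zip member."""
    xml = (
        '<cp:coreProperties'
        ' xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
        ' xmlns:dcterms="http://purl.org/dc/terms/">'
        f'<dcterms:modified>{local_modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The Zip member timestamp plays the role of the GMT save time.
        zf.writestr(zipfile.ZipInfo(CORE, date_time=zip_gmt), xml)
    return buf.getvalue()

def derive_offset_hours(docx_bytes):
    """Return (document-internal last-saved time) minus (Zip member time), in hours."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        info = zf.getinfo(CORE)
        root = ET.fromstring(zf.read(info))
    node = root.find(DCTERMS_MODIFIED)
    if node is None or not node.text:
        raise ValueError("no dcterms:modified element in core properties")
    # Per the post, the trailing "Z" is misleading: the value is local time,
    # so it is parsed as a naive timestamp rather than as UTC.
    local = datetime.strptime(node.text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    gmt = datetime(*info.date_time)
    # Zip's MS-DOS timestamp field has 2-second resolution, so round to the
    # nearest quarter hour instead of expecting an exact match.
    quarters = round((local - gmt).total_seconds() / 900)
    return quarters / 4

if __name__ == "__main__":
    sample = build_sample_docx("2016-07-06T13:10:57Z", (2016, 7, 6, 17, 10, 58))
    print(f"offset: GMT{derive_offset_hours(sample):+g}")
```

The result is only meaningful for archives whose Zip member times are GMT save times, which is the LibreOffice behaviour described above.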
We’ve Been Here Before
The Eastern timezone setting found in Guccifer 2’s documents published on July 6, 2016 is significant, because as we showed in Guccifer 2.0 NGP/Van Metadata Analysis, Guccifer 2 was likely on the East Coast the previous day, when he collected the DNC-related files found in the ngpvan.7z Zip file. Also, recall that Guccifer 2 was likely on the East Coast a couple of months later on September 1, 2016 when he built the final ngpvan.7z file.
We believe that in all three cases Guccifer 2 was unlikely to anticipate that this Eastern timezone setting could be derived from the metadata of the documents that he published. However, one vocal critic with significant media reach objected to our East Coast finding as it related to our analysis of the ngpvan.7z file. This critic concluded instead that Guccifer 2 deliberately planted that clue to implicate a DNC worker who would die under suspicious circumstances a few days later on July 10, 2016.
Further, this critic accused the Forensicator (and Adam Carter) of using this finding to amplify the impact of Forensicator’s report in an effort to spread disinformation. He implied that Forensicator’s report was supplied by Russian operatives via a so-called “tip-off file.” The Forensicator addresses those baseless criticisms and accusations in The Campbell Conspiracy.
Now, we have this additional East Coast indication, which appears just one day after the ngpvan.7z files were collected. This new East Coast indication is found in a completely different group of files that Guccifer 2 published on his blog site. Further, this East Coast finding has its own unique and equally unlikely method of derivation.
If we apply our critic’s logic, what do we now conclude? That Guccifer 2 also deliberately planted this new East Coast indication? To what end?
We wonder: Will this new evidence compel our outspoken critic to retract his unsubstantiated claims and accusations?