Guccifer 2’s Russian Breadcrumbs

Guccifer 2’s Russian Breadcrumbs

In this report, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog.  Some new discoveries are made, some revisited.  Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia.  Except for one head fake, when Guccifer 2 was Romanian for a day.

Introduction

This report builds on two previous articles: Did Guccifer 2 Plant his Russian Fingerprints? and Media Mishaps: Early Guccifer 2 Coverage.  In those reports we analyze Guccifer 2’s first batch of documents that were published on his WordPress blog.  We demonstrate that Guccifer 2 likely planted his “Russian fingerprints” into those documents.  Those “Russian fingerprints” were widely covered by mainstream media and provided circumstantial support for the idea that Guccifer 2 was in fact a Russian operative (or a team of operatives), in spite of his rather clumsy attempts to cover his tracks.

We introduce our conclusions and results first.  Following that material is the detailed analysis that provides the factual basis for the conclusions.  Those details may be primarily of interest to other researchers and to those who are more technically inclined.

The Guccifer 2 Narrative

In this report, we take the position that most of Guccifer 2’s metadata modifications were deliberate.  Our position is at odds with mainstream media’s recital of events.

The MSM narrative, as best we understand it, is that Guccifer 2 initially slipped up — disclosing documents that were last saved using a user id written in Cyrillic; that user id made reference to a famous Russian spy chief.

Further, Guccifer 2’s first document, which he shared with two media outlets had Russian error messages embedded in the PDF’s that those media outlets published.  These error messages became known as Guccifer 2’s “Russian fingerprints”, presumably left behind by accident.  In Did Guccifer 2 Plant his Russian Fingerprints? we demonstrate that the process which Guccifer 2 likely used to plant those Russian error message was complex and deliberate.

An important point to make here is that Guccifer 2 modified 36 documents, published in several batches, and several of the batches have metadata that can be linked to Russia.  Guccifer 2 often made minimal changes to a document apparently with no rhyme or reason; yet, Russian indications were often the only tangible result that those changes had in common.  Guccifer 2 explained away his document tweaks as simply a result of his desire to plant his hacker “water mark” (signature).  The media accepted this explanation and viewed it as a clumsy (and obvious) effort to cover his initial (alleged) mistakes.  We have a different opinion.  We think that Guccifer 2’s main intent was to implant metadata that implicates Russia.

A point that is often lost in the flurry of details swirling around Guccifer 2 is that a metadata change will only “stick” if something in the document is modified and then that document is saved.  This fact explains Guccifer 2’s tendency to make minimal changes to the documents that he tweaked.  For the documents that we can compare to attachments in Wikileaks emails, we see that Guccifer 2 often just added some white space, modified a header/footer, and so on.  In a typical scenario, these small changes were enough to convince the application (e.g., Microsoft Word) to record the “last saved by” user id (Guccifer 2’s “water mark”) and to record the current language setting in each modified document’s metadata.  Although the media outlets focused on Guccifer 2’s quirky user id’s, we think that the real goal was to plant more meaningful metadata.

Is Guccifer 2 Clumsy or Cunning?

In an article that came out in Motherboard (on June 16, 2016) a day after Guccifer 2 first appeared, ‘Guccifer 2.0’ Is Likely a Russian Government Attempt to Cover Up Its Own Hack [archive], Lorenzo Franceschi-Bicchierai (@lorenzofb) summarizes the circumstantial evidence that linked Guccifer 2 to Russia and Russia to the Trump campaign.  Motherboard will later interview Guccifer 2 and continue to cover his activities extensively.

The Motherboard article raises the question that we keep banging into as we analyze Guccifer 2’s long trail of breadcrumbs (emphasis added).

Could all these breadcrumbs have been left on purpose? Of course, but then the explanation would be that someone has done an awful lot of work to leave evidence pointing to Russia in a blog post where he or she was claiming to have nothing to do with Russia.

As we have shown in our previous reports (and this one), Guccifer 2 did indeed make a concerted effort to strew breadcrumbs that linked his activities to Russia.  In fact, the clues listed in the Motherboard article will prove to be just the tip of the iceberg.

Yet, in just one day, on the basis of flimsy evidence (such as Guccifer 2’s use of a “Russian smiley” in his blog post), the media was quick to conclude that Guccifer 2 was a team of Russian spies.

“Given the evidence in the docs only, it’s a weak attribution to a group in Russia,” Pwn All The Things [Matt Tait] told Motherboard in an online chat. “Given the evidence combined with everything else, I think it’s a strong attribution to one of the Russian intelligence agencies.”

New Metadata Discoveries

Based on our recent research, we have made some new discoveries that have so far gone unreported by the mainstream media and by the various computer security pundits who reported on aspects of Guccifer 2’s activities.

In the modern Microsoft Word format (.docx) documents that Guccifer 2 modified, we noticed the presence a themeFontLang property that can be found in the document’s word/settings.xml component.  This themeFontLang property tells us the language settings that were in force when the document was saved.  From this value, we found indications of both Russian and Romanian language settings.  Note: the Romanian language settings are relevant because Guccifer 2 initially claimed to be a Romanian hacker.

The language settings that were in force when Microsoft Excel spreadsheets (both the legacy .xls and modern .xlsx formats) were saved can be determined from the HeadingPairs property.  That property is found in the docProps/app.xml component of modern (.xlsx) spreadsheets.  We discovered the presence of Russian language settings in several of the spreadsheets that Guccifer 2 modified.

Guccifer 2 used LibreOffice to modify and save a batch of documents published on July 6, 2016.  LibreOffice surprisingly discloses the timezone offset in force when documents were saved.  All the documents in this batch indicate that a GMT-4 timezone offset (US EDT) was in force when the documents were saved.

Guccifer 2 generally modified modern (.docx and .xlsx) Office documents and posted those to his blog.  He also modified and published one legacy (.xls) spreadsheet and one legacy (.doc) Word document.  Legacy Office documents record the version of Windows that was installed when the documents were saved.  We use this information to determine that Windows 8 was installed on one system used by Guccifer 2 and Windows 7 was installed on the other.

In one of his last blog posts, on October 18, 2016, Guccifer 2 published three screenshots of emails (that appear to be linked to the DNC).  A close reading of the header information in those screenshots indicates that they were viewed (by Guccifer 2) on a system with a GMT+3 timezone offset setting.  Moscow, Ukraine, and Central Europe would have all used a GMT+3 timezone offset during the summer of 2016.

In Guccifer 2’s West Coast Fingerprint, we analyzed a “track changes” entry that Guccifer made in a Word document published in his second batch of documents on June 18, 2016.  Our analysis led to the rather surprising conclusion that the file had been modified and then saved on a system that had GMT-7 time settings in force.  During the summer of 2016, a GMT-7 timezone offset applied to all areas using Pacific Daylight Saving Time (PDT).

While researching this report, we discovered another file modified by Guccifer 2 that has a “track changes” entry with the same GMT-7 indication.  That file was found in a different batch of files published on June 30, 2016.

When we first saw only a single file with this GMT-7 indication we wondered if this might be the result of a mistake or oversight made by Guccifer 2?  Now that we have discovered two files with this PDT indication, each uploaded on a different date, we decided to dig a little deeper.  We discuss some possible explanations in a following section.

Guccifer 2’s Metadata Mosaic

The following table summarizes all the metadata indications that we have found (to date) in the 36 files that Guccifer tweaked.  Times shown are in GMT.  The email screenshots (.png files) reflect the time that they were uploaded to Guccifer 2’s blog.

Above, we see five (5) batches of documents that Guccifer 2 either modified (Word documents and spreadsheets) or created (email screen shots).  The “RU” entries that are in light red and the timezone offsets of GMT+3 and GMT+4 in bright red can be clearly identified as indications of possible Russian origin.

The GMT-4 (US EDT) timezone offset is found in a batch of documents that were edited with LibreOffice that were published on July 6, 2016.  Originally, our research indicated that those documents were written on a system with a GMT+4 timezone offset setting, but our interpretation was in error. We failed to notice that LibreOffice misreports the last saved time as GMT time, when in fact it is local time.  A fellow researcher, Stephen McIntyre spotted the error and we have updated this report accordingly.  We discuss the implications of this EDT finding in a following section.

The batch of Word files dated June 30, 2016 all have Romanian (“RO”) language settings (in light orange).  This has gone unnoticed in mainstream reporting.  Recently, an anonymous blogger (Winston Smith) noticed this setting, but not in the broader context shown above.  We discuss Smith’s findings in a following section.

The entries marked “EN” (in light blue) indicate English language settings.  There are some entries for spreadsheets (.xlsx) that have English language indications, yet other spreadsheets have Russian indications.  The batch of files dated July 6, 2016 are a special case; they were all written with LibreOffice. The version of LibreOffice that Guccifer 2 used indicates that it may have been installed recently and there may have been unnoticed installation issues, where the chosen language defaulted to US English.  The combination of English language settings and a timezone offset of GMT-4 is surprising given the overall metadata picture.

Below, is an overview graphic with some of the detail above left out.

At first, this looks like a mixed picture.  However, if we view the light red, dark red blocks as being indicative of Russian origin then there were Russian attributions in several batches of files that Guccifer 2 published.  Mainstream media focused on the first batch (notably the “Russian fingerprints” in the Trump opposition report).  Media noticed Guccifer 2’s use of additional “watermarks” (unusual user names), but this was generally explained as a cover used to obscure Guccifer 2’s original choice of the very Russian “Феликс Эдмундович” (Felix Edmundovich) reference.

We explain in a later section that there is a scenario where the GMT-7 timezone offsets can be viewed as indications of Russian origin.  That scenario is based on the assumption that Guccifer 2 made a particular mistake when saving those files.

In subsequent sections, we will also discuss some of the anomalous results.

Guccifer 2 Returns to the East Coast

The Eastern timezone setting found in Guccifer 2’s documents published on July 6, 2016 is significant, because as we showed in Guccifer 2.0 NGP/Van Metadata Analysis, Guccifer 2 was likely on the East Coast the previous day, when he collected the DNC-related files that ended up in the ngpvan.7z Zip file.  Also, recall that Guccifer 2 was likely on the East Coast a couple of months later on September 1, 2016 when he built the final ngpvan.7z file.

We believe that in both cases Guccifer 2 was unlikely to anticipate that this Eastern timezone setting could be derived from the metadata of the documents that he published.  However, one vocal critic with significant media reach objected to our East Coast finding as it related to our analysis of the ngpvan.7z file.  This critic concluded instead that Guccifer 2 deliberately planted that clue to implicate a DNC worker who would die under suspicious circumstances a few days later on July 10, 2016.

Further, this critic accused the Forensicator (and Adam Carter) of using this finding to amplify the impact of Forensicator’s report in an effort to spread disinformation.  This same critic implied that Forensicator’s report was supplied by Russian operatives via a so-called “tip-off file.”  The Forensicator addresses those baseless criticisms and accusations in The Campbell Conspiracy.

Now, we have this additional East Coast indication, which appears just one day after the ngpvan.7z files were collected (which we conclude were likely collected on the East Coast).  This new East Coast indication is found in a completely different group of files that Guccifer 2 published on his blog site.  Further, this East Coast finding has its own unique and equally unlikely method of derivation.

If we apply our critic’s logic, what do we now conclude?  That Guccifer 2 also deliberately planted this new East Coast indication?  To what end?

We wonder: Will this new evidence compel our out-spoken critic to retract his unsubstantiated claims and accusations?

That (Other) Day Guccifer 2 was Romanian

Guccifer 2 appeared (on June 15, 2016) one day after the DNC alleged that it had been hacked by Russians.  Guccifer 2 pre-released his first leaked document (the “Trump opposition report”) to Gawker and The Smoking Gun); both outlets published that document in PDF form.  The following day (June 16, 2016), Ars Technica spotted error messages in TSG‘s PDF, written in Cyrillic.  These became known as Guccifer 2’s “Russian fingerprints”.  Those early Word documents published by Guccifer 2 also had a “last saved as” user id written in Cyrillic; his Anglicized name was “Felix Edmundovich“, aka “Iron Felix” (the infamous director of an early Soviet spy agency).  From these observations, the media [archive] was quick to assert that Guccifer 2 was likely a Russian operative.

A week later (circa June 21, 2016), Guccifer granted an interview [archive] with Motherboard (via Twitter DM).  Motherboard published the transcript [archive].  During the interview, Motherboard interjected a native Romanian speaker to put to test Guccifer 2’s assertion that he is a Romanian hacker.  After the interview, Motherboard queried some experts and reached the conclusion that Guccifer 2 was most likely a native Russian speaker.  Other experts were less certain.  No one asked why Guccifer 2 agreed to an interview where he might be put on the spot like this.

The metadata analysis presented in this report shows that nine days after that interview (on June 30, 2016), Guccifer 2 published a batch of documents with Romanian language settings. This was apparently missed by the media and various security experts.

If we follow the media narrative, then Guccifer 2’s Romanian language settings might be viewed as Guccifer 2’s belated attempt to re-assert his Romanian heritage.  Otherwise, are we to assume that there was a (rather careless) Romanian member of Guccifer 2’s team?  This Romanian indication is an outlier; several of Guccifer 2’s following blog posts showed Russian indications in one form/other.

Guccifer 2 Modified 36 Documents out of the 175 Total that were Uploaded to his Blog

Although the mainstream press focused on the early documents that Guccifer 2 published, where it was shown that he modified various metadata, little analysis was done on the full chronology of the documents that Guccifer 2 published.  This section focuses only on the documents that Guccifer 2 published on his WordPress blog, during the time period from June 15, 2016 through October 4, 2016.  This report does not address claims that Guccifer 2 may have had a hand in transmitting email collections to Wikileaks.  Also not covered are the various large zip files that Guccifer 2 published.  We looked at two of those in Guccifer 2.0 NGP/VAN Metadata Analysis and Guccifer 2.0 CF Files Metadata Analysis.

In total, Guccifer 2 published 175 documents as shown in the chart below.  Largely unnoticed by the media and unexplained, Guccifer 2 did not publish any documents during the one month period between 2016-07-14 and 2016-08-12. An analysis of the metadata indicates that Guccifer 2 made trivial modifications to 36 of those documents.  A timeline illustrating the mix between modified and unmodified documents is shown below.

g2-mod-vs-unmod-doc-counts

All the documents in Guccifer 2’s first post on June 15, 2016 were modified by Guccifer 2.  Over the course of the next month, Guccifer 2 posted more modified documents, but on some days no modified documents were posted.  Guccifer 2 did not post any modified documents after August 12, 2016.

Guccifer 2 Last Saved Times Suggest a Link to Moscow Office Hours

When we translate the “last saved” times for the documents that Guccifer 2 modified into Moscow time, we see an unambiguous relationship to Russian working hours.

Given Guccifer 2’s demonstrated understanding and ability to manipulate metadata, it is surprising that Guccifer 2 left such an obvious clue that leads to Russia — unless that was his intent.  Guccifer 2’s working hours become another Russian “breadcrumb”.

If We Account for a Bug in Microsoft Word and in LibreOffice, Guccifer 2 no Longer Works During Moscow Office Hours

We explain elsewhere that our GMT-7 (PDT) and GMT-4 (EDT) findings result from bugs (or shortcomings) found in Microsoft Word and LibreOffice.  For both the Microsoft Word “track changes” entries and the LibreOffice last saved times, they have the appearance of being based on GMT , but in fact they are local (wall clock) times.

If we use those apparent local times as the times when time of day when Guccifer 2 was working, we arrive at a much different result than we showed in the previous section (see below).

We think that Guccifer 2 was unaware of the details regarding the way that Microsoft records “track changes” times and the way that LibreOffice records a document’s last saved time.  We think that Guccifer 2’s plan was to show convincingly that he worked during Moscow office hours.  Yet, when we account for those applications’ actual behavior, Guccifer 2’s Moscow office hours facade falls apart.

Tweak by Day, Tweet by Night

When we incorporate Guccifer 2’s other activities (Twitter and WordPress blog uploads) we see a different picture.

We can see from the above chart that Guccifer 2’s blog posting and Twitter activity generally track together – both are centered in the Central Timezone (US).  The document modifications (tweaks) are centered in the timezone occupied by Western Russia (Moscow), Ukraine, and Central Europe (during the summer months).  This creates a gap of about eight (8) hours, which is theoretically enough time for Guccifer 2 to rest up after changing his documents, so that he can publish them several hours or a day/so later.  It is quite possible that the social media aspects of Guccifer 2’s operation were handled by another individual or team.

We caution the reader that although the WordPress and Twitter times can be considered to be reliable and non-falsifiable, we cannot say the same thing about Guccifer 2’s last saved times.  Guccifer 2 could have easily manipulated the last saved time by changing the system’s timezone and time of day settings.

As we discussed in the previous section, we think that Guccifer 2 did attempt to manipulate document metadata to demonstrate that the documents were saved during Moscow office hours.  However, we demonstrate that unexpected word processing application behavior provides evidence that he likely was not physically working during Moscow office hours.

Guccifer 2’s “Missing Page” has his Last Tweaked Document

On August 12, 2016 Guccifer posted a series of documents, sourced to the DCCC.  Some of these documents included passwords and donor contact information.  A few days later, The Smoking Gun reported on this.  Following complaints, WordPress withdrew the page content (as reported by The Hill).

g2-missing-page-20160812-the-hill

Guccifer 2 also posted his last tweaked document on this date: August 12, 2016.  Unlike previous documents that Guccifer 2 had changed, this document was saved with Word 2010 (rather than Word 2007).  We don’t know if that has any significance, but simply note it here.

Guccifer 2’s Posting Frequency and his One Month Hiatus

The following table shows Guccifer 2’document posting frequency.

g2-total-doc-table

Here is the same data in chart form, showing the cumulative document count.

g2-total-doc-chart

This chart highlights the approximate one month period between July 14, 2016 and August 12, 2016 where Guccifer did not publish any documents on his blog.  This hiatus was generally not mentioned by any media outlets at the time and to date no explanation has surfaced.  It is noted here simply for consideration.

From the chart above, we can see that Guccifer 2 posted regularly and rather frequently (except for the one month time gap).  The volume of documents posted in the first month is roughly equal to the number of documents posted in the last two months.

Partially Sourcing Guccifer 2’s Documents

The chart below matches up the documents that Guccifer 2 uploaded to his blog with various sources.

g2-matched-doc-sources

Above, we can see that early on Guccifer posted documents attributed to the Podesta email collection later published by Wikileaks (beginning October 7, 2016). “HRC_zip” is a Zip file that Guccifer 2 published on June 21, 2016; many of the documents in that Zip file can be attributed to the DNC, but are not found as attachments in the Wikileaks DNC email archive.  On June 30, 2016 and July 6, 2016 Guccifer 2 posted documents that can be found as attachments in the Wikileaks DNC email archive (which were published a few weeks later on July 22, 2016).  On October 4, 2016 Guccifer 2 published a large Zip file called cf.7z; we analyzed that Zip file in Guccifer 2.0 CF Files Metadata Analysis.  Guccifer 2’s blog post was titled “Guccifer 2.0 Hacked Clinton Foundation”, but in fact many of the documents in the cf.7z archive can be sourced to the DCCC (not the Clinton Foundation).

Below, is a different presentation of the timeline, focusing on DNC and DCCC sources.

g2-doc-attrib-timeline

Below, a pie chart with the same data.

g2-doc-attrib-pie

The attribution process used above was heuristic, using metadata fields that included company name, author, and last saved user name.

We see that Guccifer 2 posted many documents (almost half) that can be sourced to the DCCC  There are some documents that can be sourced to the DNC but do not appear in the Wikileaks DNC email collection, or the Podesta email collection.

Guccifer 2 Discloses Podesta and DNC email Attachments before WikiLeaks Publishes Them

From the data disclosed in the previous section, we conclude that Guccifer 2 published documents that can be found in the Wikileaks DNC emails and Podesta emails before their publication by Wikileaks.  This has led some observers to conclude that Guccifer 2 was the likely source of the Wikileaks DNC and Podesta email dumps.  Although Guccifer 2 alluded to this, that conclusion is speculative.  One question worth asking is why would Guccifer 2 pre-publish documents that will subsequently be disclosed by Wikileaks?  Further, what was Guccifer 2’s motivation for modifying the metadata in some of the documents that will subsequently be found in Wikileaks?

Did DCLeaks Disclose some Podesta Email Attachments Before WikiLeaks Published Them?

UPDATE (2018-11-29): Stephen McIntyre updated his Twitter thread cited below.  We have incorporated his additional feedback.  Based on McIntyre’s follow up, we have come around to his view and have updated this section accordingly.

Although Guccifer 2’s blog site and social media interactions have been the focus of most media reporting, another document sharing site preceded Guccifer 2: DCLeaks [web archive].  On June 8 (one week prior to Guccifer 2’s debut), DCLeaks published several archives, one of which was entitled “HILLARY CLINTON ELECTION STAFF CLIPS”.  Stephen McIntyre (@ClimateAudit) reviewed that document dump (July 24, 2018) in a long Twitter thread [archive].  McIntyre is likely the first analyst to show a possible relationship between a DCLeaks disclosure and a subsequent Wikileaks dump of Podesta’s emails.

mcintyre-dcleaks-1

Adam Carter (@with_integrity) followed up on McIntyre’s research and reported on it in Correlation Complications: New Discovery Suggests/Strengthens Overlaps Of DCLeaks And WikiLeaks Publications.  As further background on DCLeaks refer to another article penned by Carter, The Man Who Cried Volf

McIntyre’s findings are listed verbatim below.

  1. On June 12, 2016, @JulianAssange announced “upcoming leaks in relation to Hillary Clinton … We have emails pending publication”. This announcement is believed by many to have precipitated DNC’s announcement of hack (via WaPo and Crowdstrike)
  2. However, there was [a] relevant incident on June 8, thus far unnoticed in this respect. On June 8, DCLeaks published web.archive.org/web/2016061314… several archives, one of which was entitled “HILLARY CLINTON ELECTION STAFF CLIPS”.
  3. The Hillary Clips dossier published on June 8, 2016 at DCLeaks consisted of 72 documents with nomenclature like 20150127 HRC Clips.docx, …etc
  4. ALL 72 documents had been attachments to Podesta emails (published in October 2016 by WikiLeaks ), a connection which (to my knowledge tho somebody might have) has not been reported.
  5. The distribution lists on emails were senior insiders of Hillary campaign: from Nick Merrill to Podesta, Mook, Huma, Cheryl Mills etc, rather than DNC finance officials of the DNC hack archive.
  6. So Hillary campaign officials knew or ought to have known that there had been a hack of someone in the Hillary campaign – DISTINCT from the DNC hack which Crowdstrike was consulting on.
  7. The person who’d been hacked was therefore a senior insider of the Hillary campaign, not a low-level DNC clerk. At the time, the Hillary email investigation was ongoing, with both FBI and Hillary covering up or denying that Hillary email had been hacked.
  8. I wonder what the Hillary campaign told Crowdstrike. I’ll bet that they kept their mouths shut and hoped that it would be contained until after the election.
  9. In any event, seven days before Guccifer 2, DCLeaks had published [perhaps] the first fruits of the Podesta hack.
  10. In the Guccifer2 blogposts in June 2016 – as is now well known, many of the documents had originated as attachments to Podesta emails. (One particular document can be distinguished in version from a similar document at DNC).
  11. Documents in Guccifer2 blogposts of June 30 and July 6 also occur as attachments in DNC hack emails. This is little known. I just noticed this. I subsequently noticed that Forensicator SI has similar collation, but didn’t discuss.
  12. In my opinion, Guccifer2 blog use of Podesta attachments was a much firmer association than any presented in intel assessments. G2 use of DNC attachments (prior to Wikileaks publication) is a similarly firm association.
  13. I’ve consistently spoken against any reliance on high July 5 copying speeds as supposedly showing a leak rather than hack. (July 5 copying was a re-arrangement by G2 – NOT exfiltration.) G2 use of DNC attachments on June 30 is further evidence against the July 5 theory.
  14. The spearphishing syntax of Podesta hack, as I’ve mentioned before, was identical to spearphishing syntax of Rinehart hack published at DCLeaks. So there’s a direct connection between Podesta hack and DCLeaks as well as to Guccifer2.
  15. There are also connections between DCLeaks and Cyber-Berkut. Several Soros documents published by Cyber-Berkut were among the Soros documents published by DCLeaks. (Citizen Lab used DCLeaks version to accuse CyberBerkut of altering a document.)
  16. DCLeaks’ earliest archives (to which little attention has been paid) are hacks of US military, most prominently NATO General Philip Breedlove, whose very aggressive emails on Ukraine situation attracted some interest in Europe.
  17. One of Breedlove’s most prominent correspondents – Wesley Clark – advocated a Strangelove-like domino theory of the type not heard since escalation of Vietnam War.
  18. In passing, there were an astonishing number of US military personnel, including Gen. Breedlove, who used gmail, aol etc for correspondence on military policy. If US military use gmail to talk shop, how can US complain if they get hacked by Russia or anyone else?
  19. Also, in passing about DCLeaks, their email hacks didn’t involve X-Agent, X-Tunnel or elaborate malware. They involved nothing more than a single spearphish email, no different than Nigerian scam. DCLeaks published 13 hacks, with latest (Colin Powell) having emails to Aug 29.
  20. (2018-07-24) more later.
  21. (2018-11-28) Forensicator cited this thread (in its entirety) in his recent excellent exegesis of “Russian” breadcrumbs in Guccifer 2. Recommend that interested readers consult.
  22. Previously in this thread, I had asserted that the distribution of these clips had been high-level insiders of the Hillary campaign.
  23. Forensicator stated that “files were sent to Podesta via a Google email group named hrcrapid, which likely had a wide distribution”. The inference is, presumably, that DCLeaks access to the Clips did not necessarily arise from Podesta hack, possibly from lower-level DNC.
  24. All but one of Podesta emails corresponding to Clips at DCLeaks went to email groups: hrcrapid@googlegroups.com OR HRCRapid@hillaryclinton.com OR bcc from nmerrill@hrcoffice.com. However, there was one email with a distribution list – cited in my thread.
  25. Its distribution (earliest in email set) was […].
  26. While HRCrapid group may have expanded, for attachment to Podesta 17824 to turn up at DCLeaks: if they didn’t get it from Podesta, it would have to come from hack of another one of these heavyweights.
  27. If a second heavyweight (in addition to Podesta) had been hacked, I think that it would have been put in play in 2016 at same time. Why wouldn’t it?
  28. On this issue, while use of HRCrapid group for many of the emails (not all) is worth considering, I still think that it makes more sense to connect DCLeaks possession of the Clips to Podesta hack than to an unattested hack of unknown lower level person (not on Podesta 17824).

McIntyre makes a key finding: DCLeaks disclosed 72 documents one week ahead (June 8, 2016) of Guccifer 2’s debut.  These same documents appear much later (October 7, 2016) as attachments (published by Wikileaks) in Podesta’s emails.  McIntyre observes that “ALL 72 documents had been attachments to Podesta emails (published in October 2016 by WikiLeaks), a connection which (to my knowledge tho somebody might have) has not been reported.”  McIntyre makes a strong case that there is a credible link between those early DCLeaks disclosures and the leaked Podesta emails.

Yet another Guccifer 2 Word Document with a West Coast Fingerprint

In Guccifer 2’s West Coast Fingerprint, we observed that Guccifer 2 posted a Word document with “track changes” enabled and from that tracking entry we could determine the time zone offset in force when that document was saved.  The document, hillary-for-america-fundraising-guidelines-from-agent-letter.docx, was uploaded by Guccifer 2 in his second batch of documents, published on June 18, 2016.  It had “track changes” enabled in Word, which recorded one of Guccifer 2’s changes that he made under the pseudonym, “Ernesto Che”.  We can see that change below.

g2-ernesto-che-track-changeThe time shown (12:56 AM) is expressed in local (wall) time; the document’s “last saved” time is expressed in GMT as 7:56 AM.  From this observation, we concluded that a GMT-7 clock setting was in force when the document was saved.

More recently, we searched all 36 of the documents that Guccifer 2 modified (tweaked) prior to publication.  We found another document with “track changes” enabled that also exhibits a time zone offset of GMT-7. That document, named dws-az-op-ed-comparison-doc_lm.docx, was uploaded in a separate batch of documents on June 30, 2016.  The Chinese characters shown below are written as Zhu De in the Latin alphabet; Zhu De was a famous general in the revolutionary Chinese Communist army.

g2-zhu-de-track-change-dws-az-op-ed-2016-06-30

Is the West Coast the Best Coast?

In Guccifer 2’s West Coast Fingerprint, we reached the following conclusion.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled.  From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.

More technically, we observed that the timezone offset in force when Guccifer 2 made this change was GMT-7, which happens to be the timezone offset in use for Pacific DST during the summer; Arizona uses a GMT-7 timezone offset year-round, because it does not implement DST.

We showed previously, that when we translate all of the last saved times to a timezone region that has a GMT+3 timezone setting in force during the summer (Western Russia, Ukraine, Central Europe) that all those times fit neatly within a 9 to 5 Russian working day.  Given Guccifer 2’s overall demonstration of metadata manipulation expertise, combined with alleged connections to a state sponsored agency, we think it likely that Guccifer 2 was aware of the potential link between the last saved times in the documents he modified and the Russian work day.

One of the mistakes that we think that Guccifer 2 may have made is that he assumed that a “track changes” entry was recorded in GMT time when in fact it was recorded in local time.  We were able to compare this local time to the “last saved” time, recorded in GMT, and determine that the timezone offset in force when the document was saved was GMT-7 (PDT).

Let’s look at the two track change entries again.

Here, we see that the first track changes entry shows a local time of 00:56 and the second shows 03:23.  Both are in the wee hours of the morning and are not business hours.  Yet, when translated to Moscow time they are 10:56 and 13:23 – well within normal work hours.

The “track changes” entries above appeared in separate batches uploaded on June 18, 2016 and June 30, 2016.  Given that the last saved times of the documents in each batch are generally close together, it is reasonable to assume that all the documents in each batch were saved on a system that used a GMT-7 timezone setting.

For the first document above, dated June 18, 2016, Guccifer 2 explicitly enabled “track changes”.  Thus, Guccifer 2 knowingly implanted the “track changes” entry.  We confirmed this by comparing Guccifer 2’s version of the document to the likely original in the Wikileaks archive.  The second document, dated June 30, 2016, already had “track changes” enabled; Guccifer 2 likely was a aware of this because there were extensive review mark ups in the document.  These observations remove the possibility that Guccifer 2 might have unintentionally left “track changes” entries in those documents.

We highly doubt that Guccifer 2 would miss the fact that the local clock reads 3:23 AM.  We reach this conclusion independent of whether Guccifer 2 was running Word on a system physically in the West Coast or a VM running Windows XP with Pacific timezone settings in effect.  We therefore work from the point of view that Guccifer 2 accepted this local time setting, knowing that the end result will be a Moscow based timestamp that falls within working hours.

On several other occasions, Guccifer 2 saved files and/or viewed files with GMT+3 (Moscow, Ukraine, Eastern Europe) and GMT+4 (Moscow, before 2014) time zone offsets.  Whether those systems were VM’s or not and whether Guccifer 2 deliberately faked those settings or not isn’t important for this analysis.  Rather, it shows a pattern of using those timezone settings.  We therefore think it likely that Guccifer 2 was aware of the PDT timezone settings and accepted them, rather than fixing them.

Therefore, we think that it is more likely than not that the system used to save these files was physically located where a timezone offset of GMT-7 was in force.  We think that if it had been a VM, then Guccifer 2 would notice (on at least two occasions) that the time setting was wrong, and would quickly fix it.

Phoenix Lights: What about the AZ Server?

One line of inquiry that we followed was: Does this GMT-7 timezone setting indicate that Guccifer 2 may have connected remotely to a US-based system?  One particular system, located in Arizona, comes to mind.  We find a reference to a server located in Arizona in the Special Counsel’s July 13, 2018 indictment.

One theoretical scenario goes like this: A GRU operative working out of Moscow connects to the Arizona server using RDP (Remote Desktop) via a VPN connection.  The agent (a Guccifer 2 team member) opens the documents he plans to modify on this server and makes the changes there.  This will implant the local times observed in the “track changes” entries that have a local AZ time reference.  Additionally, the GMT-based last modified timestamp will indicate Russian working hours.

The AZ server access theory sounds plausible at first, however we excluded it on this basis:

  • The accesses in question were on June 17, 2016 and June 30, 2016 — both are after the DNC announced on June 14 that it had been hacked.  Guccifer 2 would assume that any activity inside the US would be at risk of detection and potential disruption.
  • The indictment states that “X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona.”  The indictment tells us that the AZ server was used to control access to the DCCC, not the DNC, and makes no mention of its use for other purposes.
  • It would have been unusual, unnecessary, inconvenient, and risky to access Microsoft Office documents on this system located thousands of miles away, within the US, after the alleged hacks had been made public.
  • In many other cases, there are indications that Guccifer 2 accessed the documents locally (they have GMT+3 and GMT+4 timezone offsets).  We see no reason that Guccifer 2 would depart from this practice.  This conclusion is of course based on the premise that Guccifer 2 worked out of Moscow.

Did Guccifer 2 Intend to Plant MSK Timezone Clues in the “Track Changes” Entries and LibreOffice Documents, but Slipped Up?

 We think that Guccifer 2 may have made a mistake planting those track changes entries – but perhaps it was a subtle mistake.  What if Guccifer 2 thought those “track changes” entries might implant GMT+3 (Moscow) time indications?  What would make Guccifer 2 think that?

Let’s first assume that Guccifer 2 was on Moscow time (GMT+3), rather than Pacific Time.  In that scenario, the “track changes” entry would have recorded a local time of say, 13:23, where the document’s last saved time would be 10:23 (GMT).  This artifact wold then indicate that GMT+3 (MSK) timezone settings were in force when the document was saved – another Russian breadcrumb.

This scenario is speculative, but would make sense based on the observation that Guccifer 2 planted many indications of possible Russian origin.  The fact that two changes were made in separate batches provides further motivation to think that this might have been Guccifer 2’s original plan.

Additionally, as we explained in another section, we think that Guccifer 2 was unaware that LibreOffice would leak the timezone offset of the system on which the document was written.  If Guccifer 2 viewed the last time in Word, it would interpret the last saved time as GMT time and from this Guccifer 2 would conclude that the metadata supported Guccifer 2’s objective of giving the impression that he worked during Moscow office hours.

Thus, we conclude: If Word and LibreOffice behaved as Guccifer 2 expected them to, then all observed last saved times would have demonstrated that Guccifer 2 was working during Moscow office hours.

Guccifer 2 Telegraphed his Time Zone Offset in Three Email Screenshots

In one of his last blog posts on October 18, 2016, Trump’s taxes: Clinton campaign prepares a new provocation, Guccifer 2 posted the following email screenshots.

g2-20161018-email1

g2-20161018-email3

Let’s focus on the header of the first email message.

g2-20161018-email1-gmt-plus-3

By observing the sender’s time both as the sender expressed it and as Guccifer 2 viewed it, we conclude that the system that Guccifer 2 used when taking this screen shot had GMT+3 time settings in effect.  All three emails show that GMT+3 time settings were in effect.  After 2014, Moscow, Ukraine, and Central Europe all adopted a GMT+3 time regime, during the summer.

Although this GMT+3 time indication is obvious and can be determined without special tools, it seemed to go unnoticed both by the media and a large community of researchers.  Perhaps they had grown tired of Guccifer 2’s online antics and no longer critically reviewed his posts.  It seems quite likely however that a professional forensics analyst tasked with tracking Guccifer 2 would quickly notice this GMT+3 indication.

Whether Guccifer 2 made a mistake and unintentionally disclosed this potential link to Russia, or his actions were intentional is a question that keeps coming up.

Above, all three emails include DNC-related recipients, however only the attachments linked to the first and second emails can be found in the Wikileaks DNC email archive.

The third email is sent from Ian Mandel, law partner at Jones Mandel.  The recipients that have DNC email addresses are not listed as the DNC employees who had their emails included in the Wikileaks DNC collection.  One of the recipients is Tony Carrk who worked for Hillary Clinton’s election organization.  We saw Carrk as the originator of the Trump opposition report which was the source of the first document that Guccifer 2 published.  It is possible that all three emails originated from hillaryclinton.com even though we can find two of the email attachments in the Wikileaks DNC email collection.

Guccifer 2’s Email Screenshots use US/EN Date Format?

In the email screenshots discussed earlier, we noted that some of them had GMT+3 timezone settings in force when the screenshots were taken.  In contrast, however, we see below that the screenshots use United States style date formats.

g2-email-screenshot-sent-lines

It is understandable that the month and day names are written in English (not Russian, or Romanian); however, it is interesting that the date ordering and syntax are written in the style used in the US.

g2-how-to-write-date-in-ru

If the European style were used, we would expect “May 16, 2016 5:46:18 PM” to be written “16 May 2015 17:46:18” and “1/16/2015 11:36 PM” to be written “16.01.2015 23:36”.  Note that the screenshots are likely taken on the system that Guccifer 2 was using at the time that he composed his blog post.  This use of a US style date format stands at odds with the finding that GMT+3 timezone settings were in force when the email screenshots were taken.

Guccifer 2’s Email Screenshots Disclose DNC Emails Never Published by Wikileaks

In the previous section we discussed three email screenshots posted on October 18, 2016 and observed that two out of three could be found the Wikileaks DNC email collection, but that the DNC emails were not necessarily where these documents originated.

Guccifer 2 published two additional email screen shots a few months earlier on June 30, 2016.  They can be found here and are shown below.

Guccifer 2 did not publish emails in text form, but did post at least six email screenshots.  Only two of the listed attachments can be found in the Wikileaks DNC email collection.  The two emails above are dated in February and March of 2015.  They predate the Wikileaks DNC email collection by a full year.  We note this simply as an observation.

On August 12, 2016 Guccifer 2 also posted an email screen shot that can be attributed to the DCCC (dated January 16, 2015).  The content of that web page was subsequently withdrawn; the email screen shot below is from a web archive.

g2-20160812-dccc-email

Language Settings in Modern Word (.docx) Documents

In Did Guccifer 2 Plant his Russian Fingerprints? we noted that the first five Word documents that Guccifer 2 published were recorded in RTF format and that the RTF file format encodes the system “code page“, which in turn indicated that Russian language settings were in force when those documents were saved.  This was widely noted by various researchers.  For example Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2 closely the same day that Guccifer 2 appeared.  Matt started a Twitter mega-thread here, compiling his observations along with those of various other cyber security researchers.

In compiling this report, Forensicator observes that modern Word (2007 and up) documents (saved with .docx extensions) encode the preferred language in the word/settings.xml component.  Although many Internet security researchers (and the mainstream media) have pored over the metadata in Guccifer 2’s published documents, they have missed this language setting.  Here is an example from one of the early documents that Guccifer 2 tweaked and then published.  The source document, named staff1.docx, can be found on this page in Guccifer 2’s blog; it was published on June 18, 2016 (three days after Guccifer 2 first appeared).  It can be sourced to a Podesta email attachment [Wikileaks] , named STAFF1.docx

word-docx-theme-fontlnag-setting

At line 89 we see that the themeFontLang value is set to “ru-RU”.  Here is what the Microsoft specification tells us about that setting (emphasis added).

msft-theme-fontlang-spec

We also observe the decimalSymbol (“,”) and listSeparator (“;”) values at lines 98 and 99 are Russian style settings.  They would be “.” and “,” respectively for US English documents.

In the discussion below, we will find that the Word documents that Guccifer 2 modified have this themeFontLang field set to values of interest.  Note that legacy Word (.doc and RTF) and spreadsheet documents (.xls and .xlsx) do not have this helpful preferred language indication.  Further, LibreOffice does not use (or set) this language preference value, though it will preserve it when saving the document in Word format.

Language Indications in Legacy (.xls) and Modern (.xlsx) Excel Spreadsheets

Excel spreadsheets do not have a settings.xml component and therefore they do not record the themeFontLang value that we found in Word documents.  Excel spreadsheets do however set a field called HeadingPairs, found in the docProps/app.xml component.  This HeadingPairs value provides a helpful language clue.

Here is an example from one of the Excel spreadsheets that Guccifer 2 published in his first batch of documents on June 15, 2016.  That spreadsheet, named donors.xlsx can be sourced to an attachment, named Donors.xlsx found in a Podesta email [Wikileaks].  Below, the HeadingPairs value is shown (emphasis added).

g2-donors-xlsx-heading-pairs-ru

Let’s compare this to the original document, sourced to a Podesta email attachment.

podesta-donors-xlsx-heading-pairs

From the above example, we conclude that the HeadingPairs value can provide a reliable indication of Russian language settings that were in force when an Excel spreadsheet is saved.  Although this example shows the setting for a modern Excel (.xlsx) spreadsheet, legacy (.xls) spreadsheets have this same field and it behaves in a similar fashion.

We can use ExifTool to extract this value for both legacy and modern Excel spreadsheet formats.  All of the spreadsheets in Guccifer 2’s first batch of documents indicate Russian language settings.

g2-first-spreadsheets-heading-pais-ru

In a following section, we will detail the Russian language indications found in the various spreadsheet documents that Guccifer 2 modified and then published on his blog.  We will use the method shown above to make that determination.

Legacy Office Documents Disclose the OS Version

Guccifer 2 modified two legacy Microsoft Office documents: big-donors-list.xls (in the first, June 15, 2016 batch) and pelosi_carroll-event-memo.doc (published August 12, 2016).

This article, Word Forensic Analysis And Compound File Binary Format, provides some insight into the structure of a legacy Word document.  The article has a different focus and uses different tools than we discuss in this section.  The article does, however, describe the following artifact in detail; this is the part that we are interested in.

Operating System Version (OSVersion)

In addition to the AppVersion, both the Summary Information and the Document Summary Information streams in a Word document contain a 4-byte PropertySetSystemIdentifier structure. The first two bytes of the structure indicate the major and minor versions of the operating system that wrote the property set. The last two bytes represent the OSType. According to the specification, OSType must be 0x0002.

In the screenshot above, you can see the PropertySetSystemIdentifier structure highlighted. The 06 and 01 values indicate the major and minor version of the OS respectively. Windows 6.1 represents Windows 7, which was released to the public in the second half of 2009 […].

Legacy Office documents are not as easy to parse as the newer XML-based format.  We can use the MiTeC Structured Stream Viewer to conveniently navigate the document’s metadata.  We use its hex viewer to determine the version of the OS that was installed when the document was saved.

Above, we see that the spreadsheet in the first batch (June 15, 2016) was last saved on a Windows 8 system, while the second Word document (in the August 12, 2016 batch) was saved on system with Windows 7 installed.  We interpret a GMT+4 timezone offset as an indication that Windows XP was installed.  Thus, we have evidence that Guccifer 2 used at least three (3) versions of Windows: Windows XP, Windows 7, and Windows 8.

Recall that when we analyzed Guccifer  2’s first five (5) documents that 4.doc had a GMT+4 indication but 1.doc, 2.doc, 3.doc, and 5.doc all had GMT+3 indications.  Now that we have evidence that at least one document in that first batch was saved on a Windows 8 system, it makes sense that if its timezone were set to Moscow time that the timezone offset would read GMT+3, because Windows 8 would have been updated to reflect Moscow’s decision to drop Daylight Saving Time after October, 2014.  Windows XP, on the other hand, was not updated, because it had reached its End-of-Life.

LibreOffice Language Settings in Modern Word Compatible (.docx) Documents

For one batch of documents, published on July 6, 2016 , Guccifer 2 used LibreOffice to modify and save the documents.  LibreOffice can save files in Microsoft Office 2007 compatible format, but the metadata in those files will differ slightly from those saved by the native Office 2007 application (that Guccifer 2 used for many of his documents).

LibreOffice does not set the themeFontLang property that we discussed previously.  LibreOffice will however preserve the themeFontLang property (when saving in the Microsoft Office 2007 file format). LibreOffice sets a distinctly different property, language, found in the docProps/core.xml component.

We can see this in the document named potus-briefing-05-18-16_as-edits.docx that Guccifer 2 modified and then published on his blog.  That document can be sourced to a DNC email attachment, named POTUS Briefing 05.18.16_AS Edits.docx [Wikileaks].  Let’s look at the language property in Guccifer 2’s version of the file.  (This language property is not present in the original Word document.)

g2-language-prop-libreoffice-pub-2016-07-06

Above, the language setting designates US English.  That result is a bit surprising given that many of Guccifer 2’s documents have Russian indications.

Guccifer 2’s Chinese and Japanese Language “Fingerprints”

An anonymous blogger, Winston Smith (a fictional character in George Orwell’s 1984) noted the presence of language attributes in two batches of documents posted by Guccifer 2 on June 30, 2016 and July 6, 2016.  Smith notes that documents in the first  batch were last saved by “Zhu De” (a famous general in the Communist Chinese army.

winston-smith-g2-chinese-fingerprints

Above, Smith observes that the “w:eastAsia” property is set to “zh-CN”;  that property controls the font selection for Eastern/Asian characters.  We think that this property was added by Microsoft Word when it determined that the user id was written in Chinese characters.  Smith also notes that the main language attribute “w:lang” designates the use of Romanian language settings.  We expand on this main language attribute value elsewhere.

Smith notices that documents in another batch posted by Guccifer 2 were saved by a user identified as “Nguyễn Văn Thắng” a famous Vietnamese general.  He calls this artifact a “Vietnamese fingerprint”.

winston-smith-g2-viet-fingerprints.png

Smith is surprised that the “w:eastAsia” secondary language property is set to “ja-JP” (Japanese) when the userid is written in Vietnamese.  Our explanation is multi-part:

  • The Vietnamese alphabet is expressed in Latin characters with some special diacritic marks.  Thus, no Asian character set is needed; the “w:eastAsia” property does not apply here.
  • The original document that Guccifer 2 modified, POTUS Briefing 05.18.16_AS Edits.docx has this attribute set to “ja-JP”.  This attribute value was retained when Guccifer 2 changed the document.
  • Guccifer 2 used LibreOffice to open and modify this batch of documents that were uploaded on July 6, 2016.
  • As explained elsewhere, LibreOffice updates a different language property and simply retains any previous value set by Microsoft Word.

Smith is correct when he observes that various documents in the batch that were saved with a user id that is written in Chinese characters (“Zhu De”) and that a Vietnamese user id (“Nguyen Van Thang”) was used in the other batch.  We agree that Guccifer 2 planted these “fingerprints”.  We differ with Smith on one point — we do not think that the “w:eastAsia” property value is relevant or helpful in understanding Guccifer 2’s document metadata modifications.

Smith suggests that evidence which shows that Guccifer 2 deliberately planted these quirky user id’s might “invalidate the original argument that the Russian ‘fingerprints’ were accidentally left by Russia/GRU/G2.”  Although we agree with Smith’s general sentiment, we note that Guccifer 2 explained away these unusual user names as his (hacker) “watermark“.

The media narrative has it that Guccifer 2 made a mistake in his first batch of documents when he accidentally left “Russian fingerprints” behind.  The media suggested at the time that Guccifer 2 was likely caught by surprise when the DNC announced it had been hacked.  Guccifer 2 felt the need to respond quickly, but in doing so made mistakes.  We are led to believe that the extensive collection of metadata breadcrumbs that Guccifer 2 left behind were a result of his haste and carelessness.

The presence of these additional “watermarks” is explained (by the media) as Guccifer 2’s lame attempt to cover his initial mistakes.  We are to believe that Guccifer 2 deliberately planted additional fake user id’s in an effort to cover up the presence of his (alleged) real user id (“Felix Edmundovich” in Cyrillic), which he (also allegedly) accidentally disclosed.

In Did Guccifer 2 Plant his Russian Fingerprints?, we demonstrate that Guccifer 2 took great care to plant his Russian fingerprints and showed extraordinary skill in making their appearance seem accidental.  Based on that analysis, we conclude that it is likely that Guccifer 2 intentionally planted all of his various fingerprints, inclusive of those that Smith analyzed.

Guccifer 2 Installed the Then-Current Version of LibreOffice Prior to Publishing a Batch of Documents on July 6, 2016

We can consult another document property to confirm that the file, potus-briefing-05-18-16_as-edits.docx (referenced in the previous section) was saved by LibreOffice.  the property named, application, found in the document component, docProps/app.xml, provides this information.  Here, we show the XML content; however, ExifTool will extract these properties directly and is easier to use.

g2-application-prop-libreoffice-pub-2016-07-06

Above, the LibreOffice version used is 5.1.4.2.  That version was released on/about June 20, 2016 – just a couple of weeks prior to Guccifer 2’s use of this version of LibreOffice.  From this observation, we can conclude that Guccifer 2 installed LibreOffice just prior to using it to publish the documents modified and uploaded on July 6, 2016.  We also observe that the 32-bit implementation of LibreOffice was installed; this suggests that the installation was made using a Virtual Machine (VM), perhaps running Windows XP.  The GMT+4 timezone offset is consistent with the hypothesis that a new VM (running Windows XP) was used.

LibreOffice Leaks the Time Zone Offset in Force when a Document was Last Written

Modern Microsoft Office documents are generally a collection of XML files and image files.  This collection of files is packaged as a Zip file.  LibreOffice can save documents in a Microsoft Office compatible format, but its file format differs in two important details: (1) the GMT time that the file was saved is recorded in the Zip file components that make up the final document and (2) the document internal last saved time is recorded as local time (unlike Microsoft Word, which records it as a GMT [UTC] value).

If we open up a document saved by Microsoft Office using the modern Office file format (.docx or .xlsx) as a Zip file, we see something like the following.

g2-zip-date-msoffice-pub-2016-07-06

LibreOffice, as shown below, will record the GMT time that the document components were saved.  This time will display as the same value independent of the time zone in force when the Zip file metadata is viewed.

For documents saved by LibreOffice we can compare the local “last saved” time recorded in the document’s properties with the GMT time value recorded inside the document (when viewed as a Zip file).  We demonstrate this derivation using the file named potus-briefing-05-18-16_as-edits.docx that Guccifer 2 changed using LibreOffice and then uploaded to his blog site on July 6, 2016 (along with several other files).

Above, we calculate a time zone offset of GMT-4 (EDT) was in force, by subtracting the last saved time expressed in GMT (2016-07-06 17:10:58) from the last saved time expressed as local time (2016-07-06 13:10:57).

Iron Felix is missing from Early Spreadsheets

As shown below, not all of Guccifer 2’s early batch of documents had “Iron Felix” as the “last saved” user id.  All of the spreadsheets had an empty (null) user id.

Using Word 2010 we were unable to set an empty “last saved” user id.  Perhaps this is possible with the older Word 2007 application that Guccifer 2 used; we didn’t try running that experiment.  Although these spreadsheets were saved within a half hour of when the last Word document was saved, the spreadsheets all have a null user id.

Both Word and Excel will let the user change  the current user name (“Options:User Name”).  Once set, the value should apply to all Office applications.  Thus, if the User Name were set for the Word documents, we would expect it to be retained for Excel spreadsheets saved a half hour later.  Yet, they differ.  We do not offer a theory to explain this.  We mention this here for information only.

Some Spreadsheets have EN Language Settings – Yet, Word Documents in the Same Batch have RU/RO

Guccifer 2 modified and then published several spreadsheets.  All of the spreadsheets in his first batch (June 15) have Russian indications.  Yet, in two subsequent batches the spreadsheets have English (EN) indications, while all the Word documents in those batches have non-English (RU and RO) indications (as shown below).

We see from the timeline introduced in an earlier section, titled Guccifer 2’s Metadata Mosaic, that Guccifer 2 often worked with mixed batches of Word documents and spreadsheets, moving from one document type to another.  If Guccifer 2 had Russian language settings enabled when he saved a Word document, why would these settings not also be present when he moved to a spreadsheet, tweaked it and then saved it?  The system’s language settings should apply to all Office document types.

Based upon the above, we wonder: Did Guccifer 2 manipulate the metadata in the first batch of spreadsheets to uniformly indicate Russian language settings?  In other words, did Guccifer 2 use special programs and/or techniques to produce the uniform Russian language indications found in the first batch of documents (dated June 15, 2016)?  (We have not tried running experiments to answer this question one way or the other.)

Back to the Future: The Upload Time Anomaly

In a typical scenario, the user will create/collect documents locally and then upload them to a web site.  The web site, if professionally managed, will maintain an accurate clock that cannot be changed by the remote user.  The web site will time stamp the files with the time they were uploaded; this makes it easy to see which files have been modified recently.  The web server (generally) asserts no control over the internal metadata, such as the “last saved by” user id or last saved date/time.  The accuracy of the internally recorded last saved time will depend upon the accuracy of the remote user’s clock at the time that the document was written locally.

In Guccifer 2’s case,  (if we normalize all times to, say, GMT) we expect the upload times recorded on the WordPress server to always be greater than the times those documents were last saved on the remote client’s system.  This is generally the case, but for one batch of documents (published on June 30, 2016) we have a situation where the WordPress server’s time stamp precedes Guccifer 2’s last saved time by roughly 7.5 hours (as shown below).

g2-upload-precedes-last-saved

From our previous discussion, we also know that the file uploaded at 02:53:06 (GMT) was saved on a system which had a timezone offset of GMT-7 (Pacific Daylight Time).  Thus, the local time when the file was saved was 2016-06-30 03:23.  The equivalent upload time was 2016-06-29 19:53:06 (7.5 hours earlier).

How do we reconcile this anomaly?  We start with the following assumptions.

  • The system is on PDT time (GMT-7).
  • The system’s local time must be advanced from actual time by at least 7.5 hours.  For this scenario, we will assume that it is advanced 12 hours ahead.
  • The system’s local time reads 03:23 (PDT).  This works out to 13:23 MSK (normal working hours, Moscow time).
  • Since our local clock is advanced by 12 hours, the actual local time is 12 hours earlier: 2016-06-29 15:23.  Our actual last saved time now precedes the upload time of 2016-06-29 19:53:06 by about 3.5 hours.
  • Guccifer 2 is aware that his local time is based on PDT and the time is advanced by 12 hours.  His goal is to plant a last saved time that falls within Moscow working hours (13:23).

Given the assumptions above, we sketch out the following speculative scenario.  A Guccifer 2 operative, working on the West Coast (US) wants to make changes to various documents that (1) plant Russian metadata and (2) have last saved times that are consistent with Moscow working hours.  However, Guccifer 2 doesn’t want to stay up until 3 AM to plant the necessary fact pattern.  Instead, he advances his clock by 12 hours and makes the changes at 3 pm his time instead.  This all works well, except for the “track changes” entry, which inadvertently discloses his GMT-7 timezone offset.

There are many assumptions that can be made and many different scenarios that can be constructed.  We offer this scenario for consideration.  Perhaps other researchers will find scenarios that have a more compelling rationale to support them.

Disclaimer

This report describes numerous examples of metadata found in documents that Guccifer 2 modified, where the metadata values can be linked to Russia.  We call these values – “Russian breadcrumbs”.  The presence of these breadcrumbs might seem at odds with the DOJ indictments of alleged Russian GRU hackers, because we are left wondering why would Guccifer 2 leave such an obvious trail to Russia?  One explanation that has been given is that the Guccifer 2 team was in a hurry and careless.  Another reason might be that the GRU agents wanted to make their presence known and were sending some sort of message.  We take no position on those theories and rationales, but simply offer our interpretation of the facts at hand.

Also, to the degree that some theories that we develop might suggest that Guccifer 2 had team members or help inside the US, we emphasize that our theories should be considered hypothetical.  We note that the DOJ indictments are not obligated to list all the facts in a case; there might be other information that hasn’t been disclosed publicly that would invalidate our theories or interpretations of the facts.

Closing Thoughts

breadcrumb-quotes



Advertisement