Guccifer 2’s West Coast Fingerprint

Introduction

In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written.  We also look at the time of day pattern of the “last modified” times for the 25 or so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled.  From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.

Feedback

Reader comments are attached to this blog entry.  Readers will be able to leave comments for roughly two weeks after publication.

Summary

  • Using a technique recently disclosed by another researcher (David Blake), we were able to establish GMT time zone offsets for Guccifer 2’s first five (5) Word documents.  Four of those documents (1.doc, 2.doc, 3.doc, and 5.doc) were created with GMT+3 time zone settings in effect.  (During the summer of 2016, GMT+3 would have applied to Central Europe, the Middle East, and Western Russia.)  One document, 4.doc, was created with GMT+4 time zone settings in force.
  • We deduce that 4.doc’s GMT+4 time setting indicates that Russian time zone settings were in force when that document was saved.  This conclusion derives from the possible use of an outdated cracked Windows XP OS which did not receive updates to its time zone tables.  Hypothetically, this unpatched OS was not updated to reflect the fact that Moscow/Russia dropped Daylight Saving Time for Western Russia in 2014.  This conclusion also depends upon the user not adjusting their time zone offset manually for over three months after the time zone should have been corrected.
  • Given that the user did not manually disable the DST time adjustment, we suggest that 4.doc may have been created on a VM that was purpose-built to “telegraph” the use of Russian time zone settings.
  • We construct a histogram of the time of day that Guccifer 2 last modified the 25 or so documents that he changed mainly for the purposes of manipulating their metadata (such as “last saved by” user, company name, etc.).  This histogram supports the conclusion that Guccifer 2 operated out of a region with a GMT+3 time zone offset in force.
  • We analyze the timestamp on an internal “track changes” entry created by Guccifer 2 when he modified a document that was published in his second batch of documents uploaded to his WordPress site.  We correlate this timestamp to the document’s “modified” (“last saved”) time recorded in the document’s metadata.  Based on this analysis, we reach the surprising conclusion that this document was created on a system which had Pacific Daylight Time (PDT) settings in force when the change was made.
  • The PDT finding draws into question the premise that Guccifer 2 was operating out of Russia, or any other region that would have had GMT+3 time zone offsets in force.  Essentially, the Pacific Time Zone finding invalidates the GMT+3 time zone findings previously described.

Credits

  • David J. Blake (@HisBlakeness) discovered [archive] a technique that can be used to figure out the timezone offset that was in force when a legacy (.doc) Word document was saved.  We use Blake’s method on Guccifer 2’s first five Word documents, in this report.
  • Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2, early on and extensively.  Matt started a Twitter mega-thread here.  In one particular tweet [archive], Tait noticed that “track changes” was enabled for a particular document, and that Guccifer 2 had made a small change under the name “Ernesto Che”.  His observation prompted us to analyze the date/time of this change.  Based on our analysis, we conclude that this document was likely last modified by Guccifer 2 on the West Coast, US.

Timeline

The following timeline summarizes some key events and developments as they relate to the analysis of Guccifer 2’s early document disclosures.  For a much more detailed timeline, consult Adam Carter’s Guccifer 2 timeline.

  • [2013-07-13] As noted by Thomas Rid (@RidT), the original Guccifer (Marcel Lazăr Lehel) disclosed a similar version of Guccifer 2’s 4.doc in the summer of 2013.  Additional metadata analysis indicates that the source document dates back to the time of the Obama administration (2008).
  • [2016-06-14] Via the Washington Post [archive], the DNC announced that it had been hacked.  The WaPo article mentions (in its headline and in the body of the article) the fear that a Trump opposition research document (now known as 1.doc from Guccifer 2) may have been stolen by Russian state-sponsored operatives.
  • [2016-06-15] The security firm CrowdStrike, which had been hired by the DNC, published a blog post [archive] that attributed the alleged DNC hack to Russian state actors.
  • [2016-06-15] Guccifer 2 arrived on the scene that same day.  Guccifer 2 quickly published ten (10) Office documents on his WordPress.com blog [archive].  Five (5) of those are Word documents; they are analyzed in our companion report, Did Guccifer 2 Plant his Russian Fingerprints?.  Guccifer 2 initially posed as a Romanian (lone wolf) hacker, but as time went on his story began to deteriorate.  Some pundits quickly assigned Russian attribution to Guccifer 2, partly due to Cyrillic artifacts in his first five Word documents.  Also, in an online chat, it was observed that Guccifer 2 had weak fluency in Romanian.
  • [2016-06-15] That same day, two media outlets published stories, covering 1.doc (the DNC sourced “Trump opposition report”), which was apparently pre-disclosed to them by Guccifer 2.  Those media outlets were The Smoking Gun [archive] (TSG) and Gawker [archive].
  • [2016-06-15] Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2.  Matt started a Twitter mega-thread here.  Matt’s involvement with Guccifer 2 would lead to his being interviewed by Mueller as part of the Mueller investigation of Michael Flynn [archive] in October, 2017.
  • [2016-06-16] One day later, a well known online media outlet, Ars Technica [archive], (which covers technology topics) reviewed the PDF [archive] posted by Gawker; this PDF is derived from 1.doc.  Ars Technica noticed the presence of error messages located in the last few pages of the 200+ page PDF.  Those messages were written in Russian (using the Cyrillic alphabet).
  • [2016-06-18] Guccifer 2 published his second batch of documents.  One document from that batch had “track changes” enabled in Word; we focus on that document in this report.
  • [2016-06-18] In a tweet [archive], Tait noticed a document with “track changes” that Guccifer 2 had uploaded that same day.  He reported on a small change that was made under the name “Ernesto Che”.  His observation prompted us to analyze the date/time that this change was made.   Based on our analysis, we conclude that this document was likely last modified by Guccifer 2 on the West Coast, US.
  • [2016-10-07] Wikileaks released their first batch of Podesta emails.  Per our analysis, all five of Guccifer 2’s first Word documents (and an additional document used as a template) can be matched with source documents that were included as attachments to Podesta’s emails.  We do not conclude that Podesta’s emails were the actual source of Guccifer 2’s first five Word documents, but note that this possibility cannot be ruled out.
  • [2018-02-16] David J. Blake (@HisBlakeness) published his research [archive] that suggests that Guccifer 2’s first two documents were created with GMT+3 time zone offset settings in force.

Analysis

The Blake Method: Use the Datastore to Calculate a UTC Offset

Recently, blogger/researcher, David J. Blake (@HisBlakeness) offered some interesting new observations and theories regarding Guccifer 2.  Blake made this key discovery [archive].

g2-blake-datastore-utc-time

Blake discovered that some legacy (.doc and .rtf) Word documents contain an internal “datastore” object; this “datastore” object has an internal timestamp that is expressed in UTC (closely equivalent to GMT) time.  The containing legacy Word document records times (to the minute) in local time.  This means that we can take the “last saved time” (in local time) of the Word document and subtract the datastore time (recorded in UTC) from it to determine the GMT offset in force at the time that the document was saved.

Blake mentions the “MSODatastore” object; this is a form of “datastore” object introduced by Word 2007.

g2-word-doc-datastore-fmt

We observe that some legacy Word documents do not have an MSODatastore object but still have datastore objects that can be used to determine the GMT offset in force when they were saved.  Guccifer 2’s 4.doc and 5.doc fall into this category.

Using the Blake Method, we Find the GMT Offset for Guccifer 2’s First Five Documents

We augmented Blake’s results by applying his method to 3.doc, 4.doc, and 5.doc – which were not covered in his write up.

g2-blake-doc-utc-offsets

A tab-separated file with the data above can be found here.

We will describe a theory that we think explains the GMT+4 time zone offset.  First, we need to present some additional facts and observations as support for that theory.

Did Guccifer 2 Disclose Other Documents that Might be Used to Determine their GMT Offsets?

We looked for other .doc files that Guccifer 2 might have modified and published, to confirm our understanding of the time zones where Guccifer 2 may have operated.  We were only interested in documents that Guccifer 2 modified and then saved.  Guccifer 2 posted approximately 135 separate files to his blog site.  Of those, only 25 have internal “last saved” times that indicate that Guccifer 2 saved them some time after acquisition; by now, most of us know of his infamous proclivity to change the “last saved by” names to heroes and/or villains of past cultural revolutions.  The 25 files modified by Guccifer 2 were uploaded in three batches (with the number of documents shown in parentheses): 2016-06-15 (11), 2016-06-18 (9), and 2016-07-06 (5).

Based upon a quick review of the 25 files that Guccifer modified, we conclude that [1-5].doc were the only legacy Word documents that Guccifer 2 changed and published.  Therefore, we have no other documents upon which we can apply the Blake method to further establish the time zone offset that may have been in force when the documents were generated.  (Note: Guccifer 2 did modify and publish some .docx files, but we cannot apply the Blake method to those.)

Did Guccifer 2 Anticipate the Blake Method?

To date, in our analysis, the one thing we have noticed that all five Word documents have in common is that their time zone offset can be calculated using the Blake method.  For the first three documents, their source documents use the new .docx Open Office format; that format does not have the information (the “datastore”) needed to retrieve a UTC timestamp, which (per Blake) can then be compared to the wall time (local time) recorded in legacy .doc files.  The datastore object was added when the source files were saved as RTF files.

Given that Guccifer 2 went to some trouble to save his first five documents in a legacy Word file format (RTF), which is a seldom used format, and that these legacy Word documents can be dated using the Blake method, we wonder whether Guccifer 2 was aware of this aspect of his first five Word documents.  In the same sense that his attempts to pose as a Romanian hacker appeared intentional, we wonder whether Guccifer 2 knew about the Blake method and deliberately saved those first five Word documents in a way that allowed their time zone offsets to be determined.

A Quick Look at Guccifer 2’s Document Metadata

Some relevant metadata for Guccifer 2’s five documents are shown below.

g2-docs-metadata

A tab-separated file with the results listed above is here.

The fields highlighted in blue have values that are different from their matching source document.

Note: The “last modified by” value of “user” in 4.doc is different from that in the source document, where it is spelled “User”.

The yellow highlighted fields (based on our analysis) were inherited from a file used as a template.

The “Save As (RTF)” operation in Word will reset the version number to “2”; both the Created and Last Modified dates will be identical; the Last Printed date will be inherited from the original.  Thus, 4.doc and 5.doc appear to be the result of a “Save As (RTF)” operation with no subsequent edit operations.

Guccifer 2’s 4.doc is an Outlier of Sorts

As we can see from the metadata, 4.doc is a bit of an outlier.

  • It was created an hour earlier than the other four documents.
  • The “last saved by” field was not changed to “Феликс Эдмундович” as it was for the other four documents.  Rather, it was changed from “user” to “User” and the Company name was changed to “Grizli777”.
  • The source document for 4.doc relates back to a document created during the Obama administration (2008).
  • Guccifer 1 disclosed (via The Smoking Gun) the 4.doc source document (as a PDF with a Comic Sans font) back in 2013.
  • This string, “CONFIDENTIAL DRAFT FOR REVIEW — 9/4/08”, was removed from the source document page header; the word “SECRET” was added.  See the comparison below.

g2-4-doc-header-change-to-secret
  • The original Guccifer 1 disclosure (2013) left the “CONFIDENTIAL DRAFT …” line intact and did not add “SECRET”.
  • The “last printed” date from the original source document was preserved and appears in the final document.  This helps confirm that this particular document was in fact the source document.

What is this Grizzly Doing in my Document?

As we saw above in the metadata tabulation for Guccifer 2’s Word documents, one of the documents (4.doc) had its Company name set to “Grizli777”.  One researcher [@_fl01] was quick to notice this.

g2-wager-tweet-re-grizzli777

Mr. Wagner is right: Grizli777 shows up in bootleg copies of Office(tm) [h/t Adam Carter].

g2-grizli777-warez

As we discuss below, there is another aspect of 4.doc (a +4 GMT time zone offset in force when the document was created) that is consistent with the theory that a separate computer (probably a VM) was used to create 4.doc.  A cracked version of Office(tm) may have been installed on that computer, along with an outdated (also cracked) version of Windows XP.

We note in passing that any computer forensics expert who came up through the ranks, starting as a hacker in their misspent teen years, would have quickly noticed Grizli777 as an indication that the document may have been generated on a system where cracked software was installed.  Although Wagner suggests that this cracked software is popular with Russians and Romanians, it is more accurate to say that cracked software is popular with hackers (and others) worldwide.  Nevertheless, a forensics expert might view this cracked software as an indication that the system where 4.doc was generated was used by a hacker, as Florian did.

Does Grizli777 Also Hack Elections?

Did Grizli777 give up cracking software and then take up hacking elections?  Perhaps instead, this unlucky author added his “Company Name” to the cover page? Is he Russian or Romanian?  It doesn’t seem so.

Our point here, with this anecdote, is that the cracked version of Microsoft Office is not reserved for use by Russian and Romanian hackers.

g2-grizzli-electronic-voting-system

Russia and Ukraine Time Zone Changes, Circa 2014

In 2014, Eastern Ukraine switched to Moscow Standard Time, and Moscow eliminated Daylight Saving Time.

g2-east-ukraine-time-change-to-ru

However, Western Ukraine and a big part of Central Europe, including Bulgaria and Romania do honor DST and therefore would have their clocks set to GMT+3 during the summer.  In the map below, everything in yellow uses the GMT+3 time offset during the summer months (courtesy, Wikipedia, with enhancements for GMT+2 using DST).

europe-tz-gmt-plus-3-dst

Guccifer 2’s Fourth Document (4.doc) was Likely Created on a VM with Moscow Time Zone Settings

We launched a VM with Windows XP installed on it, and then set the time zone to Moscow Time; we left the “Automatically adjust clock for daylight saving changes” box checked (the default).

g2-vm-winxp-msk-dst-setting

We then ran “Cygwin” (a Unix emulation layer that runs on Windows) and ran a few commands to demonstrate that Windows XP used time zone tables that had not been updated to reflect the Moscow time zone changes that were implemented in October, 2014.  Windows XP maintenance ended on April 8, 2014; it is a reasonable assumption that Microsoft did not update the Moscow time zone information after that date.

In this demonstration, we took advantage of the fact that Cygwin had been updated subsequent to October 2014.  There are other ways to demonstrate this anomaly; this serves our purpose and was easy to do given the tools and programs that were already installed.

g2-winxp-msk-dst-time

We ran the Windows commands ‘date /t’ and ‘time /t’ and compared the result to Cygwin’s ‘date’ command.  As shown, Windows is an hour ahead of actual time, because Windows XP is using outdated information.

This simple experiment demonstrates that the GMT+4 time zone offset observed for 4.doc was likely the result of creating 4.doc on a VM running Windows XP, perhaps a cracked version of XP, as we might intuit from Grizli777 in the “Company” name metadata value.

4.doc Was Likely Written on a Purpose-Built VM

We think that this VM was likely purpose built, because the user did not manually adjust the time zone offset (the easiest method would be to uncheck the “Automatically adjust clock for daylight saving changes”).  The other four documents were written with GMT+3 in force; if we assume that they were written in the MSK time zone, then either a more modern, updated OS was installed, or the user manually adjusted his time zone settings.  This manual adjustment would be expected because the incorrect time zone setting would be apparent to the user whenever the DST change occurred.  Given that the time zone offset was left uncorrected, we are inclined to think that the VM had not been set up for very long, and therefore was likely purpose built.

Guccifer 2 Telegraphed his Russian Time Zone

The following observations might lead an analyst to conclude that Guccifer was operating in a Russian time zone (and not simply a GMT+3 time zone, which covers a much wider area).

  • The Blake method indicates that 4.doc was written on a system with GMT+4 time zone settings in force.  (In 2016, the Moscow/Western Russia (MSK) time zone no longer implemented Daylight Saving Time – Western Russia was on GMT+3 time.)
  • The Company Name value of Grizli777 suggests the use of cracked software, in this case a cracked version of Word 2007.
  • If the Word application is cracked, then the OS might also be cracked.  The cracked Windows OS of choice would be Windows XP.
  • Support for Windows XP was withdrawn in April, 2014 and Western Russia and Eastern Ukraine dropped Daylight Saving Time in October 2014.  It is reasonable to assume (and we confirm this in our tests) that this DST change was never made in this cracked version of Windows XP.

This unique collection of observations leads to the conclusion that 4.doc was created on a system with Moscow (Western Russia) time zone settings in force.

Given that Guccifer 2 went to some trouble to create 4.doc on a purpose built VM with settings that suggested the use of cracked software combined with the GMT+4 time zone offset – we wonder if Guccifer 2 intended to “telegraph” the fact that 4.doc was written on a system with Russian time zone settings in effect?  If not, why did he bother to make a trivial change to 4.doc on this one particular system (VM)?

Last Saved Times on Guccifer 2’s First 25 Documents Suggest GMT+3 Working Hours

Over the course of about four months (beginning June 15, 2016), Guccifer 2 uploaded approximately 150 documents to his blog site. However, based on “last saved” times, Guccifer only modified and uploaded about 25 documents; the rest were uploaded as is.  We can plot the hour that those 25 Office documents were saved in a histogram (shown below).

g2-blog-file-last-mod-time

This histogram seems to support the conclusion that Guccifer worked on those 25 documents during GMT+3 (Central Europe and Western Russia) working hours.  However, as we show in the following section, there is at least one important data point that strongly contradicts this conclusion.

Guccifer 2’s West Coast Fingerprint

Matt Tait (@pwnallthings), a security blogger/journalist, noticed [archive] a change revision entry in one of the Word documents published by Guccifer 2; this document was uploaded by Guccifer 2 in his second batch of documents, published on June 18, 2016.  That document, named hillary-for-america-fundraising-guidelines-from-agent-letter.docx, had “track changes” enabled in Word; it recorded one of Guccifer 2’s changes that he made under the pseudonym, “Ernesto Che”.

g2-tait-20160618-edit-3

In that tweet, Tait refers to this excerpt from the raw Word document’s XML data.

g2-tait-20160618-edit-1

Before diving into the XML, let’s open the document in Word and have a look at that change made by Guccifer 2.

g2-ernesto-che-track-change

We can see that Mr. Che inserted some spaces in “Kilroy was here” fashion.  This document can be matched with an attachment to this email in the Wikileaks Podesta email collection.  There it does not have “track changes” enabled – this is something that Guccifer 2 added.

The time shown is “12:56:00 AM”, or 56 minutes after midnight.  The date is June 17, 2016 (two days after Guccifer 2’s debut).  This agrees with the XML that Tait noted.  Does it really, though?  We will investigate further.

Let’s set our system’s time zone to UTC+00 (UTC and GMT are equivalent for our purposes), and have a look at the file’s properties.  (After setting the system time zone explicitly, we need to exit Word and restart it for the change to take effect.)  We select the “File” tab, then select “Info” and look at the panel on the right of the screen.

g2-ernesto-che-track-change-props-gmt

The document was last saved at 7:56 AM GMT.  Notice that the minutes value is the same as that shown for the tracked change; the two times are seven (7) hours apart.  Now that we have GMT set, we take another look at the “track changes” time.  It is the same as when we had the Pacific time zone set (“12:56:00 AM”).  What this tells us is that the track changes entry is expressed in local time, not GMT.  The file properties time is, however, expressed in GMT.

With this information, we could stop here and reach our final conclusion, but we will first dig a little deeper into the XML.  We analyzed the document further; we correlated the timestamp on this change made by Guccifer 2 with the document’s last modified time.  The first thing to know is that Word .docx files are encoded as a normal “Zip” file, which includes, among other things, several XML files.  Our document looks like this after it is unzipped.

g2-ernesto-docx-unzip-treet

We are interested in docProps/core.xml, which has the file’s properties that we just viewed in Word, and word/document.xml, which has the document’s main body text; the latter includes the track changes entry that Tait noticed.

Let’s turn to the document’s properties found in docProps/core.xml.

g2--hfa-fund-raising-doc-props-xml

We notice that the time recorded is 07:56 “Zulu” (GMT).  Referring back to the change history properties, we note that it states that the time is 00:56 AM — apparently 7 hours earlier.  We note (based on our tests) that the change entry’s time is in local time, not “Zulu” time.

g2--hfa-fund-raising-change-xml

To confirm our observation that the change logs record local time, we ran a test on a VM running Windows XP with the time zone offset set to GMT+3.  This is the environment that Guccifer 2 supposedly worked in when he created four of his first five Word documents. As an experiment, we open the same document that Guccifer 2 uploaded and add a single line of text to it.  The document’s “modified” (last saved) time is 16:12 (GMT).

g2--change-info-test-gmt3-props

Next, we query the document’s XML for the change log information.

g2--change-info-test-gmt3-local-time

Here, we see a (local) time of 19:12 which is 3 hours later, as we would expect for a computer (VM) operating with GMT+3 time zone settings in force.  This is how things should have looked if Guccifer 2 had made his change with GMT+3 settings enabled.  Instead, we see a -7 (minus seven) hours offset from GMT.

Based on the original change log timestamp, which is 7 hours earlier than the document’s (GMT based) last modified time, we reach the following surprising conclusion.
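The arithmetic behind both the Blake method (local “last saved” time minus the UTC time in the datastore object) and the .docx correlation just described (dcterms:modified in docProps/core.xml against the w:date of a tracked revision in word/document.xml) is the same: zone offset = local wall time − UTC time. The following is an added example, not code from this report or from Blake or Tait. The two XML fragments are constructed to carry the values quoted above (07:56 UTC last saved, 00:56 local on the “Ernesto Che” insertion); real Word output contains far more markup than this parser needs, and the .doc datastore itself is not parsed here, only the resulting time pair.

```python
"""Recover the UTC offset in force when an Office document was saved.

Added example (not the article's code).  Implements the offset arithmetic
used twice in the article: the Blake method for legacy .doc files, and the
.docx correlation of core.xml's dcterms:modified (UTC) with a tracked
w:ins/w:del revision's w:date (local time).  XML samples are constructed.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]


def parse_ooxml_time(value):
    """Parse 'YYYY-MM-DDTHH:MM:SS' with or without a trailing Z into a naive datetime.

    The suffix is dropped on purpose: whether a value is UTC or local is decided
    by the element it came from, not by the letter Z.  The article's GMT+3 test
    shows that revision stamps are local time even when they look like Zulu."""
    return datetime.strptime(value.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def utc_offset_hours(local, utc):
    """Blake method core: zone offset = local wall time - UTC time.

    datetime subtraction handles midnight roll-over.  The result is rounded to
    the nearest quarter hour so a minute-resolution 'last saved' time compared
    with a seconds-resolution UTC stamp still gives a clean offset, and
    half-hour zones such as +5:30 survive."""
    hours = (local - utc).total_seconds() / 3600.0
    return round(hours * 4) / 4.0


def analyze_docx(core_xml, document_xml):
    """Correlate core.xml's modified time with every tracked revision.

    The offset is only meaningful if the revision was the last edit before the
    save; 'minutes_agree' flags the case the article relies on, where the
    revision stamp and the save time share the same minute value."""
    core = ET.fromstring(core_xml)
    saved_utc = parse_ooxml_time(core.find("dcterms:modified", NS).text)
    revisions = []
    for el in ET.fromstring(document_xml).iter():
        if el.tag in (W + "ins", W + "del"):
            local = parse_ooxml_time(el.get(W + "date"))
            revisions.append({
                "kind": el.tag[len(W):],
                "author": el.get(W + "author"),
                "local_time": local,
                "offset_hours": utc_offset_hours(local, saved_utc),
                "minutes_agree": local.minute == saved_utc.minute,
            })
    return {"saved_utc": saved_utc, "revisions": revisions}


# Constructed core.xml: last saved 07:56 UTC, the value the article reports.
CORE_XML = """<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s"
    xmlns:dcterms="%(dcterms)s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>constructed sample</dc:title>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-17T07:56:00Z</dcterms:modified>
</cp:coreProperties>""" % NS

# Constructed document.xml: one tracked insertion of spaces stamped 00:56.
DOCUMENT_XML = """<w:document xmlns:w="%s"><w:body><w:p>
  <w:r><w:t>constructed body text</w:t></w:r>
  <w:ins w:id="1" w:author="Ernesto Che" w:date="2016-06-17T00:56:00Z">
    <w:r><w:t xml:space="preserve">   </w:t></w:r>
  </w:ins>
</w:p></w:body></w:document>""" % NS["w"]


if __name__ == "__main__":
    result = analyze_docx(CORE_XML, DOCUMENT_XML)
    print("last saved (UTC):", result["saved_utc"])
    for rev in result["revisions"]:
        print("%s by %r at %s local -> offset UTC%+g (minutes agree: %s)" % (
            rev["kind"], rev["author"], rev["local_time"],
            rev["offset_hours"], rev["minutes_agree"]))
    # Blake method on a constructed legacy .doc pair that crosses midnight.
    print("legacy .doc pair:", utc_offset_hours(
        datetime(2016, 6, 15, 1, 30), datetime(2016, 6, 14, 22, 30)))
```

Run against the constructed sample, the tracked insertion comes out at UTC−7 with matching minute values, which is the pattern the report interprets as PDT; feeding it the GMT+3 test pair (19:12 local against 16:12Z) gives +3.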

Guccifer 2’s document, named hillary-for-america-fundraising-guidelines-from-agent-letter.docx, was saved on a computer which had Pacific Daylight Time (PDT) settings in force.

The PDT Finding Invalidates the Prior GMT+3 Findings

In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region.  However, when we place that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved in a location on the West Coast, US, we have to question our GMT+3 findings.

We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were generated on the West Coast, US.  Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia.  Here is how that shift will look if all 25 files were last saved on the West Coast (PDT).

g2-blog-file-last-mod-time-invalid
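The shift between the two histograms is a re-binning of the same UTC timestamps under two fixed-offset hypotheses. The following added example (not this report’s code or data) makes that step explicit: the 25 save times are constructed to resemble a GMT+3 office-hours cluster and are not the report’s measurements, which exist only in the figures above.

```python
"""Re-bin 'last saved' timestamps under two time zone hypotheses.

Added example, not the article's code or data.  The same UTC save times are
binned by local hour once for GMT+3 and once for PDT (UTC-7); a cluster that
reads as office hours under one offset reads as night work under the other.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed: 25 save times in UTC (the form stored in .docx core.xml and
# recoverable from legacy .doc files via the Blake method).  Not real data.
SAVE_TIMES_UTC = [
    datetime(2016, 6, 15, h, m)
    for h, m in [(6, 5), (7, 40), (7, 55), (8, 10), (8, 45), (9, 0), (9, 20),
                 (9, 50), (10, 5), (10, 30), (10, 55), (11, 15), (11, 40),
                 (11, 58), (12, 5), (12, 30), (12, 50), (13, 10), (13, 35),
                 (13, 59), (14, 20), (14, 45), (15, 5), (15, 40), (16, 15)]
]


def local_hour_histogram(utc_times, offset_hours):
    """Count saves per local hour of day under a hypothesised fixed UTC offset.

    Returns a 24-element list indexed by local hour; a negative offset that
    crosses midnight lands in the previous day's late hours, as it should."""
    counts = Counter((t + timedelta(hours=offset_hours)).hour for t in utc_times)
    return [counts.get(h, 0) for h in range(24)]


def office_hours_count(hist, start=9, end=18):
    """Saves falling in [start, end) local time, the band a 'working hours'
    argument rests on."""
    return sum(hist[start:end])


def render(hist, label):
    """Text histogram, one row per non-empty local hour."""
    lines = ["%s (n=%d)" % (label, sum(hist))]
    for hour, n in enumerate(hist):
        if n:
            lines.append("%02d:00 %-25s %d" % (hour, "#" * n, n))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, offset in (("GMT+3 hypothesis", 3), ("PDT (UTC-7) hypothesis", -7)):
        hist = local_hour_histogram(SAVE_TIMES_UTC, offset)
        print(render(hist, label))
        print("saves in 09:00-18:00 local: %d of %d\n" % (office_hours_count(hist), sum(hist)))
```

With the constructed input, 22 of 25 saves fall inside 09:00–18:00 local under GMT+3 and only 1 of 25 under PDT; the data did not change, only the offset assumed when reading it, which is exactly why a single independently dated document (the tracked revision above) can overturn a histogram-based working-hours argument.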

For those who might suggest that Guccifer 2 intentionally planted his “West Coast fingerprint”, we ask: what was his motive?  His first five documents appear to have been carefully crafted to send the message that they were generated somewhere in Russia, and his working hours appear to be consistent with that conclusion.   Why would Guccifer 2 want to undo his hard work?

Closing Thought

Courtesy: Goodreads

g2-doyle-improbable-quote
