Guccifer 2.0: Evidence Versus GRU Attribution

By Adam Carter --- December 20, 2019

It has been accepted as fact that Guccifer 2.0, an Internet "persona" that claimed credit for hacking the Democratic National Committee (DNC) in 2016, was controlled by Russian military intelligence (the GRU).

The evidence presented by Special Counsel Robert Mueller to support this key claim, however, is far from conclusive. Over the past three years independent researchers have uncovered major inconsistencies in the evidence adduced to support the "GRUccifer" premise. In fact, we have found abundant countervailing technical evidence.

The forensic evidence our independent research has produced demonstrates, for example, that some of Guccifer 2.0's “Russian breadcrumbs” were created by deliberate processes and conscious choices made by those behind the persona in a transparent attempt to blame Russia. In addition, independent digital forensic investigations have yielded a considerable volume of hard evidence that Guccifer 2.0 was operating within US timezones and with local settings peculiar to a device configured for use within the US.

Our forensic findings sit alongside constantly accumulating evidence that Guccifer 2.0 had transferred files using USB storage devices (such as thumbdrives).

The following article highlights discoveries made by independent forensic researchers. Their conclusions rest largely on hard evidence that has been ignored, omitted or suppressed in mainstream media, and they demonstrate that there is significant, evidence-based reason for high skepticism towards claims that Guccifer 2.0 was controlled by the GRU.



Introduction

Evidence For Attribution Of Guccifer 2.0 To The GRU Is Weak

The Netyksho indictment published in Summer 2018 and the Mueller report that followed it in Spring 2019 both allege that the Guccifer 2.0 persona was controlled by Russian military intelligence (GRU).

However, the evidence presented to us in these documents (and other published documents, assessments, etc) fails to conclusively demonstrate that the GRU were responsible for that which has been attributed to them.

We've seen no evidence that conclusively demonstrates that named GRU officers were responsible for the activities attributed to them, that infrastructure used was really under the GRU's control, that anonymous payments and bitcoin pools used were truly controlled by the GRU or that the GRU were genuinely responsible for the malware discovered at the DNC.

Considerable Volume of Countervailing Evidence Discovered And Mostly Suppressed In Mainstream Media

During the past three years, independent researchers from around the globe have investigated Guccifer 2.0 and have found many puzzle pieces that do not fit in with the claims made by the Special Counsel and Intelligence Community leaders.

The available evidence, when fully understood, provides ample justification for skepticism of the attribution of Guccifer 2.0 to the GRU.

Almost all of the evidence covered in this article has been suppressed or distorted by mainstream media. Typically it's just ignored but when that ceases to be an option strawman attacks are sought out instead (and these have typically focused on a comment made in passing within conclusion #7 of Forensicator's NGP-VAN analysis).

Before Guccifer 2.0 Emerged

On June 12, 2016, in an interview with ITV's Robert Peston, Julian Assange confirmed that WikiLeaks had emails relating to Hillary Clinton that they would be publishing. This announcement was prior to any reported contact with Guccifer 2.0 (or with DCLeaks).

On June 14, 2016, an article was published in the Washington Post citing statements from two CrowdStrike executives alleging that Russian intelligence had hacked the DNC and stolen opposition research on Trump. Although the research was allegedly stolen over a month before this, the article reveals that the statements came from the reporter speaking with those executives just before publication: the executives also mentioned that they had discovered hackers were still on the network just before Assange's interview (conveniently allowing, in theory, whatever Assange had in his possession to be blamed on those hackers).

On June 15, 2016, Guccifer 2.0 appeared and produced evidence purportedly from the alleged hacking incident, which, at first, seemed to provide legitimate corroboration of the hacking claims.

Day One: On The Surface

On June 15, 2016, those behind the Guccifer 2.0 persona:

Day One: Needless Searches Via A Proxy In Moscow & No Evidence To Show It Was Controlled By GRU

As covered above, we have been told that the GRU logged into a server in Moscow through which they carried out a number of searches.

Why would the Guccifer 2.0 operation need to search for these already-translated terms (several of which would later appear in his first blog post)?

If it was a Russian looking for the right term to use, entering all of these in Russian into Google translate would be far more understandable.

Going further, if this was the GRU and they were going to go to the trouble of using a proxy to carry out these searches, would they really choose to use one on their own doorstep?

While the server through which these searches were carried out is claimed to have been used by GRU officers, there doesn't appear to be any evidence available to support this nor has there been any explanation of how this was determined.

Day One: Guccifer 2.0's Russian VPN Service

In July, 2016, ThreatConnect published an article titled "Guccifer 2.0: All Roads Lead To Russia" that revealed the Guccifer 2.0 operation used a Russian VPN service to mask its origin.

Guccifer 2.0 then emailed various news outlets without taking any further measures to conceal the Russian origin of the VPN service (such as routing traffic through TOR, etc).

Clumsily, the persona even managed to pick a mail service provider (AOL.fr) that forwarded the sender's IP address within the email headers, making it possible to trace Guccifer 2.0's use of the VPN service without even needing to get assistance from the mail service provider.

ThreatConnect's analysis did speculate that Guccifer 2.0 could have been using a private or exclusive VPN node; however, it was later discovered that this was actually a server listed as "Default" (in Russian) in the screenshot ThreatConnect used in reference to this.

[Based on this correspondence, it seems I may have been the first person to bother reaching out to EliteVPN to inquire about the topic of Guccifer 2.0 using their services. I was surprised by this as I figured mainstream press would have carried out due diligence and contacted the firm long before I started investigating.]

Day One: Selectively Smiling In Russian?

Guccifer 2.0 used a 'Russian smiley' ")))" in his first blog post.

Some media outlets speculated that this showed Guccifer 2.0 was using a Russian keyboard, however, this appears to be based on little more than assumptions.

Guccifer 2.0 only ever used this twice and used what most of us are familiar with as a 'smiley' (i.e. ":)") far more frequently (we can see examples of this in his Twitter DMs with Motherboard/Vice and also with Robbin Young).

Was this really a slip-up or was it contrived?

Day One: A Claim Of Sending Material To WikiLeaks (Contradicted By Subsequent Communications)

Guccifer 2.0 did claim in his first blog post:

This claim not only implies that Guccifer 2.0 sent content to WikiLeaks but that WikiLeaks had already responded and provided information on intention to publish them.

However, a tweet by WikiLeaks in response to this showed WikiLeaks were skeptical, didn't confirm his claims and clearly doubted that he was really a hacker:

Going further, the Special Counsel investigation presented June 22, 2016 as being the first date on which contact between WikiLeaks and Guccifer 2.0 occurred and pointed out that the communication, via Twitter DMs (direct messages), involved WikiLeaks recommending that the persona send them material as it would have a higher impact than what Guccifer 2.0 was doing with the material.

It also makes clear that neither DCLeaks nor Guccifer 2.0 tried to contact Assange until AFTER he had announced that WikiLeaks were in possession of emails relating to Hillary Clinton (which occurred on June 12, 2016).

It should be noted that, in the Mueller report, "[stolen from the DNC]" is an editorial insert. So, we're not only seeing the Special Counsel cherry-picking sentences and citing them out of context, they're also injecting their own context.

Based on what we are led to believe, the GRU is alleged to have carried out internal communications via Twitter DMs, which again, seems insanely sloppy when they could have just sent an internal memo, internal email, discussed this over lunch or made a call between departments (assuming the GRU attribution is accurate):

We have reasons to doubt Guccifer 2.0's initial claims of sending content to WikiLeaks and if DCLeaks and Guccifer 2.0 were really two departments of the GRU, the GRU must have terrible operational security and no common sense.

Day One: Document Source Discrepancy

At first, it seemed that Guccifer 2.0 was presenting proof of hacking the DNC with the copy of the Trump Opposition Research he released. (Guccifer 2.0's own published statements even asserted that the persona acquired these files from the DNC.)

However, it has been discovered that the copy of the document used appears to have originated from John Podesta's GMail mailbox rather than the DNC.

In May 2017, a blogger with the screen name "JimmysLlama" posted an article to their site highlighting the fact that despite Guccifer 2.0 claiming to have hacked the DNC, the documents they published included a lot of emails that appeared to have come from John Podesta's GMail mailbox (which was reportedly phished in March of 2016).

There was also affirmation that came from a former DNC official on the origin of the research document.

In November 2017, an article was published by AP (Associated Press) titled "Inside Story: How Russians Hacked the Democrats' emails":

Thanks to Forensicator's subsequent analysis, we can see that all of Guccifer 2.0's first five documents probably came from Podesta's emails and we also know Warren Flood's name came from another attachment to one of Podesta's other emails (and that the "CONFIDENTIAL" watermark in Guccifer 2.0's copy of the research document originated from this, rather than being manually added in, as mainstream media articles suggested).

Guccifer 2.0 lied about the source of his documents to align with claims that were published just one day before he appeared.

Day One: Digital Forensic Analysis Exposes Deliberate Construction Process Behind Presence Of Cyrillic Metadata

In February 2017, a researcher by the name "tvor_22" published an article titled "Russia And WikiLeaks: The Case Of The Gilded Guccifer". In it, the author outlines a discovery made in relation to the first three files Guccifer 2.0 published.

Without going into the tedious technical details, it showed that, despite the documents being from different authors, evidence within the files indicated that those particular copies of the documents all came from a shared source and strangely showed someone named Warren Flood as the author rather than the original author of each document.

[We knew who the real author of the Trump Opposition research was early on because we found the original document attached to a Podesta email published by WikiLeaks.]

Following on from this, further observations were made by other researchers and it was possible to determine some basic facts about the process used by Guccifer 2.0 to create the first three documents released.

Guccifer 2.0's process involved creating a version of the Trump opposition research that was tainted with Russian metadata which was then used as a template to create further tainted documents.

This went beyond anything we would expect from someone accidentally mishandling the files.

While the purpose and motives behind this are open to speculation we can at least say this was a deliberate process. So, the name of Felix Dzerzhinsky aka Iron Felix being present (in Russian language) on the documents actually came about through a deliberate process.

In retrospect, this shouldn't come as a big surprise. Dzerzhinsky has been dead for over 90 years (the GRU even had a statue of him outside their headquarters in the past).

In early 2017, it was discovered that the Russian metadata left behind in Guccifer 2.0's first batch of documents came about due to an unusual and deliberate construction process inconsistent with someone accidentally mishandling documents.

Day One: Embedded Russian Language Error Messages Also Appear To Have Been Deliberate

Error messages in Russian language were literally embedded into Guccifer 2.0's version of the Trump opposition research and, as is true for the metadata, the more known about the process (how the evidence came to be), the more bizarre things get.

Forensicator detailed the evidence of this in an article titled: "Did Guccifer 2.0 Plant His Russian Fingerprints" (published in April, 2018) and discovered that the presence of Russian language error messages in Guccifer 2.0's Trump opposition research came from a convoluted process involving numerous stages (and those behind the persona would have been notified that the error messages were going to be translated, something that Forensicator covered in another article titled "Media Mishaps: Early Guccifer 2 Coverage" that was published in May 2018).

Both the Rich Text Format (RTF) version published on his site and most versions published by journalists had these embedded error messages in them.

The process outlined by Forensicator was as follows:

A particular source document, the “Trump opposition report” was chosen. Out of over 2000 Word (.docx) documents in the Podesta email collection, only four (4) contain problematic URL’s that will cause Word 2007 to mis-handle them and to incorrectly diagnose them as invalid. The other three (3) potential source documents have no particular significance to the Trump 2016 election campaign.



Thus, only the “Trump opposition report” has some significance and has the necessary characteristics which after several unusual steps leads to the final 1.doc document that has embedded Russian error messages in it. Guccifer 2 leaked this document to the media before publishing it on his blog site later that same day.



Word 2007 was used to create the document. Based on our testing, only Word 2007 has a bug that is triggered by problematic URL’s in the “Trump opposition report”.



Russian language settings were enabled, both in Word and at the system level. This ensured that the embedded error messages are displayed in Russian (using the Cyrillic alphabet).



Some of the hyperlink addresses in the “Trump opposition report” reference URL’s with ‘%20’ (HTML space) characters in them. These URL’s triggered a bug in Word 2007.

When the source document (the original “Trump opposition report”) is first opened, Word 2007 will issue a warning that there are problems with the document’s content. The user will have to confirm twice that he acknowledges the presence of those errors and wants Word 2007 to attempt a recovery.



The attempted recovery will be only partially successful; the problematic URL’s will be converted into empty URL’s. When this new file is saved in RTF format and then subsequently opened again, Word 2007 will diagnose those empty URL’s as invalid and display a locale-specific error message.



The choice of the RTF file format is unusual and surprising. RTF has not been in wide use for over 25 years. In fact, Word 2010 deprecated support for RTF. RTF is the only format that will retain the embedded Russian error messages that are found inside the final 1.doc document.



A copy/paste from the initially saved RTF file to another (empty template) document, followed by another “Save as (RTF)” operation is a necessary additional step, needed to embed the Russian error messages into 1.doc.



This copy/paste operation followed by a second “Save as (RTF)” operation will embed the Russian error messages into the URL’s text display value of the faulty hyperlink fields inside 1.doc. These embedded Russian error messages will become known as the “Russian fingerprints”. They appeared in the PDF files (derived from 1.doc) that were analyzed by various journalists/researchers.

Day One In Retrospect

The entity we are told is a clandestine campaign to interfere in the US election by Russia's military intelligence (GRU)...

Carried out searches for already translated terms that would later appear in Guccifer 2.0's first blog post and chose to use a proxy server in Moscow to do this.



Chose to use a Russian smiley in its first blog post.



Chose to use a Russian VPN service to cover their tracks.



Chose to use a mail service provider that exposed the VPN node IP address through which it contacted journalists.



Sent journalists documents that had Russian metadata in them that came from a process we know to have been deliberate (and errors that Guccifer 2.0 will have known were going to be translated into Russian) and also posted these to his blog along with other documents that were also edited that day for some reason.



Stated that they sent content to WikiLeaks even though later communications suggest this hadn't occurred and the Special Counsel doesn't appear to have found any communications between each party prior to June 22, 2016.



Misled journalists about the source of their copy of the Trump opposition research, claiming to have hacked it from the DNC when it really came from Podesta's emails.

Already, on day one, we have exposed a deliberate process behind some of Guccifer 2.0's Russian breadcrumbs and caught them lying about the source of their documents.

A false claim about the source of his version of the Trump opposition research document and the deliberate construction process that led to the documents being tainted both served to give false corroboration of claims that were published just one day before Guccifer 2.0 appeared.



Guccifer 2.0's apparent corroboration of the claims involved at least two deceptions.

Continued Needless Editing Creates A Tapestry Of Questionable & Conflicted Russian Metadata

Continuing the theme of unnecessary editing and apparent sloppiness, Guccifer 2.0 continued to release files tainted with Russian indicia in one form or another over the months that followed his appearance.

In numerous instances, editing was needless, involving little more than making a whitespace change to the content (enabling metadata, language settings, etc to be written back to the document by the application without making any noticeable alteration to the content).

This occurred over a range of dates spanning several batches of files that were released by Guccifer 2.0. Of the 175 documents uploaded to his blog, 36 were needlessly edited.

While there were some Romanian breadcrumbs these appeared only once, in files published on June 30, 2016. (This was 7 days after Guccifer 2.0 first claimed to have been a Romanian.)



source: https://theforensicator.wordpress.com/guccifer-2s-russian-breadcrumbs/

Full details of this and much more are covered in detail in Forensicator's "Guccifer 2's Russian Breadcrumbs" analysis.

June 18, 2016 (and June 30, 2016): Documents With "Track Changes" Enabled Record PDT Timezones

One of Guccifer 2.0's documents, edited on June 18, 2016 (link), had its language set to Russian but also had track changes enabled, which recorded an indicator that a PDT timezone setting was in effect.

Another of Guccifer 2.0's documents, edited on June 30, 2016 (link), had its language set to Romanian but likewise had track changes enabled, which again recorded an indicator that a PDT timezone setting was in effect.

Forensicator covered this in detail back on May 29, 2018 in an article titled "Guccifer 2’s West Coast Fingerprint" (and goes further, explaining that these discoveries put into question the GMT+3 indications found in the files that Guccifer 2.0 had modified).

June 18, 2016 (and June 30, 2016): Guccifer 2.0's Decimal Separator In System Settings Points To A Different Locale From The One Implied By Language Settings In Microsoft Word

On April 29, 2019, Forensicator published an article titled: "More Evidence that Guccifer 2 Planted His Russian Breadcrumbs" that covered another anomaly discovered in various files.

The decimal separator (which comes from operating system configuration but is recorded in Microsoft Word documents) conflicted with Russian (and Romanian) language settings in all but one instance.

(Direct links to all of the above documents on Guccifer 2.0's site can be found in the links section at the end of this article.)

Forensicator then sought out examples of documents from genuine Russian/Romanian sources to contrast this with:

So, the Russian and Romanian language indications found in almost all of Guccifer 2.0's files released on these dates were contradicted by locale settings that come from the operating system and that imply an origin other than Russia (or Romania).

June 21, 2016: Published Archive Reveals Indicators Of A Local Transfer & Central Timezone

On June 21, 2016, Guccifer 2.0 released an archive (Zip file) containing files related to Hillary Clinton ("HRC_pass.zip") in a blog post titled "Dossier On Hillary Clinton From DNC".

[One of the links, hosted by MediaFire is still operational at the time of writing (link)]

On August 28, 2018, researcher Bruce Leidl published analysis of the archive under the title "The HRC_pass..zip documents" that detailed a discovery of the archive being compiled while Central (US) timezone settings were in effect.

This was later followed up by Forensicator on May 27, 2019, in an article titled: "Transfer Rate Suggests Guccifer 2 used a Thumb Drive in the US Central Timezone" (from which the above image is sourced).

Forensicator highlights transfer speeds drawn from file creation times that provide a transfer rate in line with USB 2.0 combined with a 2-second rounding fact pattern observed with the files in the archive. These, together, suggest that the files were most likely transferred from a USB device shortly prior to creating the archive.



Leidl's discovery shows that, whatever the case (i.e. regardless of Forensicator's finding that a USB transfer was probable), Guccifer 2.0 constructed the "HRC_pass.zip" archive while Central timezone settings were in effect.

June 27, 2016: Email Communications Reveal Indicator Of Central Timezone

On June 27, 2016, Guccifer 2.0 engaged in a conversation with a reporter at The Smoking Gun. The local time written to the thread throughout (written by each side when replying to the other's responses) has made it possible to determine what timezone Guccifer 2.0's local time was set to.

On September 19, 2017, analyst Stephen McIntyre published an article titled "Guccifer 2 Email Time Zone" stating:

First, here is a screenshot of an email from guccifer20@aol.fr to The Smoking Gun offering emails on Hillary Clinton’s staff. (For orientation, this is three weeks after Trump Jr’s meeting and one week after the first memo in the Steele dossier.) It’s received at 3:43 PM Eastern (Daylight).

TSG replied a few minutes later, expressing interest, resulting in a second email from Guccifer 2 (Stephan Orphan) at 4:18 PM (Eastern). Within the thread, there is timestamp information on the timezone of G2’s computer: Guccifer 2 received his answer from Smoking Gun at 14:46, implying his timezone is reading one hour earlier i.e. Central.





McIntyre followed this up showing this occurred again later and included another screenshot highlighting it (see below).

It would seem, based on this evidence, that Guccifer 2.0's local time when sending emails was, for whatever reason, set in line with Central US (CDT) time.

June 27, 2016: Guccifer 2.0 Lying About WikiLeaks & Allegedly Using Twitter DMs For Intra-Agency Communication

In the email cited in the previous section, we can see that Guccifer 2.0 claimed to The Smoking Gun that DCLeaks was a "sub-project" of WikiLeaks. However, as ThreatConnect pointed out on August 12, 2016, there was no evidence to support this claim.

Also, as we can see from pages 46 and 47 of the Mueller report, Guccifer 2.0 later contacted DCLeaks (on September 15, 2016) and allegedly told them that WikiLeaks was wanting to get in contact with them.

If those behind Guccifer 2.0 genuinely believed that DCLeaks was really a "sub-project" of WikiLeaks, they shouldn't have felt compelled to make such a communication, yet they did.

Clearly Guccifer 2.0 lied about WikiLeaks and DCLeaks and then tried to encourage communications between the two.



It's also odd (based on the assumption that the GRU attribution is accurate) that the GRU would carry out intra-agency communications via Twitter DMs when they could have just communicated this via internal emails/memos, private meetings or discussed it over lunch in the canteen.

July 6, 2016: Using LibreOffice To Edit A Document While Eastern Timezone Settings Were In Effect

According to the available evidence, on July 6, 2016, Guccifer 2.0 used a copy of LibreOffice to edit several documents and posted them to his blog in an article titled "Trumpocalypse and other DNC plans for July".

The files were originally analyzed by Forensicator and reported on in his "Guccifer 2.0's Russian Breadcrumbs" article. Initially, it appeared as though the local timezone setting Guccifer 2.0 had been using was GMT+4 (which could have qualified it as a Russian breadcrumb).

However, Stephen McIntyre followed up on this, highlighting a bug in the version of LibreOffice that Guccifer 2.0 used that caused local time and zulu time to be recorded incorrectly (the wrong way around):

It turned out that the timezone Guccifer 2.0 had set when editing on this occasion was actually GMT -4 (US Eastern DST).

Forensicator covered this in a subsequent article titled: "Guccifer 2 Returns To The East Coast" and explained how the timezone can be ascertained:

Modern Microsoft Office documents are generally a collection of XML files and image files. This collection of files is packaged as a Zip file. LibreOffice can save documents in a Microsoft Office compatible format, but its file format differs in two important details: (1) the GMT time that the file was saved is recorded in the Zip file components that make up the final document and (2) the document internal last saved time is recorded as local time (unlike Microsoft Word, which records it as a GMT [UTC] value).

Forensicator also provided a method for extracting both timestamps from such files:

Evidence implies that, on July 6, 2016, Guccifer 2.0 edited documents while Eastern timezone settings were in effect on the device he was using.
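The two-timestamp comparison quoted above, carried out on a constructed LibreOffice-style .docx. This is an added example, not Forensicator's or the author's code; it assumes only the two file-format details the quote states (Zip member stamps in UTC, dcterms:modified in local time) and adds a sign correction for the swap bug McIntyre described.

```python
"""Recover the UTC offset under which a LibreOffice-produced .docx was saved.

Added example, not code from Forensicator or the page author. It rests on the
two details quoted above: LibreOffice stamps every Zip member with the UTC save
time, while docProps/core.xml records dcterms:modified as local time. The
container built here is a stub holding just those two fields (constructed data).
"""
import io
import zipfile
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}


def build_docx(zip_stamp: datetime, core_stamp: datetime) -> bytes:
    """Construct a minimal docx-like Zip: every member carries zip_stamp, and
    core.xml's dcterms:modified carries core_stamp. Zip (DOS) stamps have
    2-second resolution, so pass even seconds."""
    core_xml = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">'
        f'{core_stamp:%Y-%m-%dT%H:%M:%S}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("docProps/core.xml", core_xml),
                           ("word/document.xml", "<w:document/>")):
            info = zipfile.ZipInfo(name, date_time=zip_stamp.timetuple()[:6])
            zf.writestr(info, data)
    return buf.getvalue()


def extract_timestamps(docx_bytes: bytes):
    """Return (zip_member_time, core_modified_time) as naive datetimes."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        info = zf.getinfo("docProps/core.xml")
        zip_time = datetime(*info.date_time)
        root = ET.fromstring(zf.read("docProps/core.xml"))
    node = root.find("dcterms:modified", NS)
    # Word writes this value with a trailing "Z" (UTC); LibreOffice writes
    # bare local time. Slicing to 19 characters handles both forms.
    core_time = datetime.strptime(node.text[:19], "%Y-%m-%dT%H:%M:%S")
    return zip_time, core_time


def utc_offset_hours(docx_bytes: bytes, swapped: bool = False) -> float:
    """Local minus UTC in hours, snapped to a quarter hour. GMT-4 (US Eastern
    DST) gives -4.0. swapped=True applies the correction for the LibreOffice
    bug McIntyre described, where the two values were written the wrong way
    round, which flips the sign of the naive result."""
    zip_time, core_time = extract_timestamps(docx_bytes)
    hours = round((core_time - zip_time).total_seconds() / 900) * 0.25
    return -hours if swapped else hours


def sample_libreoffice_docx() -> bytes:
    """Constructed: saved 21:30 UTC on July 6, 2016 while the clock read
    17:30, i.e. the GMT-4 setting the page concludes was in effect."""
    return build_docx(datetime(2016, 7, 6, 21, 30, 0),
                      datetime(2016, 7, 6, 17, 30, 0))


def sample_swapped_docx() -> bytes:
    """Constructed: the same save by a build with the swap bug, so the Zip
    carries local time and core.xml carries UTC. Read naively it looks
    like GMT+4; with swapped=True it resolves to GMT-4."""
    return build_docx(datetime(2016, 7, 6, 17, 30, 0),
                      datetime(2016, 7, 6, 21, 30, 0))


def sample_word_style_docx() -> bytes:
    """Constructed Word-style file: core.xml also in UTC, so the offset is 0."""
    return build_docx(datetime(2016, 7, 6, 21, 30, 0),
                      datetime(2016, 7, 6, 21, 30, 0))


if __name__ == "__main__":
    print(utc_offset_hours(sample_libreoffice_docx()))          # -4.0
    print(utc_offset_hours(sample_swapped_docx()))              # 4.0 (naive)
    print(utc_offset_hours(sample_swapped_docx(), swapped=True))  # -4.0
    print(utc_offset_hours(sample_word_style_docx()))           # 0.0
```

On a real file the same two functions apply unchanged; only the constructed samples would be replaced by the bytes of the document under examination.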

September 1, 2016: Compiling An Archive With Eastern Timezone Setting In Effect

On September 12, 2016, Guccifer 2.0 posted an announcement to Twitter regarding "The Future of Cyber Security Europe 2016", an event that was planned for the following day:

At the event, a speech apparently written by Guccifer 2.0 was read out in his absence and reported on by mainstream press and a file was released alongside this.

The file was a 7-zip archive with the filename "7dc58-ngp-van.7z" containing files related to NGP-VAN, a privately owned voter database and web hosting service provider used by the Democratic Party and Democratic campaigns.

During the Summer, 2017, this archive was scrutinized by Forensicator and a study titled "Guccifer 2.0 NGP/VAN Metadata Analysis" was subsequently published that highlighted some interesting discoveries.

The files inside the archive were, according to the available evidence, transferred on July 5, 2016, at speeds averaging around 23MB/s (though the peak rate was considerably higher). The speeds observed correlated well with USB transfer speeds and, especially when considering the peak rate and the transfer rates available at the time, seem to have been too fast for an Internet transfer at that point in time (mid 2016).
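The rate-from-timestamps reasoning applied to HRC_pass.zip above and to the NGP/VAN files here, as an added example over a constructed archive listing (not Forensicator's or the author's code). It assumes, as those analyses do, that a file's recorded time marks when its write finished, and it also flags the 2-second rounding both sections mention.

```python
"""Estimate copy throughput from an archive listing and flag 2-second rounding.

Added example, not Forensicator's code. The listing is constructed; a real
run would feed in name, size and modification time from a 7z or zip listing.
"""
from dataclasses import dataclass
from datetime import datetime
from itertools import groupby

MB = 1_000_000  # decimal megabytes, matching the "23MB/s" figure quoted above


@dataclass(frozen=True)
class Entry:
    name: str
    size: int        # bytes
    mtime: datetime  # last-modified time as recorded in the archive


# Constructed listing: five files written in one burst, every stamp on an even
# second as a FAT-formatted drive would store it.
SAMPLE = [
    Entry("a.pdf", 10 * MB, datetime(2016, 7, 5, 12, 0, 0)),
    Entry("b.xlsx", 80 * MB, datetime(2016, 7, 5, 12, 0, 4)),
    Entry("c.docx", 100 * MB, datetime(2016, 7, 5, 12, 0, 6)),
    Entry("d.zip", 160 * MB, datetime(2016, 7, 5, 12, 0, 14)),
    Entry("e.pst", 120 * MB, datetime(2016, 7, 5, 12, 0, 20)),
]


def two_second_rounded(entries) -> bool:
    """True when every stamp sits on an even second with no sub-second part:
    the 2-second granularity of FAT timestamps, typical of USB flash media.
    7-Zip itself stores higher precision, so the rounding predates archiving."""
    return all(e.mtime.second % 2 == 0 and e.mtime.microsecond == 0
               for e in entries)


def interval_rates(entries):
    """Bytes written per interval between consecutive distinct stamps.
    A file's mtime marks when its write finished, so files stamped at t_i
    were written during (t_{i-1}, t_i]. Files sharing a stamp are pooled.
    Returns (elapsed_seconds, bytes, MB_per_second) tuples; the first file
    only anchors the start of the burst."""
    ordered = sorted(entries, key=lambda e: e.mtime)
    groups = [(t, sum(e.size for e in g))
              for t, g in groupby(ordered, key=lambda e: e.mtime)]
    rates = []
    for (t_prev, _), (t, nbytes) in zip(groups, groups[1:]):
        elapsed = (t - t_prev).total_seconds()
        rates.append((elapsed, nbytes, nbytes / elapsed / MB))
    return rates


def summarize(entries) -> dict:
    """Average and peak throughput across the burst plus the rounding flag.
    For scale: USB 2.0 bulk transfers reach roughly 30-40 MB/s in practice."""
    rates = interval_rates(entries)
    elapsed = sum(r[0] for r in rates)
    nbytes = sum(r[1] for r in rates)
    return {
        "average_MBps": round(nbytes / elapsed / MB, 1),
        "peak_MBps": round(max(r[2] for r in rates), 1),
        "two_second_rounded": two_second_rounded(entries),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
    # {'average_MBps': 23.0, 'peak_MBps': 50.0, 'two_second_rounded': True}
```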

It was also noted that:

On September 1, 2016, two months after copying the initial large collection of (alleged) DNC related content (the so-called NGP/VAN data), a subset was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.

The computer system where the working directories were built had Eastern Daylight Time (EDT) settings in force. Most likely, this system was located somewhere on the East Coast.

The .rar files and plain files that eventually end up in the “NGP VAN” 7zip file disclosed by Guccifer 2.0 on 9/13/2016 were likely first copied to a USB flash drive, which served as the source data for the final 7zip file. There is no information to determine when or where the final 7zip file was built.

It was possible to determine the timezone setting because contemporaneous files existed both inside and outside of the RAR files, and because the RAR files recorded timestamps in local time while the 7-zip archive recorded timestamps in UTC (Coordinated Universal Time).

Forensicator showed that, when viewing the archive from the PDT timezone there was a three hour shift:

It was discovered that the only way for these to align was to view the archive while EDT timezone settings were in effect.

Additionally, doing this also meant most of the folder timestamps (dated September 1, 2016) within the RAR files were close to the last modified timestamps of the RAR files (this was the case for eleven of the thirteen RAR files contained within the 7-zip archive).

So, it would seem that the RAR files were constructed while Eastern timezone settings were in effect (whether we gauge this on the July 5 timestamps or September 1 timestamps).

It was also noted that the files in the 7-zip's root directory had been rounded to the nearest 2 seconds (which was not caused by 7-zip, as it stores timestamps with higher precision) and that the path data was empty (suggesting that the files were archived directly from the root directory of the source storage device used).

Both of these facts together suggest a USB storage device had been used to transfer the RARs (and a few other files) and that the 7-zip archive was constructed from the files that were stored on that USB storage device.
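The alignment step described above, as an added example over constructed timestamps (not Forensicator's code): RAR member times are treated as local, 7-zip times as UTC, and the offset that brings contemporaneous files into line is searched for. Viewing the same data from PDT reproduces the three-hour shift the page describes.

```python
"""Find the UTC offset that makes RAR member stamps (local time) line up with
7-Zip stamps (UTC) for files copied in the same operation.

Added example, not Forensicator's code. The listing is constructed; a real run
would read the RAR and 7z listings with unrar/7z and feed those times in.
"""
from datetime import datetime, timedelta

# Constructed: RAR members store the local time of a July 5, 2016 copy burst...
RAR_LOCAL = [
    datetime(2016, 7, 5, 18, 39, 0),
    datetime(2016, 7, 5, 18, 40, 12),
    datetime(2016, 7, 5, 18, 43, 30),
]
# ...while the loose files in the 7z record the same burst in UTC.
SEVENZ_UTC = [
    datetime(2016, 7, 5, 22, 39, 4),
    datetime(2016, 7, 5, 22, 40, 16),
    datetime(2016, 7, 5, 22, 43, 32),
]


def residual_seconds(offset: timedelta, local_times=RAR_LOCAL,
                     utc_times=SEVENZ_UTC) -> float:
    """Sum, over the local stamps, of the distance to the nearest UTC stamp
    once each local stamp is converted with the candidate offset
    (UTC = local - offset)."""
    total = 0.0
    for t in local_times:
        as_utc = t - offset
        total += min(abs((as_utc - u).total_seconds()) for u in utc_times)
    return total


def residual_hours(offset_hours: float, local_times=RAR_LOCAL,
                   utc_times=SEVENZ_UTC) -> float:
    """Average misalignment per file, in hours, under a given offset. An
    EDT-built (-4) archive viewed from PDT (-7) shows about a 3-hour shift."""
    total = residual_seconds(timedelta(hours=offset_hours), local_times, utc_times)
    return total / len(local_times) / 3600


def infer_offset_hours(local_times=RAR_LOCAL, utc_times=SEVENZ_UTC) -> int:
    """Search whole-hour offsets from UTC-12 to UTC+14 for the best fit;
    -4 means EDT. Half-hour zones would need the candidate set widened."""
    return min(range(-12, 15),
               key=lambda h: residual_seconds(timedelta(hours=h),
                                              local_times, utc_times))


if __name__ == "__main__":
    best = infer_offset_hours()
    print(f"best offset: UTC{best:+d}")               # UTC-4
    print(f"misalignment at -4: {residual_hours(-4):.4f} h")
    print(f"misalignment at -7: {residual_hours(-7):.2f} h")  # about 3 h
```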

The evidence suggests that Guccifer 2.0 created RAR archives on September 1, 2016 while Eastern timezone settings were in effect and the files were then moved to a USB device (or were constructed and written directly onto that device).



The files on this device were then used to construct the 7-zip archive that was subsequently released at the "The Future of Cyber Security Europe 2016" event on September 13, 2016.

October 4, 2016: CF.7z Archive Release Reveals Yet Another Central Timezone Indication

On October 4, 2016, Guccifer 2.0 posted an article to its blog titled "Guccifer 2.0 Hacked Clinton Foundation" containing links to another 7-zip archive (which, at the time of writing, is still available here).

On September 18, 2017 (a couple of months after Forensicator's analysis of the NGP-VAN archive), Stephen McIntyre published an article titled "Time Zone of Guccifer 2 cf.7z".

McIntyre noted:

Guccifer 2’s other 7z dossier (cf.7z) was released on October 4, 2016 in a blogpost promising (but not delivering) salacious details of the Clinton Foundation. Like the previous dossier, the documents in cf.7z are mundane administration details of the Democratic Party of Virginia (DPVA) – not even the DNC. Whereas the documents of ngpvan.7z were all extremely stale (most recent documents from 2011), cf.7z consists of documents from 2013-2016. Its most recent document is from June 1-2, 2016, but documents originating after April 2016 are very sparse.



Three directories contain documents with modification dates of July 5, 2016. From the time gaps in the ngpvan.7z dossier, Forensicator had postulated that a much larger copying operation had taken place on July 5. The cf.7z documents with modification dates of July 5 seem to originate from this larger copy operation – but display as exactly one hour earlier, indicating a difference in time zone display rather than a different origin. The earliest time in the ngpvan.7z dossier was 18:39; the documents in the cf.7z/OFA directory (152.6 MB) have modification times between 17:34 and 17:38, immediately preceding, allowing for the postulated one hour time zone difference.



and concluded:

It seems certain to me that the DonorsByMM_2.xlsx document in each archive originated in a single copy operation with metadata differences arising from later processing. The timezone of the cf.7z dossier has somehow been set one hour earlier than the time zone of the ngpvan.7z dossier, which Forensicator deduced as Eastern North America. This implies Central time zone. In addition, somewhat different techniques were used in the preparation of the two dossiers.

So, the compilation of the CF.7z archive seems to have involved the processing of files while Central timezone settings were in effect.

Forensicator also followed up on this in an article published on September 19, 2017 (the day after McIntyre's article), titled "Guccifer 2.0 CF Files Metadata Analysis", which presented the following findings:

The CF files (dated 2016-07-05) fall into gaps in the NGP/VAN file time line. One large directory, OFA, precedes the earliest NGP/VAN file by about 1 minute.

The fact that the CF files’ last mod times generally fall into gaps in the NGP/VAN file time line affirms the Forensicator’s conclusion in the Guccifer 2.0 NGP/VAN Metadata Analysis report that the NGP/VAN time gaps were likely due to deliberate selection from a larger collection, and the gaps were not due to “think time”. This confirmation will be fed back into the NGP/VAN analysis as an update.

The last mod times of all the files in the cf.7z archive are all even multiples of two (2) seconds, indicating that this material was copied to a FAT-formatted media (e.g., a USB thumb drive) before the final cf.7z 7zip file was built from the files on that media.

The last mod times in the CF files (dated 2016-07-05) appear to be one hour earlier than those recorded in the NGP/VAN files. The Forensicator proposes a scenario where a FAT-formatted media (e.g., USB thumb drive) was written while in a location where Central US time zone settings were in force. This FAT-formatted media was then transported to a location where Eastern US time zone settings were in force. There, the material on the thumb drive was copied to an NTFS-formatted hard drive and the final (cf.7z) 7zip file was built from this copy of the files present on the hard drive. The result of this long chain of events is a series of CF files that appear to be time stamped one hour earlier than those in the NGP/VAN archive.

There are an extensive number of time gaps that are internal to directories in the CF files. This indicates that either the files were pulled from different source directories into a single destination directory (as is the case for the Donor Research and Prospecting directory), or the files were heavily curated/redacted (as appears to be the case for the OFA directory). (Worth noting, the NGP/VAN files did not have significant time gaps internal to any of the top level directories.)

The two (2) second granularity of the time stamps of the CF files prevents making a reliable transfer speed estimate for those files.

It was noted that some of the files found in the CF.7z archive, once their timestamps were adjusted to account for the one hour difference, fit neatly into gaps in the July 5, 2016, copying/transfer process:



From this chart, we observe: The CF files are in blue and the NGP/VAN files are in green.

Generally, only the first and last files in each group are shown, though a few additional files of interest have been added.

A blue arrow shows where the CF files fit into time slots in the NGP/VAN collection. The OFA directory in the CF file collection precedes the earliest NGP/VAN file by approximately one minute.

As discussed earlier, a few of the CF files match the NGP/VAN files by name. They are shown in this chart as occupying a time slot in the NGP-VAN file time line, because there is room and their position in the time line is consistent with the rounding rules for FAT-based time stamps.

With the CF.7z archive, it appears Guccifer 2.0's collation of files occurred while Central (US) timezone settings were in effect.



Additionally, the files used in this archive appear to have been contemporaneous with those released in the NGP-VAN archive.
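The two checks the CF.7z analysis rests on (FAT-style 2-second timestamp granularity, and whether one archive's timestamps slot into the gaps of another's timeline once a whole-hour offset is applied) are mechanical enough to script. The following is an added example written for this article, not Forensicator's or McIntyre's own tooling. It assumes the last-modified times have already been extracted from the archives (for instance from the output of `7z l -slt`) into Python datetimes; the timestamps below are constructed sample data with the same shape as the page describes, not the real archive metadata.

```python
from datetime import datetime, timedelta

# Constructed sample data (not the real archive metadata). Both sets of
# last-modified times are on 2016-07-05, as in the analysis above.
D = datetime(2016, 7, 5)
NGPVAN_MTIMES = (
    [D + timedelta(hours=18, minutes=39, seconds=s) for s in (2, 7, 11)]
    + [D + timedelta(hours=18, minutes=45, seconds=s) for s in (0, 3)]
    + [D + timedelta(hours=18, minutes=52, seconds=s) for s in (20, 21, 25)]
)
CF_MTIMES = [
    D + timedelta(hours=17, minutes=m, seconds=s)
    for m, s in (
        (34, 0), (36, 10), (38, 4),   # "OFA"-style files, just before the first reference file
        (41, 2), (42, 40),            # land inside the 18:39-18:45 gap once shifted by +1h
        (48, 30),                     # lands inside the 18:45-18:52 gap once shifted by +1h
    )
]


def fat_granular(times):
    """True if every timestamp has even seconds and no sub-second part.

    FAT filesystems store modification times with 2-second resolution, so a
    set of mtimes that are *all* even is a hint that the files passed through
    FAT-formatted media (e.g. a USB thumb drive) before being archived.
    """
    return all(t.second % 2 == 0 and t.microsecond == 0 for t in times)


def interior_gaps(times, min_gap=timedelta(minutes=1)):
    """Intervals between consecutive reference timestamps longer than min_gap."""
    ts = sorted(times)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > min_gap]


def gap_fits(reference, candidate, offset_hours):
    """Count candidate timestamps that, shifted by offset_hours, fall strictly
    inside an interior gap of the reference timeline."""
    gaps = interior_gaps(reference)
    shift = timedelta(hours=offset_hours)
    return sum(1 for t in candidate if any(a < t + shift < b for a, b in gaps))


def best_offset(reference, candidate, offsets=range(-12, 13)):
    """Whole-hour offset that slots the most candidate files into reference
    gaps; ties go to the smallest absolute offset. Returns (offset, scores)."""
    scores = {o: gap_fits(reference, candidate, o) for o in offsets}
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores


if __name__ == "__main__":
    print("CF mtimes FAT-granular:", fat_granular(CF_MTIMES))
    print("NGP/VAN mtimes FAT-granular:", fat_granular(NGPVAN_MTIMES))
    offset, scores = best_offset(NGPVAN_MTIMES, CF_MTIMES)
    print(f"best offset: {offset:+d}h, fits per offset: {scores}")
```

A gap-fit count of zero at every offset would argue for a different origin; a count that peaks at one particular whole-hour offset, as it does here at +1, is what the page's argument for a one-hour (Central versus Eastern) difference looks like in data. Note that the gap test only uses interior gaps: files that merely precede the earliest reference file (the "OFA" case above) are consistent with the hypothesis but do not count as evidence for it.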

October 18, 2016: Guccifer 2.0 Mixes Russian Timezone Indications with US/English Date Formats

On October 18, 2016, Guccifer 2.0 published screenshots of emails to his blog in an article titled "Trump’s taxes: Clinton campaign prepares a new provocation".

Forensicator scrutinized the metadata displayed in screenshots in his "Guccifer 2’s Russian Breadcrumbs" article:

and stated:

By observing the sender’s time both as the sender expressed it and as Guccifer 2 viewed it, we conclude that the system that Guccifer 2 used when taking this screen shot had GMT+3 time settings in effect. All three emails show that GMT+3 time settings were in effect. After 2014, Moscow, Ukraine, and Central Europe all adopted a GMT+3 time regime, during the summer.



Although this GMT+3 time indication is obvious and can be determined without special tools, it seemed to go unnoticed both by the media and a large community of researchers. Perhaps they had grown tired of Guccifer 2’s online antics and no longer critically reviewed his posts. It seems quite likely however that a professional forensics analyst tasked with tracking Guccifer 2 would quickly notice this GMT+3 indication.

Although this finding revealed an indicator that supports the premise of Guccifer 2.0 operating from within a timezone consistent with Russia, Forensicator also discovered something that conflicted with this:

In the email screenshots discussed earlier, we noted that some of them had GMT+3 timezone settings in force when the screenshots were taken. In contrast, however, we see below that the screenshots use United States style date formats.







It is understandable that the month and day names are written in English (not Russian, or Romanian); however, it is interesting that the date ordering and syntax are written in the style used in the US.

Forensicator also explained that we would expect “May 16, 2016 5:46:18 PM” to be written “16 May 2015 17:46:18” and “1/16/2015 11:36 PM” to be written “16.01.2015 23:36” if this were in accordance with the standard used in Europe and Russia.

The screenshots therefore provide a mix of timezone indications consistent with Russia and a date format consistent with locale settings used in the United States.

Independently Recorded: Blogging & Social Media Activities Placed Guccifer 2.0 In Central US Timezone

Guccifer 2.0 tweeted and also posted (and updated) content on his blog.

The times of his activities were independently recorded by Twitter and WordPress.

This data was collected and analyzed to try to get some insight into Guccifer 2.0's hours of activity.

On October 2, 2017, this author published an article titled: "Guccifer 2.0 Twitter And Blogging Activity Fits Central (US) Timezone" that reported on the data acquired and included charts showing the activity as it would appear from different timezones for typical day-time working hours.

Forensicator also produced an RMSD (root mean square deviation) chart from the captured data. It is at its lowest point where the timezone offset best fits in with work day hours (9 to 5).

The activity, in both cases, most neatly correlated with what we would expect to see from someone in the US Central timezone.
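The fit described above can be reproduced on any set of independently recorded activity times: apply each candidate UTC offset, bin the events by local hour, and score how close the result is to a 9-to-5 working day. The following is an added example written for this article (it is not Forensicator's RMSD script, whose exact scoring function is not given here). It assumes the idealised work day is a uniform spread of activity over 09:00-17:00 local time, and the timestamps are constructed sample data, not the real Twitter/WordPress records.

```python
import math
from datetime import datetime, timedelta

# Constructed sample (not the real dataset): UTC timestamps of posts/tweets.
# Activity sits between 14:00 and 21:59 UTC on five consecutive days, plus two
# late-night outliers, i.e. what a 9-to-5 day in UTC-5 (CDT) would look like.
SAMPLE_UTC = [datetime(2016, 7, 4 + day, hour, 17)
              for day in range(5) for hour in range(14, 22)]
SAMPLE_UTC += [datetime(2016, 7, 6, 2, 5), datetime(2016, 7, 8, 2, 40)]


def local_hour_histogram(utc_times, offset_hours):
    """Fraction of events per local hour-of-day once a fixed UTC offset is applied."""
    counts = [0] * 24
    for t in utc_times:
        counts[(t + timedelta(hours=offset_hours)).hour] += 1
    n = len(utc_times)
    return [c / n for c in counts]


def workday_rmsd(utc_times, offset_hours, start=9, end=17):
    """Root mean square deviation between the observed hourly distribution and
    an idealised work day: activity spread evenly over [start, end) local time
    and none outside it. Lower is a better fit."""
    observed = local_hour_histogram(utc_times, offset_hours)
    ideal = [1 / (end - start) if start <= h < end else 0.0 for h in range(24)]
    return math.sqrt(sum((o - i) ** 2 for o, i in zip(observed, ideal)) / 24)


def best_fit_offset(utc_times, offsets=range(-12, 15)):
    """UTC offset whose local clock makes the activity look most like a 9-to-5
    day. Returns (offset, {offset: rmsd}) so the whole curve can be plotted."""
    scores = {o: workday_rmsd(utc_times, o) for o in offsets}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = best_fit_offset(SAMPLE_UTC)
    for o in sorted(scores):
        print(f"UTC{o:+03d}  rmsd={scores[o]:.4f}" + ("  <- best" if o == best else ""))
```

Two caveats apply to a real run. First, the example treats the offset as fixed, but the Guccifer 2.0 activity window spanned a DST change; production code should localise each timestamp with `zoneinfo` per candidate zone rather than by a constant offset, so that summer and winter records are not smeared across two hours. Second, the minimum of the RMSD curve identifies an offset, not a country: in summer 2016 UTC-5 was US Central, but the same offset covers other places too, which is why the page combines this with the locale and filesystem indicators above.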

Dissent & Debunking Attempts

Unsurprisingly, we have seen dissent and attempts to debunk the discoveries that have been made.

In this section we address dissent that seems to have gained traction in mainstream press.

RSID Attributes Cloned Through Other Means?

"RSID" stands for Revision Save ID. Microsoft's OpenXML documentation provides the following definition:

"This element specifies the revision save ID that was associated with a single editing session for a document. An editing session is a span of time that begins and ends with any event that produces an editable file, such as a save or an e-mail send, and contains no such event."

The RSIDs have been used to demonstrate that Guccifer 2.0's first three documents all originated from the same source document.

We have seen speculation suggesting the RSIDs may have transferred across these documents simply from copying and pasting content.

So, we tested the theory, and it didn't stand up to scrutiny. If these RSIDs had come about from copying and pasting, they would have been accompanied by additional tags or attributes referencing the revision save session in which the copying/pasting occurred. In Guccifer 2.0's documents, evidence of these RSIDs having been transferred by copying and pasting is absent.
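Anyone wanting to check the RSID claim for themselves needs to pull the RSIDs out of the documents and compare them. A .docx is a zip container; Word records every editing session's RSID under `<w:rsids>` in `word/settings.xml`, and the paragraphs and runs in `word/document.xml` carry `w:rsidR`, `w:rsidRPr`, `w:rsidP`, `w:rsidDel` and similar attributes naming the session that produced them. The following is an added example written for this article, not the author's own tooling: it extracts both sets, reports the RSIDs shared by all documents and those found in only one of them (the extra sessions a later edit or paste would introduce). The three sample documents are built in memory from constructed XML so the example runs offline; their RSID values are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)


def extract_rsids(docx_bytes):
    """Return (declared, used).

    declared: RSIDs listed under <w:rsids> in word/settings.xml.
    used:     every value carried by an attribute whose local name starts with
              'rsid' (w:rsidR, w:rsidRPr, w:rsidP, w:rsidDel, w:rsidRDefault, ...)
              anywhere in word/document.xml.
    """
    declared, used = set(), set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/settings.xml" in names:
            root = ET.fromstring(z.read("word/settings.xml"))
            for el in root.iter(f"{{{W_NS}}}rsid"):
                val = el.get(f"{{{W_NS}}}val")
                if val:
                    declared.add(val.upper())
        if "word/document.xml" in names:
            for el in ET.fromstring(z.read("word/document.xml")).iter():
                for attr, val in el.attrib.items():
                    if attr.startswith(f"{{{W_NS}}}rsid"):
                        used.add(val.upper())
    return declared, used


def compare_rsids(docs):
    """docs: {name: docx_bytes}. Returns (shared, unique): the RSIDs present in
    every document, and per document the RSIDs found nowhere else."""
    per_doc = {}
    for name, data in docs.items():
        declared, used = extract_rsids(data)
        per_doc[name] = declared | used
    shared = set.intersection(*per_doc.values()) if per_doc else set()
    unique = {
        name: rs - set().union(*(o for n, o in per_doc.items() if n != name))
        for name, rs in per_doc.items()
    }
    return shared, unique


def make_docx(rsids, paragraphs):
    """Build a minimal, constructed .docx in memory (sample data for this example).
    paragraphs: iterable of (paragraph_rsid, run_default_rsid, text)."""
    settings = (
        f'<w:settings xmlns:w="{W_NS}"><w:rsids>'
        + "".join(f'<w:rsid w:val="{r}"/>' for r in rsids)
        + "</w:rsids></w:settings>"
    )
    body = "".join(
        f'<w:p w:rsidR="{p}" w:rsidRDefault="{r}"><w:r><w:t>{text}</w:t></w:r></w:p>'
        for p, r, text in paragraphs
    )
    document = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: 1 and 2 share a lineage (same two session RSIDs), 2 has one
# extra session, and "other" is unrelated. All RSID values are invented.
SAMPLE_DOCS = {
    "1.docx": make_docx(["00A1B2C3", "00D4E5F6"],
                        [("00A1B2C3", "00D4E5F6", "Shared text")]),
    "2.docx": make_docx(["00A1B2C3", "00D4E5F6", "00778899"],
                        [("00A1B2C3", "00D4E5F6", "Shared text"),
                         ("00778899", "00778899", "Added in a later session")]),
    "other.docx": make_docx(["00ABCDEF"],
                            [("00ABCDEF", "00ABCDEF", "Unrelated file")]),
}

if __name__ == "__main__":
    shared, unique = compare_rsids({k: SAMPLE_DOCS[k] for k in ("1.docx", "2.docx")})
    print("shared:", sorted(shared))
    print("unique per document:", {k: sorted(v) for k, v in unique.items()})
```

On real files, a shared RSID set between documents that were supposedly produced independently is the signal the page relies on; the `unique` sets are where one would look for the extra session identifiers that a copy-and-paste into a fresh document leaves behind, which is the check the author says came up empty.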

NGP-VAN Timestamp Tampering

Some critics have claimed that Guccifer 2.0 tampered with his NGP-VAN archive timestamps due to a statistical anomaly that seems to arise when two thirds of the timestamp data is arbitrarily discarded.

Forensicator has highlighted a few problems with this and argues that file and directory times actually clash when transfer durations are being accounted for (timestamps only show us when the disk writing operation ended).

In addition to this, I've noticed that the "DNC.rar" archive (within the NGP-VAN archive) has a lower minutes-past-the-hour value than its contents do:

This suggests the contents got their timestamps from an hour prior to when the archive did (even when we ignore the dates and hours as the tampering theory calls for). This inherently contradicts the premise of the activity originating within the same hour and provides another reason to doubt the validity of the timestamp tampering theory.

Timestamps Can Be Manipulated

Of course we know that timestamps can be manipulated. This is why we give consideration to which timestamps were obvious and easily found versus those that were obscure and likely to have been overlooked by those behind the Guccifer 2.0 operation.

We also gave consideration to the purpose of planting misleading information.

We know Guccifer 2.0 claimed to be Romanian, so we can understand why there would be Romanian language indicators planted.

We can see Guccifer 2.0 produced Russian breadcrumbs through deliberate processes so we can see a reason for such indicators being planted (or, from the perspective of others, we can explain the Russian breadcrumbs because "Guccifer 2.0 must be a GRU officer!").

But what do we make of the breadcrumbs pointing at the United States?

For what purpose would these have been planted considering these conflict with the Romanian identity Guccifer 2.0 was claiming and conflict with the Russian identity that other breadcrumbs point to?

No doubt some 'expert' will chime in with "It's just Russians trying to confuse you", however, the US indications were not obvious. As such, Guccifer 2.0 probably left all or most of them unintentionally.

Finally, as the previous section covered, we also sought to determine activity times based on timestamps that are independently recorded and these have correlated with what we'd expect to see from someone operating in the Central timezone too.

Conclusion

We have found that some of Guccifer 2.0's Russian breadcrumbs were created through deliberate processes and some of the evidence providing Russian signals seems contrived.

We have found that, when digging beyond the Russian breadcrumbs scattered on the surface, there are conflicts that point to other locales (within the US).

Regarding timezone indicia, we have found more distinct types of timezone indication pointing to US timezones than to Russia, and we have not seen a coherent explanation for this.

There are numerous inconsistencies in the evidence relied upon by those attributing Guccifer 2.0 to the GRU and a significant volume of evidence exists that, especially for timezone indicators, almost uniformly suggests a different origin for Guccifer 2.0.

We don't need conspiracy theories.

The available evidence, considered in aggregate, clearly provides ample justification for skepticism of the GRU attribution.

Appendix A: Links To Files Referenced

HRC_Pass.zip archived while CDT timezone in effect (via this page on G2's blog):

CF.7z archive (via this page on G2's blog):

NGP-VAN archive:

First batch of documents from day Guccifer 2.0 appeared:

PDT timezone recorded via track changes:

Document Edited & Published On July 6:

Decimal separator mismatching with language settings:

Appendix B: Links To Research & Articles