The case implicating Russia in the hack of the DNC and Clinton emails, including those of her campaign Manager, John Podesta, rests on suspect meta data in the documents posted by Guccifer 2.0 on line. According to Disobedient Media , “the files that Guccifer 2.0 initially pushed to reporters contained Russian metadata, a Russian stylesheet entry and in some cases embedded Russian error messages.”

CNOs are classified at the highest level in the United States and normally are handled within special restricted categories commonly known as SAPs (i.e, Special Access Programs). A critical element of these kinds of operations is to avoid leaving any fingerprints or clues that would enable the activity to be traced back to the United States. But this is not unique to the United States. All professional intelligence services around the world understand and practice this principle—leave no evidence behind that proves you were there.

Let us first stipulate that Russia and the United States have engaged in cyber espionage and covert action against each other since the dawn of the internet age. Within the U.S. Intelligence Community cyber ops are carried out by the NSA, the CIA and DIA, just to mention three of the more prominent members of the US Intel Community. These activities generally are referred to with the acronym, CNO—i.e., Computer Network Operations.

Special Counsel Robert Mueller is correct in stating that Guccifer 2.0 was a “fictious online persona. ” But he is wrong to claim that Guccifer 2.0 was a creation of the Russian Military Intelligence. Guccifer 2.0 appears to be a creation of the CIA and was one character in a broader scheme assembled to paint Donald Trump as a lackey of Vladimir Putin.

An examination of the Guccifer 2.0 documents shows that the meta data in the Guccifer 2.0 documents were manipulated deliberately to plant Russian fignerprints. This was not an accident nor an oversight due to carelessness by some computer operator.

One type of forensic evidence is meta data. What is meta data? This is geek shorthand to describe physical information or code that is written into a document created by a word processor software when a document is created. This data includes a variety of things, such as the date and time the document was created or modified. It tells you who created the document.

Russia did not hack the DNC. This is not my opinion. It is a conclusion of several cyber security professionals that flows from one very specific, easily tested claim made by the Special Counsel,--that Guccifer 2.0 was a fictional identity created by Russian Military Intelligence, i.e., the GRU. If the GRU had concocted Guccifer 2.0, then the forensic evidence should show that this entity was operating from Russia or under the direct control of entities linked to the GRU.

Why would the Russians make such a mistake, especially in such a high stake operation (targeting a national election with covert action most certainly is a high stake operation). Mueller and the U.S. intelligence community want you to believe that the Russians are just sloppy and careless buffoons. Those ideologically opposed to the Russians readily embrace this nonsenses. But for those who actually have dealt with Russian civilian and military intelligence operatives and operations, the Russians are sophisticated and cautious.

But we do not have to rely on our personal beliefs about the competence or incompetence of the Russians. We simply need to look at the forensic evidence contained in the documents posted by Guccifer 2.0. We will take Robert Mueller and his investigators at their word:

Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including “DCLeaks” and “Guccifer 2.0.” (p. 2-3)

The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”) [aka WIKILEAKS], that had previously posted documents stolen from U.S. persons, entities, and the U.S. government. (p. 3)

Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to release documents through WordPress that they had stolen from the DCCC and DNC. The Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals. (p. 15)

An examination of those documents tells a very different story. While it does not reveal who or what was Guccifer 2.0, it does undermine Mueller’s claim that it was the Russians who did these dastardly deeds.

One independent forensic computer investigator, who uses the name, “The Forensicator,” examined the meta data in some of the documents posted by Guccifer 2.0 and discovered the following:

Guccifer 2.0 published a file on 13 September 2016 that was originally copied on 5 July 2016 at approximately 6:45 PM Eastern time. It was copied and appeared as the “NGP VAN” 7zip file.

The estimated speed of transfer was 23 MB/s. This means that this initial data transfer could NOT have been done remotely over the Internet. Instead, it was likely done from a computer system that had direct access to the data. “By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high-speed network (LAN).”

This initial copying activity was done on a system that used Eastern Daylight Time (EDT) settings and was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy, which is a characteristic of the Linux ‘cp’ command (using default options).

On September 1, 2016, a subset of the initial large collection of DNC related content (the so-called NGP/VAN data), was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.

The alleged Russian fingerprints appeared in the first document “leaked” by Guccifer 2.0-- 1.doc—which was a report on Donald Trump. A forensic examination of the documents shows thatgiven the word processor program used to create the Donald Trump Document released by Guccifer 2.0, the author consciously and purposefully used formats that deliberately inserted “Russian fingerprints” into the document. In other words, the meta-data was purposely altered, and documents were pasted into a ‘Russianified’ word document with Russian language settings and style headings.

Here are the key facts:

The meta data shows that Slate_-_Domestic_-_USDA_-_2008-12-20.doc was the template for creating 1.doc, 2.docand 3.doc. This template injected “Warren Flood” as the author value and “GSA” as the company value in those first three Word documents. This template also injected the title, the watermark and header/footer fields found in the final documents (with slight modifications).

The Word documents published in June 2016 by Guccifer 2 also show a “last saved as” user id written in Cyrillic. The Anglicized name is “Felix Edmundovich“, aka “Iron Felix” (the infamous director of an early Soviet spy agency). If you are a Russian cyber spy trying to conduct a covert operation, why do you sign your document with the name of one of the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that this was just Russian audacity.

But the meta data tells a different story. When we examine The Revision Session Identifiers aka ‘RSID’s, in the Guccifer document, we see the same Russian style-headings in 1.doc, 2.doc and 3.doc. The document creation timestamps on docs 1, 2 and 3 also are all identical.

Given that MS word assigns a new random ‘RSID’ with each save when an element is added or edited (this function allows one to track changes made to a Word document), the only way to obtain identical creation timestamps means that someone either directly edited the source document or that there was one empty document open and that individual documents were copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as (2.doc), etc. This process also explains identical style-sheet RSIDs.