Recently, Duncan Campbell published an article in Computer Weekly titled: Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links [archive]. Mr. Campbell casts a wide net, pulling various people into his story of alleged pro-Kremlin conspiracy. In this article, Forensicator will address Campbell’s sensational claims and theories about Forensicator’s identity, alliances, motives, and methods. In short, Forensicator is not a GRU operative, not Adam Carter’s alter ego, and is not a pawn in Guccifer 2’s grand game of chess.

Introduction

Forensicator is an anonymous online blogger who has written several reports which analyze various document dumps made by Guccifer 2. Forensicator’s first report, Guccifer 2.0 NGP/VAN Metadata Analysis, was published July 9, 2017; Elizabeth Vos of Disobedient Media covered that report in an article titled, New Research Shows Guccifer 2.0 Files Were Copied Locally, Not Hacked.

The Forensicator’s first report went viral and has been covered widely by the legacy media, in alternative media, and in various social media venues. Of particular note, a well-respected group of former US security professionals (the VIPS) published an article a few weeks later (July 24, 2017) in Consortium News, titled Intel Vets Challenge ‘Russia Hack’ Evidence. The VIPS report was subsequently mentioned in an article published in The Nation, authored by Patrick Lawrence; that article (dated August 9, 2017) was titled A New Report Raises Big Questions About Last Year’s DNC Hack. Lawrence’s article generated a lot of controversy which The Nation addressed in a follow up article (September 1, 2017) titled, A Leak or a Hack? A Forum on the VIPS Memo. Recently (August 13, 2018), Patrick Lawrence published a one year retrospective, titled, ‘Too Big to Fail’: Russia-gate One Year After VIPS Showed a Leak, Not a Hack [Consortium News].

A journalist/blogger who goes by the pen name Adam Carter (@with_integrity on Twitter) runs a web site, g-2.space, which follows research related to the anonymous persona Guccifer 2. Guccifer 2 has been linked to Russia’s GRU spy agency by US intelligence agencies and was highlighted more recently (July 13, 2018) in a DOJ indictment.

It seems that Carter may have unknowingly locked horns with Duncan Campbell in November, 2017 when Carter published an article critical of Campbell’s reporting. Campbell had co-authored an article with James Risen that was published in The Intercept under the title CIA Director Met Advocate of Disputed DNC Hack Theory — at Trump’s Request. A month or so later, Campbell would begin a nine month quest to strip Carter’s anonymity.

Although the majority of Campbell’s article dwells on Carter’s background, there is some discussion of Forensicator’s research. It seems that Campbell wanted to weave Carter and Forensicator into an elaborate pro-Kremlin plot to spread disinformation. Campbell tells us that an objective of this plot was to seed conspiracy theories that linked a particular document dump published by Guccifer 2 with a DNC staffer who met an untimely death on July 10, 2016. Campbell speculates that Guccifer 2 “manipulated” and “tampered” with the data to achieve this desired effect.

Campbell further suggests (without support) that Forensicator might be a persona invented by Carter and that Carter and Forensicator went into action when they received a “tip-off file” (a Word document) from an unnamed third party that Campbell implies might be pro-Kremlin; perhaps linked to a Russian spy agency (the GRU).

Forensicator notes that this “tip-off file” is a publicly accessible document found on Carter’s web site. It is clearly labeled as being for “technical review only”. Forensicator and Carter both recall that this document was intended for technical review by a qualified independent third party. Forensicator also points out that a clearly labeled publicly accessible document is an unlikely form of covert communication from a state-sponsored intelligence organization.

A quick comparison between this “tip-off file” and Forensicator’s final report shows us that this Word document is a working draft of the final report. Campbell’s claim that neither Forensicator nor Carter wrote this document themselves is based upon the presence of a simple typo in a command line script found in Forensicator’s final blog.

In the discussion that follows, Forensicator goes to some trouble to demonstrate how that typo ended up in Forensicator’s blog. It was a simple copy/paste error that had nothing to do with Forensicator’s alleged lack of technical skills.

Further, although Campbell suggests that Forensicator enhanced this “tip-off file” for “propaganda effect”, Forensicator demonstrates that as he continued to work on his final report, he in fact removed and changed text that might have been much more suggestive of an internal DNC leak. Forensicator’s final report had a much lower “propaganda effect” than the draft document that Campbell calls the “tip-off file”. Campbell’s claim is without merit.

Campbell tells us that a key component in the “Forensicator Fraud” was Guccifer 2’s decision to use an outdated version of a file archiving program, WinRAR. It was the interaction between the older RAR archive format written by that version of WinRAR and the 7zip container that held those RAR files which led to Forensicator’s observation that the files in Guccifer 2’s final 7zip file had been written on the East Coast.

Forensicator tells us that hackers generally use cracked software and that these cracked programs are generally old and out-of-date. In fact, there are indications in another document that Guccifer 2 published that showed that a cracked version of Office 2007 had been used (which is over 10 years old). Guccifer 2’s decision to use an old cracked version of WinRAR was likely not a deliberate decision but rather a result of typical hacker behavior. We do not know if Guccifer 2 is an actual hacker or not, but he generally acted like one.

Campbell’s conspiracy theory falls flat after Forensicator strips away the “tip-off file”, the typo in a command line, the use of an outdated version of WinRAR, and the alleged “propaganda effect”.

In a closing section, Forensicator addresses Campbell’s criticism of another report authored by Forensicator, Guccifer 2.0 CF Files Metadata Analysis. Campbell takes exception to Forensicator’s conclusion, but can offer no counter-explanation other than that Guccifer 2 must have “tampered” with the dates by subtracting one hour from them. Campbell has no explanation for why Guccifer 2 would decide to tamper with the file dates in this way.

Forensicator points out that, for the other Zip file that Forensicator analyzed, Campbell took the opposite position: that Guccifer 2 manipulated the metadata in a very specific and obscure fashion with a particular objective in mind. Further, Campbell leaves out an important observation: The files were likely first written to a thumb drive. Forensicator’s scenario incorporates that observation; Campbell ignores it altogether.

The Tip-off File

As Campbell relates events, in early June, 2017 an “anonymous source” (presumably GRU operatives behind Guccifer 2) sent a “tip-off file” [archive] to Adam Carter. This tip-off file is a Word document which appears to be a rough draft of Forensicator’s final report, Guccifer 2.0 NGP/VAN Metadata Analysis, published a few weeks later. The “tip-off file” is found on Adam’s site, g-2.space. Per Campbell, this document was “rewritten for propaganda effect, [and] was published three weeks later [by the Forensicator]”.

The “tip-off file” was (and is) linked from this page [archive] on Carter’s web site.

That page is easy to find. Forensicator just removed one level of directory from the link to the document that Campbell provided and found the page above. In fact, that page can be located via a web search (emphasis added below). It is publicly accessible. How did Campbell and his technical team miss this?

Did Campbell notice this landing page that says the document is provided “for the purposes of technical review” and simply not mention it? Campbell’s phrasing, ‘a tip-off file obtained in June 2017 by Leonard’s site from an “anonymous source”’, sounds very much like he was aware of this page on Adam’s site that says the document is from “anonymous source #3”.

We will come back to this page and the “tip-off file” and discuss them in a bit more detail. In the meantime, we ask, does this look like a clandestine communication from a GRU operative? Why is it publicly accessible?

Spoiler alert: What if the “anonymous source #3” is the Forensicator and this document was intended for review by an independent third party, prior to publication?

Campbell says this about the “tip-off file”.

What Campbell is talking about here is that Forensicator analyzed metadata (file dates, times, and sizes) in a 7zip file that Guccifer 2 had uploaded almost a year earlier. Forensicator’s analysis “unlock[ed] information inside a tranche of files [a 7zip file] released by Guccifer 2.0”. Campbell suggests, but does not clearly state, that the Russian operatives behind Guccifer 2 had cleverly “manipulated [the metadata] to “prove” that the documents could have been stolen by a Democratic National Committee (DNC) employee.”

Before we go on: Forensicator made no claims about “leak vs. hack”, nor the actual source of the data that Guccifer 2 alleged had been taken from the DNC. Forensicator clearly states this in Corrections and Clarifications.

The Forensicator Appears

Per Campbell, a short time later, a team of unidentified individuals (presumably Russian GRU operatives behind Guccifer 2), along with Adam Carter, “created” Forensicator. Campbell is indefinite on what he means by “created”, but he seems to suggest that Forensicator is simply an anonymous online persona that Adam created out of whole cloth who continues to operate to this day; in fact, right now, as Forensicator types this article.

As Campbell relates the story, we know that Forensicator is an unskilled fake because these presumptive GRU agents sent along a bash script that had invalid syntax and Forensicator did not notice this before copying their broken script into his report. The implication here is that the GRU agents did all of Forensicator’s homework and Forensicator was too careless and unskilled to spot an error that they had made. Keep that thought; we will get back to this bit of wild speculation.

The Forensicator Fraud?

Campbell’s conspiracy thriller begins here.

Campbell is indefinite on what he means when he refers to the “Forensicator [‘s] fraud”. Campbell’s fraud theory seems to hinge on the idea that Guccifer 2.0 (a team of presumptive GRU agents) had carefully “manipulated” metadata (mainly last modification timestamps within a particular arrangement of differing Zip file formats). This was in preparation for the Forensicator, who would come along (as planned) ten (10) months later and then pretend to discover some unique clues in the metadata.

Presumably, the fraud here is that Forensicator (maybe really Adam, per Campbell) was lying in wait for the day that he would get the “go” signal in the form of a Word document that Campbell calls the “tip-off file”. As part of the operation, Forensicator posed as an independent analyst with some forensics skills, pretending to make a discovery that had been missed by others (for 10 months!) until the planned date of publication. All Forensicator had to do is to take this draft report (the “tip-off file”) that his controllers had sent him and spice it up “for propaganda effect” [Campbell].

Unfortunately, Forensicator (per Campbell) didn’t notice a typo in a bash script — this will be Forensicator’s undoing (not).

The Bourne (Shell) Conspiracy

Let’s return to Campbell’s “proof” that the Forensicator is a creation of the GRU and a dull tool. Recall that, per Campbell, the presence of a syntax error in a bash script that Forensicator posted “suggested that they did not write, understand, or test the script before they published. Someone else had sent the script, together with the fake conclusion they wanted discovered […].”

Before we dive in, the next few sections will add background.

B*A*S*H

Campbell refers to a “bash script”. Bash is a command interpreter (a shell) much like the Windows command line, except more powerful. It is the GNU project’s successor to the original Unix Bourne shell, sh; “Bash” is short for “Bourne-again shell” [Wikipedia]. Excerpts follow.

Paging Jane Doe

Campbell’s mention of the malformed bash script is reminiscent of a similar observation [archive] made (much earlier) by an anon blogger, Jane Doe.

As we can see below (emphasis added), Jane is no friend of the Forensicator.

Ms. Doe’s conclusions and observations (published a year earlier) are eerily similar to those of Mr. Campbell. Did Doe’s report inspire Campbell’s discovery? Was Campbell aware of Ms. Doe’s analysis, yet failed to give her credit?

Rushin’ to be Russian

Ms. Doe’s introduction refers to “error messages in Russian”. These Russian error messages (written in Cyrillic) were found near the end of PDFs published by journalists the same day (June 15, 2016) that Guccifer 2 appeared. The PDFs were derived from Guccifer 2’s very first document, the so-called “Trump opposition report”. Guccifer 2 leaked this document to The Smoking Gun and Gawker prior to publishing this document and others on his blog site.

Forensicator analyzed those documents in detail in Did Guccifer 2 Plant his Russian Fingerprints?. Forensicator also demonstrated that media outlets played a critical role in propagating the “Russian fingerprint” discovery; this is covered in Media Mishaps: Early Guccifer 2 Coverage.

Forensicator’s conclusion on Guccifer 2’s “Russian fingerprints” strongly differs from that of Ms. Doe. Forensicator concludes that the process which embedded those Russian error messages into Guccifer 2’s document is far too complex to have been the result of carelessness, or an accident. The evidence strongly suggests that Guccifer 2 planted the “Russian fingerprints” deliberately. Guccifer 2’s motive for doing so is unclear (because the “Russian fingerprints” are self-incriminating; they loudly suggest that Guccifer 2 might be a Russian operative).

Never Assume a Conspiracy as the Reason when a Simple Typo will do

Hanlon’s Razor is more direct: “Never attribute to malice that which is adequately explained by stupidity.”

With the preliminaries out of the way, let’s address the body of Campbell’s claim. Campbell asserts that the Forensicator did not write the script that was posted, because it has a garbled presentation. Further (per Campbell), since Forensicator did not write the script then “someone else had sent this script”. Campbell refers to this insert in the Guccifer 2.0 NGP/VAN Metadata Analysis report.

Let’s copy this out into a text file and see how it looks.

An astute bash programmer will notice that line 6 seems to be a very long line with unusual spacing and a misplaced line continuation (“\”) character. What happened here is that newlines were removed by WordPress when the text was pasted into a text box: a backslash that once sat at the end of a line, continuing the command onto the next, now sits in the middle of one, where bash reads it as escaping the space that follows it, and the statements that used to be on separate lines are run together.

Does this tell us that the Forensicator doesn’t know how to write a bash script, or more likely, that Forensicator is a careless user of WordPress.com? We can find the answer by turning to the draft Word document that Campbell calls the “tip-off file”.

It looks fine here and in fact bash will accept this and run it without complaint.

The history on this is that Forensicator’s blog is based on a free WordPress.com account. Free WordPress.com accounts are bare bones and lack some writer friendly features. Add to this set of circumstances that this blog is the Forensicator’s first ever blog and we have a recipe for disaster.

Initially, Forensicator pasted the script directly into the blog, but that didn’t work well because Forensicator couldn’t find a way to coax WordPress.com into interpreting the script as simple, unformatted text. Forensicator decided to solve the problem with the use of a “text box”; he pasted the bash script into a text box without checking the result. This led to the current situation where the line wrapping and formatting is wrong.
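As an added illustration (not part of the original post, and not Forensicator’s actual script, which the report shows only as an image), here is how a practitioner would check a pasted script for exactly this kind of damage before or after publishing it. The script text below is a constructed stand-in; it is only parsed, never executed.

```shell
#!/bin/sh
# Added example, not Forensicator's script: two checks for a pasted script.

# check_syntax: exit 0 if bash accepts the text, non-zero otherwise.
# bash -n parses without executing, so a half-broken script is safe to check.
check_syntax() {
    printf '%s\n' "$1" | bash -n 2>/dev/null
}

# stray_continuations: count lines where a backslash is followed by a space.
# A continuation backslash belongs at the very end of a line; one in the
# middle of a line is the signature of newlines having been stripped.
stray_continuations() {
    printf '%s\n' "$1" | grep -c '\\ ' || true
}

# Constructed stand-in for a metadata-listing loop (parsed only; stat -c is
# the GNU form and would not be run here in any case).
GOOD='cd "${1:-.}" || exit 1
for f in *; do
    stat -c "%Y %s %n" "$f" \
        | sort -n
done'

# The same text after a text box collapsed the inner newlines: the backslash
# now escapes a space, "done" is swallowed as an argument to sort, and the
# for loop is left unterminated.
MANGLED='cd "${1:-.}" || exit 1
for f in *; do     stat -c "%Y %s %n" "$f" \         | sort -n done'

if check_syntax "$GOOD"; then
    echo "original text: parses"
fi
check_syntax "$MANGLED" || echo "pasted copy: syntax error, $(stray_continuations "$MANGLED") stray continuation(s)"
```

Running `bash -n` on the text before pasting it, and again on the rendered result, would have caught the glitch; neither check says anything about who wrote the script.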

Forensicator notes that there have been a few sporadic reports of problems with the syntax of this text insert, but users were able to quickly fix the issue and use the script. As we saw, Jane Doe wasn’t too happy when she ran into this glitch, but was able to fix it and ultimately replicate the Forensicator’s results.

There is no bash script conspiracy. Forensicator wrote the script, but messed up the formatting when the text was copied into a text box. Forensicator should probably fix this issue; he had no idea that this glitch would be used as “proof” to allege that the Forensicator is a GRU operative.

A simple formatting error in a bash script is not evidence or proof that Forensicator is an apparatchik of the GRU.

The Tip-off File: A Draft Review Document

Campbell asserts that a publicly accessible Word document found on Carter’s web site is a “tip-off file”; Campbell implies that it may have been sent from a nefarious Russian agent. This claim is made without evidence or rationale. No explanation is given on how and why a document passed from a covert source would end up on a publicly accessible web page on Adam’s site.

Recall that this document is linked from a page which says that the document is for “technical review only”. It cautions the recipient not to disclose this document to “3rd parties.” Why? Because this is a pre-publication draft report, intended for internal review. This is all counter to Campbell’s conspiracy theory. Did he and his technical team ignore this evidence, which is at odds with their theory, or were they simply unaware of it?

When Forensicator first discovered the unique metadata properties in Guccifer 2’s ngpvan 7zip file, he shared his observations with Adam Carter, because Carter seemed to be the only researcher out there looking into Guccifer 2’s activities, using publicly available data. Adam in turn referred Forensicator to Elizabeth Vos of Disobedient Media, whom Adam had worked with previously.

Forensicator recommended to both Adam and Ms. Vos that his report be vetted by an independent technical reviewer, prior to publication. Forensicator made this recommendation both because he wanted confirmation of his methods and conclusions and also he realized that as an anon it is only reasonable for people to be skeptical of his work. This “tip-off file” (authored by Forensicator) was intended for independent pre-publication review.

Carter is hazy on the details of why this “tip-off file” still remains on his g-2.space site. Given that the final report has long been published and reviewed by many, there is nothing inherently wrong with this draft being there. However, its presence led Campbell to build an entire conspiracy theory around this draft review document. Campbell’s misunderstanding could have been cleared up if he had asked Carter about the document, but it seems that Campbell felt it was a smoking gun that he would later use as the basis of a “scoop” in his article.

There is no “tip-off file” conspiracy. The Word document that Campbell concludes must have been given to Forensicator via a nefarious Russian third party is instead what it appears to be: an early draft, written by Forensicator. It is a work-in-progress draft of the final report. This draft is publicly accessible on Carter’s web site. The final version was published on Forensicator’s WordPress blog. The draft document was intended for internal review by a qualified third party; it is not a “tip-off file”.

Propaganda Effect

Let’s return to what Campbell had to say about the “tip-off file” (emphasis added).

Campbell suggests that Forensicator took a document (the “tip-off file”) that (per Campbell) may have originated with some unnamed and unidentified GRU agents. Forensicator, Campbell claims, spiced up the document for “propaganda effect” and subsequently published the result of his creative endeavor.

Let’s have a look at the first page from the original “tip-off file” (emphasis added).

Per Campbell’s theory, Forensicator did not write his own report; rather, it was given to Forensicator by some unnamed (pro-Kremlin) third party. Further, Forensicator might not in fact be a real person, but rather a persona created by Adam Carter. Campbell’s most damning claim: Forensicator has shown low technical skills because he did not fix a bash script that was mangled when pasted into a text box on his blog site. Given all this, Campbell tells us that the only thing that Forensicator is capable of doing with this document is to “[rewrite it] for propaganda effect”.

Above, highlighted in yellow, are phrases that were changed or removed when going from this working draft on Carter’s site to the final report on Forensicator’s blog, summarized below.

There were many references to “DNC files” which were subsequently removed or summarized as “(alleged) DNC files”. Initially, Forensicator took Guccifer 2 at his word that the files disclosed were from the DNC, presumably recently. Upon closer inspection, Forensicator reached the same conclusion as Campbell, “[…] they were all stale, deadwood information, and of no relevance in 2016. All had been completed and closed before the previous presidential election in 2012.” On that basis, Forensicator removed the direct references to “DNC files”.

When Forensicator initially reviewed the ngpvan.7z metadata, he saw a “Unix-like” file copy pattern for the files copied on 7/5/2016. He saw that there were gaps in the copying timeline and that estimated transfer speeds indicated local copying. Forensicator’s first working theory was that the time gaps might be explained by “think time”; Forensicator mentions this in his report along with the fact that the “think time” hypothesis was eventually discarded.

Forensicator went with the idea that Guccifer 2 was selecting his files for the ngpvan 7zip archive from a much larger (perhaps 10x larger) collection of data that had been taken.

Eventually, Forensicator’s decision to abandon the “think time” theory was vindicated by his study of another Zip file in Guccifer 2.0 CF Files Metadata Analysis. When the “think time” theory was dropped, the idea of accessing the files interactively via a VPN running something like MacOS was also dropped.

There is no “propaganda effect” conspiracy. Many of the changes made when going from the draft to the final report lowered its “propaganda effect”. For example, the highlighted changes removed direct implications of “leak versus hack”, which would have had a much higher propaganda effect – if Forensicator’s goal was to stir the conspiracy pot.

WinRAR: Hackers Don’t Pay Retail

In Guccifer 2.0 NGP/VAN Metadata Analysis Forensicator noticed that the ngpvan 7zip file contained several RAR files. The RAR files were recorded in an older (version 4) format, which became key to determining that the files were likely written on the East Coast: that format stores last-modified times as local wall-clock (MS-DOS style) timestamps with no time zone information, whereas 7zip stores them in UTC, so comparing the two kinds of timestamp reveals the UTC offset, and hence the time zone setting, of the machine that wrote them. Forensicator took the position that this obscure relationship between differing archive formats ruled out the idea that Guccifer 2 wanted researchers to discover this key finding. Thus, Forensicator concludes that Guccifer 2 did not plant this East Coast indication.
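The format detail behind that finding, as an added example that is not Forensicator’s code and does not use Guccifer 2’s actual metadata: RAR 4.x headers carry the standard MS-DOS date/time (local wall clock, two-second resolution, no zone), while 7zip carries a Windows FILETIME (UTC, 100 ns ticks since 1601). Given both kinds of timestamp for the same write, the UTC offset of the archiving machine follows. The timestamp values below are constructed; the Eastern Daylight Time figure (UTC-4) is chosen to match the scenario in the text, and the assumption that the RAR entry carried only the DOS timestamp (WinRAR 4.x can optionally add a high-precision extended time) is the example’s, not the page’s.

```python
"""Added example (not Forensicator's script): recover the UTC offset of the
machine that wrote a RAR 4.x entry by comparing its DOS local time with the
UTC FILETIME that 7zip records for the same write. Timestamps are constructed."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Decode a 7z/NTFS FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the sample values."""
    td = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def dos_to_naive(dos_date, dos_time):
    """Decode the 16-bit MS-DOS date and time fields used by RAR 4.x and ZIP."""
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2          # stored in 2-second units
    return datetime(year, month, day, hour, minute, second)


def naive_to_dos(dt):
    """Encode a local wall-clock time as DOS date/time (odd seconds truncate)."""
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return dos_date, dos_time


def utc_offset_hours(dos_date, dos_time, filetime):
    """Local minus UTC for one file, rounded to the nearest half hour: the DOS
    field drops up to 1.99 s, so the raw difference is never exactly whole."""
    local = dos_to_naive(dos_date, dos_time)
    utc = filetime_to_utc(filetime).replace(tzinfo=None)
    raw_hours = (local - utc).total_seconds() / 3600
    return round(raw_hours * 2) / 2


def offset_for(local_naive, utc_aware):
    """Encode a (local, UTC) pair the way the two formats would, then decode."""
    dos_date, dos_time = naive_to_dos(local_naive)
    return utc_offset_hours(dos_date, dos_time, utc_to_filetime(utc_aware))


# Constructed sample: one file written at 18:39:01 local on 2016-07-05.
SAMPLE_LOCAL = datetime(2016, 7, 5, 18, 39, 1)
# ...by a machine on US Eastern Daylight Time (UTC-4): 7z side sees 22:39:01Z
SAMPLE_UTC_EASTERN = datetime(2016, 7, 5, 22, 39, 1, tzinfo=timezone.utc)
# ...or on US Central Daylight Time (UTC-5): 7z side would see 23:39:01Z
SAMPLE_UTC_CENTRAL = datetime(2016, 7, 5, 23, 39, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("Eastern sample offset:", offset_for(SAMPLE_LOCAL, SAMPLE_UTC_EASTERN))
    print("Central sample offset:", offset_for(SAMPLE_LOCAL, SAMPLE_UTC_CENTRAL))
```

The half-hour rounding matters in practice: because the DOS field truncates to even seconds, a raw difference of -4.0003 hours is the normal appearance of a UTC-4 machine, not evidence of tampering. A consistent offset across many files is what makes the inference sound; a single file proves little.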

Campbell differs and says this was in fact Guccifer 2’s intent and Forensicator was “created” to discover and publish this obscure finding – with a plan to spread disinformation by fueling conspiracy theories. Here is what Campbell said (emphasis added).

Campbell tells us that the Russian operatives behind Guccifer 2 deliberately chose an outdated version of WinRAR in order to work their magic.

As a practical matter, hackers and spies do not typically buy retail software. We saw the use of cracked software in Did Guccifer 2 Plant his Russian Fingerprints? where one of the Word documents doctored by Guccifer 2 showed Grizli777 as the Company name in its metadata. One researcher [@_fl01] was quick to notice this.

It is unsurprising that Guccifer 2 would choose an old version of WinRAR, given his use of other cracked software and his hacker-like behavior. Campbell’s conspiracy theory hinges on the assumption that Guccifer 2 deliberately chose this old version of WinRAR to establish the metadata pattern that would later be discovered by the Forensicator (per plan, as Campbell speculates).

Campbell questions Guccifer 2’s choice of both WinRAR and 7zip. Interestingly, both programs are authored by Russian software developers. For some researchers and analysts, this lineage might be seen as another “Russian fingerprint”. The planting of “fingerprints” like this is consistent with Guccifer 2’s overall behavior.

Per Campbell, the Russians deliberately planned for the East Coast file copying finding to be discovered in combination with the last written dates of 7/5/2016. This discovery would (per plan) feed a conspiracy theory where this batch of files would be linked to a DNC employee (who was killed five days later on 7/10/2016).

Forensicator questions the validity of Campbell’s theory, noting that the files chosen had a dubious link to the DNC. Further, if disclosure of Forensicator’s analysis was the plan, why wasn’t this discovery published in a more timely fashion? Forensicator made his discovery almost a year after Guccifer 2 dumped the ngpvan Zip file. Forensicator’s discovery would have had a much higher impact if it came out before the 2016 election.

Mueller’s indictment tells us that gigabytes of DNC data were taken (by the GRU operatives who were also behind Guccifer 2) in late April, 2016 (emphasis added).

With all that relevant, current, DNC data to choose from why did Guccifer 2 select files that were in Campbell’s words, “stale, deadwood information, and of no relevance in 2016?” It is unlikely that a DNC employee would take the risk to leak those irrelevant DNC files.

A question for Campbell to consider: Why did Guccifer 2 uniformly leak harmless, innocuous data when (per the DOJ indictment) there were gigabytes of current, potentially damaging, data to choose from?

There is no WinRAR conspiracy. Guccifer 2’s choice of an old version of WinRAR was typical hacker behavior. Guccifer 2 likely used an old cracked version of WinRAR, because that is what hackers (or wannabe hackers) do. This old version of WinRAR was not deliberately chosen to advance the GRU’s devious plan, as Campbell would like us to believe.

Why do Hackers, Leakers, and Spies Use Thumb Drives?

Forensicator studied the metadata of two Zip files that Guccifer released: ngpvan.7z and cf.7z. In both cases, there were indications that the files in those Zip files had been first copied to a thumb drive. This is noteworthy, because a thumb drive must be physically inserted into a computer and then removed by someone who is on site (in order to access the data at a later time).

In the case of the ngpvan.7z Zip file, there is evidence that the files in that archive were written on the East Coast. For cf.7z, a scenario exists where its component files were first written to a thumb drive in the Central Time Zone and then later the final archive was built on the East Coast.

Hackers, leakers, spies, and workers in a secure setting often use removable media such as thumb drives to “air-gap” a copy operation. In Guccifer 2’s case, the motive may have been to avoid detection (which might result if the data were transferred over the Internet).

Guccifer 2 Ate My Homework

Campbell criticizes another report authored by Forensicator, Guccifer 2.0 CF Files Metadata Analysis. That report analyzed the metadata in a large Zip file that Guccifer dumped in October, 2016 (a month after the ngpvan Zip file). It goes by the name cf.7z because Guccifer 2 tried to convince us that the files were taken from the Clinton Foundation (hence, cf). In fact, much of the data came from the DCCC; some of this DCCC data was quite current (with indications that it may have been taken as late as June, 2016).

Forensicator noticed that there were files dated 7/5/2016, which is the same date as found in the ngpvan.7z Zip file (the data that we have discussed so far). The times in cf.7z appeared to be one hour earlier than those in ngpvan.7z. Of interest to the Forensicator was that after advancing the cf.7z times by one hour, the files filled in time gaps in the ngpvan.7z files. This is illustrated in the chart below.

Above, the files in light blue are new files that are in cf.7z; the light green files are from the ngpvan.7z Zip file. After adding +1 hour to the last modified time of the cf.7z files, we see that they fit like a glove.

This was an important finding, because as you may recall, Forensicator’s “think time” theory (used to explain the gaps in the ngpvan.7z timeline) had been discarded in favor of the idea that the files had been selected from a much (10x) larger collection of files. The presence of additional 7/5/2016 dated files found in cf.7z supports Forensicator’s decision to drop the “think time” theory (lowering the “propaganda effect” of the final report).
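Two of the checks described above (the transfer-speed estimate mentioned in connection with the draft, and the test of whether the cf.7z times fill the ngpvan.7z gaps once shifted by an hour), as an added example that is not Forensicator’s code and uses constructed timestamps and sizes rather than the real archive metadata. The 60-second burst threshold and the whole-hour offset search are the example’s own assumptions.

```python
"""Added example (not Forensicator's code). Constructed sample data only.

1. bursts()/burst_rates(): group last-modified times into copy bursts and
   estimate bytes per second inside each burst.
2. gap_fit()/best_offset(): test whether a second archive's times, shifted by
   a whole number of hours, fall into the idle gaps of the first archive's
   copy session rather than on top of its bursts.
"""
from datetime import datetime, timedelta

T0 = datetime(2016, 7, 5, 18, 39, 0)   # constructed session start (wall clock)

# (last-modified time, size in bytes): constructed, not ngpvan.7z's real data
NGPVAN = [
    (T0 + timedelta(seconds=2), 4_000_000),
    (T0 + timedelta(seconds=5), 6_000_000),
    (T0 + timedelta(seconds=9), 8_000_000),
    (T0 + timedelta(minutes=11), 3_000_000),
    (T0 + timedelta(minutes=11, seconds=4), 7_000_000),
]

# Times from a second archive whose clock reads one hour earlier (constructed)
CF = [T0 + timedelta(minutes=m, seconds=s) - timedelta(hours=1)
      for m, s in ((5, 10), (5, 14), (6, 1))]


def bursts(entries, max_gap=timedelta(seconds=60)):
    """Split (mtime, size) pairs into bursts; a silence longer than max_gap
    between consecutive mtimes starts a new burst."""
    groups = []
    for mtime, size in sorted(entries):
        if groups and mtime - groups[-1][-1][0] <= max_gap:
            groups[-1].append((mtime, size))
        else:
            groups.append([(mtime, size)])
    return groups


def burst_rates(entries, max_gap=timedelta(seconds=60)):
    """Bytes per second within each burst of two or more files. An mtime marks
    the end of that file's write, so the first file's bytes are excluded and
    the elapsed time runs from the first mtime to the last."""
    rates = []
    for group in bursts(entries, max_gap):
        if len(group) < 2:
            continue
        elapsed = (group[-1][0] - group[0][0]).total_seconds()
        nbytes = sum(size for _, size in group[1:])
        rates.append(nbytes / elapsed)
    return rates


def gap_fit(base_entries, other_times, offset_hours, max_gap=timedelta(seconds=60)):
    """Fraction of other_times that, shifted by offset_hours, land inside the
    base session but in an idle gap (not inside any base burst)."""
    if not other_times:
        return 0.0
    groups = bursts(base_entries, max_gap)
    session_start, session_end = groups[0][0][0], groups[-1][-1][0]
    shift = timedelta(hours=offset_hours)
    hits = 0
    for t in other_times:
        t = t + shift
        in_session = session_start < t < session_end
        in_burst = any(g[0][0] <= t <= g[-1][0] for g in groups)
        hits += in_session and not in_burst
    return hits / len(other_times)


def best_offset(base_entries, other_times, candidates=range(-12, 13)):
    """Whole-hour shift that places the most other_times into base's gaps."""
    return max(candidates, key=lambda h: gap_fit(base_entries, other_times, h))


if __name__ == "__main__":
    print("MB/s per burst:", [round(r / 1e6, 2) for r in burst_rates(NGPVAN)])
    print("best offset (hours):", best_offset(NGPVAN, CF))
```

With the constructed data the +1 hour shift is the only candidate that drops every cf.7z time into an idle gap of the ngpvan.7z session; a shift that instead lands times on top of an existing burst, or outside the session altogether, scores zero. The per-burst rates are what the text calls estimated transfer speeds; what counts as too fast for a remote transfer is a judgment the analyst makes against the links available, not something the code decides.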

Why are the cf.7z files one hour behind the ngpvan.7z files? Forensicator offered a possible scenario: The file data originated in the Central Time Zone, where it was copied to a thumb drive. This thumb drive was then transported to the East Coast, where the final cf.7z file was built. Campbell dismisses this idea out of hand. Below are quotes from Campbell’s article (emphasis added).

In response to Forensicator’s proposed scenario, Campbell suggests that Guccifer 2 decremented the hour value on those files for no apparent reason. Further, Campbell ignores Forensicator’s observation that all the files in the cf.7z Zip file were likely first copied to a thumb drive. Forensicator includes this observation in his scenario, while Campbell quietly ignores this important fact.

If Forensicator’s theory holds, it shows that those files were copied (by a person who was physically present) within the confines of the US (in this case the Central Time Zone). Further, the final 7zip file was likely built on the East Coast. It is those conclusions that probably make Campbell uncomfortable — they run counter to his well spun conspiracy theory.

Forensicator accepts that “tampering” is always a possibility when evaluating file metadata. Before reaching such a conclusion, Forensicator looks for obvious inconsistencies, lack of correlation with other data, or a possible motive for tampering with the data. In this case, simply decrementing the hour value serves no purpose. Therefore, Forensicator looked for (and described) an alternative scenario. Campbell provides us with no explanation as to why Guccifer 2 would want to tweak the hour value for this group of files.

Surprisingly, Campbell subscribes to the theory that for this set of files Guccifer 2 tampered with the dates for no stated purpose. Yet, for the ngpvan.7z files (Campbell tells us) Guccifer 2 showed great care, skill, and planning to arrange the metadata in a way that it would lead to the conclusion that the files were leaked by an ill-fated DNC employee.

Campbell’s explain-it-away “tampering” claim is equivalent to the excuse, “Guccifer 2 ate my homework.” Campbell provides no rationale on why Guccifer 2 decremented the hour value in the cf.7z files and seems to choose this explanation simply because he dismisses Forensicator’s scenario and can find no other suitable alternative. Forensicator incorporates the likely use of a thumb drive into his proposed scenario; Campbell leaves out this important finding.

Summary

Forensicator’s conclusions are summarized in the table below.

Closing Thought

Scottish Proverbs (James Kelly, 1771)