Forensicator: Guccifer 2.0’s Russian Breadcrumbs

Editorial note: Forensicator recently published a report titled Guccifer 2’s Russian Breadcrumbs, digging out many new metadata clues found in the documents that Guccifer 2.0 modified before publishing them on their WordPress blog. That report builds on Forensicator’s previous work, which detailed the complex process that Guccifer 2.0 likely used to plant “Russian fingerprints” in the Trump opposition report that Guccifer 2.0 pre-disclosed to two legacy media outlets and later published.

Below, with permission from the author, we reproduce excerpted portions of the Forensicator’s latest report.


In this report, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog.  Some new discoveries are made, some revisited.  Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia.  Except for one head fake, when Guccifer 2 was Romanian for a day.

This report builds on two previous articles: Did Guccifer 2 Plant his Russian Fingerprints? and Media Mishaps: Early Guccifer 2 Coverage.  In those reports we analyze Guccifer 2’s first batch of documents that were published on his WordPress blog.  We demonstrate that Guccifer 2 likely planted his “Russian fingerprints” into those documents.  Those “Russian fingerprints” were widely covered by mainstream media and provided circumstantial support for the idea that Guccifer 2 was in fact a Russian operative (or a team of operatives), in spite of his rather clumsy attempts to cover his tracks.

The Guccifer 2 Narrative

In this report, we take the position that most of Guccifer 2’s metadata modifications were deliberate.  Our position is at odds with mainstream media’s recital of events.

The MSM narrative, as best we understand it, is that Guccifer 2 initially slipped up — disclosing documents that were last saved using a user id written in Cyrillic; that user id made reference to a famous Russian spy chief.

Further, Guccifer 2’s first document, which he shared with two media outlets had Russian error messages embedded in the PDF’s that those media outlets published.  These error messages became known as Guccifer 2’s “Russian fingerprints”, presumably left behind by accident.  In Did Guccifer 2 Plant his Russian Fingerprints? we demonstrate that the process which Guccifer 2 likely used to plant those Russian error message was complex and deliberate.

An important point to make here is that Guccifer 2 modified 36 documents, published in several batches, and several of the batches have metadata that can be linked to Russia.  Guccifer 2 often made minimal changes to a document apparently with no rhyme or reason; yet, Russian indications were often the only tangible result that those changes had in common.  Guccifer 2 explained away his document tweaks as simply a result of his desire to plant his hacker “water mark” (signature).  The media accepted this explanation and viewed it as a clumsy (and obvious) effort to cover his initial (alleged) mistakes.  We have a different opinion.  We think that Guccifer 2’s main intent was to implant metadata that implicates Russia.

A point that is often lost in the flurry of details swirling around Guccifer 2 is that a metadata change will only “stick” if something in the document is modified and then that document is saved.  This fact explains Guccifer 2’s tendency to make minimal changes to the documents that he tweaked.  For the documents that we can compare to attachments in Wikileaks emails, we see that Guccifer 2 often just added some white space, modified a header/footer, and so on.  In a typical scenario, these small changes were enough to convince the application (e.g., Microsoft Word) to record the “last saved by” user id (Guccifer 2’s “water mark”) and to record the current language setting in each modified document’s metadata.  Although the media outlets focused on Guccifer 2’s quirky user id’s, we think that the real goal was to plant more meaningful metadata.

Is Guccifer 2 Clumsy or Cunning?

In an article that came out in Motherboard (on June 16, 2016) a day after Guccifer 2 first appeared, ‘Guccifer 2.0’ Is Likely a Russian Government Attempt to Cover Up Its Own Hack [archive], Lorenzo Franceschi-Bicchierai (@lorenzofb) summarizes the circumstantial evidence that linked Guccifer 2 to Russia and Russia to the Trump campaign.  Motherboard will later interview Guccifer 2 and continue to cover his activities extensively.

The Motherboard article raises the question that we keep banging into as we analyze Guccifer 2’s long trail of breadcrumbs (emphasis added).

Could all these breadcrumbs have been left on purpose? Of course, but then the explanation would be that someone has done an awful lot of work to leave evidence pointing to Russia in a blog post where he or she was claiming to have nothing to do with Russia.

As we have shown in our previous reports (and this one), Guccifer 2 did indeed make a concerted effort to strew breadcrumbs that linked his activities to Russia.  In fact, the clues listed in the Motherboard article will prove to be just the tip of the iceberg.

Yet, in just one day, on the basis of flimsy evidence (such as Guccifer 2’s use of a “Russian smiley” in his blog post), the media was quick to conclude that Guccifer 2 was a team of Russian spies.

“Given the evidence in the docs only, it’s a weak attribution to a group in Russia,” Pwn All The Things [Matt Tait] told Motherboard in an online chat. “Given the evidence combined with everything else, I think it’s a strong attribution to one of the Russian intelligence agencies.”

Guccifer 2’s Metadata Mosaic

The following table summarizes all the metadata indications that we have found (to date) in the 36 files that Guccifer tweaked.  Times shown are in GMT.  The email screenshots (.png files) reflect the time that they were uploaded to Guccifer 2’s blog.


Above, we see five (5) batches of documents that Guccifer 2 either modified (Word documents and spreadsheets) or created (email screen shots).  The “RU” entries that are in light red and the timezone offsets of GMT+3 and GMT+4 in bright red can be clearly identified as indications of possible Russian origin.

The GMT-4 (US EDT) timezone offset is found in a batch of documents that were edited with LibreOffice that were published on July 6, 2016.  Originally, our research indicated that those documents were written on a system with a GMT+4 timezone offset setting, but our interpretation was in error. We failed to notice that LibreOffice misreports the last saved time as GMT time, when in fact it is local time.  A fellow researcher, Stephen McIntyre spotted the error and we have updated this report accordingly.  We discuss the implications of this EDT finding in a following section.

The batch of Word files dated June 30, 2016 all have Romanian (“RO”) language settings (in light orange).  This has gone unnoticed in mainstream reporting.  Recently, an anonymous blogger (Winston Smith) noticed this setting, but not in the broader context shown above.  We discuss Smith’s findings in a following section.

The entries marked “EN” (in light blue) indicate English language settings.  There are some entries for spreadsheets (.xlsx) that have English language indications, yet other spreadsheets have Russian indications.  The batch of files dated July 6, 2016 are a special case; they were all written with LibreOffice. The version of LibreOffice that Guccifer 2 used indicates that it may have been installed recently and there may have been unnoticed installation issues, where the chosen language defaulted to US English.  The combination of English language settings and a timezone offset of GMT-4 is surprising given the overall metadata picture.

Below, is an overview graphic with some of the detail above left out.


At first, this looks like a mixed picture.  However, if we view the light red, dark red blocks as being indicative of Russian origin then there were Russian attributions in several batches of files that Guccifer 2 published.  Mainstream media focused on the first batch (notably the “Russian fingerprints” in the Trump opposition report).  Media noticed Guccifer 2’s use of additional “watermarks” (unusual user names), but this was generally explained as a cover used to obscure Guccifer 2’s original choice of the very Russian “Феликс Эдмундович” (Felix Edmundovich) reference.

We explain in a later section that there is a scenario where the GMT-7 timezone offsets can be viewed as indications of Russian origin.  That scenario is based on the assumption that Guccifer 2 made a particular mistake when saving those files.

In subsequent sections, we will also discuss some of the anomalous results.

Guccifer 2 Returns to the East Coast

The Eastern timezone setting found in Guccifer 2’s documents published on July 6, 2016 is significant, because as we showed in Guccifer 2.0 NGP/Van Metadata Analysis, Guccifer 2 was likely on the East Coast the previous day, when he collected the DNC-related files that ended up in the ngpvan.7z Zip file.  Also, recall that Guccifer 2 was likely on the East Coast a couple of months later on September 1, 2016 when he built the final ngpvan.7z file.

We believe that in both cases Guccifer 2 was unlikely to anticipate that this Eastern timezone setting could be derived from the metadata of the documents that he published.  However, one vocal critic with significant media reach objected to our East Coast finding as it related to our analysis of the ngpvan.7z file.  This critic concluded instead that Guccifer 2 deliberately planted that clue to implicate a DNC worker who would die under suspicious circumstances a few days later on July 10, 2016.

Further, this critic accused the Forensicator (and Adam Carter) of using this finding to amplify the impact of Forensicator’s report in an effort to spread disinformation.  This same critic implied that Forensicator’s report was supplied by Russian operatives via a so-called “tip-off file.”  The Forensicator addresses those baseless criticisms and accusations in The Campbell Conspiracy.

Now, we have this additional East Coast indication, which appears just one day after the ngpvan.7z files were collected (which we conclude were likely collected on the East Coast).  This new East Coast indication is found in a completely different group of files that Guccifer 2 published on his blog site.  Further, this East Coast finding has its own unique and equally unlikely method of derivation.

If we apply our critic’s logic, what do we now conclude?  That Guccifer 2 also deliberately planted this new East Coast indication?  To what end?

We wonder: Will this new evidence compel our out-spoken critic to retract his unsubstantiated claims and accusations?

[Editor: In the rest of Forensicator’s lengthy report are details which describe the derivation of the newly discovered metadata.  Below, we excerpt the disclaimer and closing thoughts.]


This report describes numerous examples of metadata found in documents that Guccifer 2 modified, where the metadata values can be linked to Russia.  We call these values – “Russian breadcrumbs”.  The presence of these breadcrumbs might seem at odds with the DOJ indictments of alleged Russian GRU hackers, because we are left wondering why would Guccifer 2 leave such an obvious trail to Russia?  One explanation that has been given is that the Guccifer 2 team was in a hurry and careless.  Another reason might be that the GRU agents wanted to make their presence known and were sending some sort of message.  We take no position on those theories and rationales, but simply offer our interpretation of the facts at hand.

Also, to the degree that some theories that we develop might suggest that Guccifer 2 had team members or help inside the US, we emphasize that our theories should be considered hypothetical.  We note that the DOJ indictments are not obligated to list all the facts in a case; there might be other information that hasn’t been disclosed publicly that would invalidate our theories or interpretations of the facts.

Closing Thoughts