Guccifer 2.0's American Fingerprints Reveal An Operation Made In The USA

Authored by Elizabeth Lea Vos via Disobedient Media,

In his final report in a three-part series, Guccifer 2’s West Coast Fingerprint, the Forensicator discovers evidence that at least one operator behind the Guccifer 2.0 persona worked from the West Coast of the United States.

The Forensicator’s earlier findings stated that Guccifer 2.0’s NGP-VAN files were accessed locally on the East Coast, and in another analysis they suggested that a file published by Guccifer 2.0 was created in the Central time zone of the United States. Most recently, a former DNC official refuted the DNC’s initial allegations that Trump opposition files had been ex-filtrated from the DNC by Russian state-sponsored operatives.

So, if Guccifer 2.0’s role was negated by the statements of the DNC’s own former “official” in a 2017 report by the Associated Press, why do we now return our attention to the Guccifer 2.0 persona, as we reflect on the last section of new findings from the Forensicator?

The answer: Despite almost two years having passed since the appearance of the Guccifer 2.0 persona, legacy media is still trotting out the shambling corpse of Guccifer 2.0 to revive the legitimacy of the Russian hacking narrative. In other words, it is necessary to hammer the final nail into the coffin of the Guccifer 2.0 persona.

As previously noted, In his final report in a three-part series, the Forensicator discusses concrete evidence that at least one operator behind the Guccifer 2.0 persona worked from the West Coast of the United States. He writes:

“Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the timezone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.”

The Forensicator spends the first part of his report evaluating indications that Guccifer 2.0 may have operated out of Russia. Ultimately, the Forensicator discards those tentative results. He emphatically notes:

“The PDT finding draws into question the premise that Guccifer 2 was operating out of Russia, or any other region that would have had GMT+3 timezone offsets in force. Essentially, the Pacific Timezone finding invalidates the GMT+3 timezone findings previously described.”

The Forensicator’s new West Coast finding is not the first evidence to indicate that operators behind the Guccifer 2.0 persona were based in the US. Nine months ago, Disobedient Media, reported on the Forensicator’s analysis, which showed (among other things) that Guccifer 2.0’s “ngpvan” archive was created on the East Coast. While that report received the vast majority of attention from the public and legacy media, Disobedient Media later reported on another analysis done by the Forensicator, which found that a file published by Guccifer 2.0 (on a different occasion) was probably created in the Central Timezone of the US.

Adding to all of this, UK based analyst and independent journalist Adam Carter presented his own analysis which also showed that the Guccifer 2.0 Twitter persona interacted on a schedule which was best explained by having been based within the United States.

The chart above shows a box which spans regular working hours. It indicates that unless Guccifer 2.0 worked the night shift, they were likely working out of the US. Though this last data point is circumstantial, it is corroborated by the previously discussed pieces of independently verifiable hard evidence described by the Forensicator.

When taking all of these separate pieces into account, one observes a convergence of evidence that multiple US-based operators were behind the Guccifer 2.0 persona and its publications. This is incredibly significant because it is based on multiple pieces of concrete data; it does not rely on “anonymous sources within the government,” nor contractors hired by the DNC. As a result, much of the prior legacy press coverage of Guccifer 2.0 as a Russia-based agent can be readily debunked.

Such tangible evidence stands in contrast to the claims made in a recently published Daily Beast article, which reads more like a gossip column than serious journalism. In the Daily Beast’s recital, the outlet cites an anonymous source who claims that a Moscow-based GRU agent was behind the Guccifer 2.0 operation, writing:

“Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

… But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation.

… Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.”

[The Daily Beast, March 22, 2018]

Clearly, the claim made in the Daily Beast’s report is in direct contradiction with the growing mound of evidence suggesting that Guccifer 2.0 operated out of the United States. A detailed technical breakdown of the evidence confirming a West-Coast “last saved” time and how this counters the claims of the Daily Beast can be found in the Forensicator’s work.

The Forensicator explained to Disobedient Media that their discovery process was initiated by the following Tweet by Matt Tait (@pwnallthings), a security blogger and journalist. Tait noticed a change revision entry in one of the Word documents published in Guccifer 2.0’s second batch of documents, (uploaded 3 days after Guccifer 2.0 first appeared on the scene).

The Forensicator corrects Tait, stating that the timestamp is in “wall time,” (local time) not UTC. The Forensicator explains that Tait’s mistake is understandable because the “Z” suffix usually implies “Zulu” (GMT) time, but that isn’t the case for “track changes” timestamps. The Forensicator writes that the document Tait refers to in his Tweet is named Hillary-for-America-fundraising-guidelines-from-agent-letter.docx; it has Word’s “track changes” feature enabled. Guccifer 2.0 made a trivial change to the document, using the pseudonym, “Ernesto Che,” portrayed below:

The Forensicator correlated that timestamp (“12:56:00 AM”) with the document’s “last saved” timestamp expressed in GMT, as shown below courtesy of the Forensicator’s study:

Based on the evidence discussed above, the Forensicator concludes that Guccifer 2.0 saved this file on a system that had a timezone offset of -7 hours (the difference between 0:56 AM and 7:56 AM GMT). Thus, the system where this document was last changed used Pacific Timezone settings.

The logical conclusion drawn from the preceding analysis is that Guccifer 2.0 was operating somewhere on the West Coast of the United States when they made their change to that document. This single finding throws into shambles any other conclusions that might indicate that Guccifer 2.0 was operating out of Russia. This latest finding also adds to the previously cited evidence that the persona was probably operated by multiple individuals located in the United States.

Taken all together, the factual basis of the Russian hacking story totally collapses. We are left instead with multiple  traces of a US-based operation that created the appearance of evidence that Kremlin-allied hackers had breached the DNC network. Publicly available data suggests that Guccifer 2.0 is a US-based operation. To this, we add:

  • The Forensicator’s recent findings that Guccifer 2.0 deliberately planted “Russian fingerprints” into his first document, as reported by Disobedient Media.

  • A former DNC official’s statement that a document with so-called “Russian fingerprints” was not in fact taken from the DNC, as reported by Disobedient Media.

  • The media’s role in propagating the connection between early Russian hacking allegations and the Guccifer 2.0 persona, as reported by Disobedient Media.

In the course of the last nine months this outlet has documented the work of the Forensicator, which has indicated that not only were Guccifer 2.0’s “ngp-van” files accessed locally on the East Coast of the US, but also that several files published by the Guccifer 2.0 persona were altered and saved within the United States. The “Russian fingerprints” left on Guccifer 2.0’s first document have been debunked, as has the claim that the file itself was extracted from the DNC network in the first place. On top of all this, a former DNC official withdrew the DNC’s initial allegations that supported the “Russian hack” claim in the first place.

One hopes that with all of this information in mind, the long-suffering Guccifer 2.0 saga can be laid to rest once and for all, at least for unbiased and critically thinking observers.

Comments

Chris2 Tue, 05/29/2018 - 22:15 Permalink

Snowden talked about the NSA or is it CIA, had the ability to leave Russian fingerprints.

All of this was the "insurance" to frame Trump who they knew would win when they saw that Hillary rallies had 20 people only showing up few old lesbians and nobody else.

NiggaPleeze Okienomics Tue, 05/29/2018 - 23:33 Permalink

Perhaps but articles like this enhance the disinterest.  It's trivial to change a computer's timezone, I change mine all the time.  And even the clock itself, so when it says midnight, it's actually 3:00 pm. or whatever.  Or to change a computer's default language.  And if you are a hacker you would most certainly do those things, as a big part of the game is not getting caught (i.e., not leaving valuable clues).

Hence it is also part of a hacker's rules to use proxies and never directly attack a target.  In fact using multiple proxies in multiple countries, as is made possible by many programs (including Tor, though that is likely NSA compromised), to hide your trail.  Like in the spy movies, where they trace an internet or phone connection and it hops from one point to another and another and another ... and then the call disconnects a moment before they get to the "last hop" (lol).

None of this is evidence of anything non-speculative.  It doesn't advance the ball one iota.

Yawn.

In reply to by Okienomics

lookslikecraptome NiggaPleeze Tue, 05/29/2018 - 23:59 Permalink

yes ur actually correct. very very correct.     it is easy to get into ur bias and change all sort of stuff making it difficult to get accurate data forensically. Then there is ip spoofing as well as mac address spoofing...    And, who says guccifer could not have been in the US and still been a Russian.  

However, I do believe the msm is BS when it comes to Russian hacking the election and we do it also to other countries whenever we feel like it. 

 

I did not need any person to tell me Hilldog is and was a skank of the highest magnitude. 

In reply to by NiggaPleeze

A Sentinel Arctic Frost Wed, 05/30/2018 - 03:47 Permalink

Niggaplease is onto something. The timestamp is defined by time zone ... which to set to whatever you want.

And if you’re a real hacker, then your clock will have anomalies by definition because you’re scamming the license checking on a few dozen things.

If they’re not, but instead very professional, then likely they’re operating on sterile configurations (replicated os and software — ie clean installations) then the timezone is probably ignored but set long ago and far away by the configuration being used. (For instance many Windows installers assume you’re in Redmond Washington until you say something else.)

This analysis is ok if and only if some assumptions about the hackers are valid. But there are many, many variables.

It might be based on valid assumptions, but this summary gives no information or indication about any information that would underpin those assumptions. 

And in fairness, that stuff wouldn’t make for compelling reading.

In reply to by Arctic Frost

Arctic Frost NiggaPleeze Wed, 05/30/2018 - 00:11 Permalink

 

I think you’re missing the point. The DNC and Russian Narrative supporters use these “documents” as evidence that Guccifer 2.0 was established and working out of Russia. The analysis proves these documents do NOT support those claims. 

 

IMO, these articles were never meant to explain the Russian Narrative, but rather to come to certain conclusions through EVIDENCE rather than speculations or anonymous sources about the persona, Guccifer. The “claims” that Guccifer originated and worked from Russia are debunked through this analysis. It’s taken the “evidence” the public was given and proves it is no evidence at all.

In reply to by NiggaPleeze

NiggaPleeze Arctic Frost Wed, 05/30/2018 - 03:27 Permalink

Oh, I didn't know ZH was targeting those that believe the DNC/Russia narrative.  Those people won't have their minds changed by this article.  Anyway the author would be better off arguing as I did that all of this data is inconclusive and most likely deceptive, rather than try to use it to prove the source.  By doing so, the author is arguing that it is possible to know the source from these "fingerprints", which actually is a false claim.

So I stand by what I wrote.  It's just as much BS as the MSM's Russian fingerprint narrative.  You don't fight BS with BS, you fight it with truth.

In reply to by Arctic Frost

NiggaPleeze StychoKiller Wed, 05/30/2018 - 03:17 Permalink

Being qualified as having "in-depth" knowledge of TCP, I disagree.  In order to send a packet a connection has first to be established using a 3-step handshake.  This process requires a back-and-forth between the two IP addresses.  If the sender sends a false IP address (which would require controlling some infrastructure apart from the computer's or its router's own IP address, since most routers do not permit a packet to pass that has an IP address which could not come from where it's coming from), it simply could not establish a connection, hence it could not even begin the process of sending data (which itself requires backs-and-forths).

EDIT:  that is why hackers use proxies and gateways (such as Tor) to hack.  Spoofing your own IP address doesn't work so you have to obfuscate it.  Each server will generally log where connections to it come from, so you look to find intermediate machines.  Now of course those can be searched as well, but if it's a client desktop (like Windows), they generally don't log connections.  To be sure of that, hacker toolkits will delete logs on each compromised computer after an attack.  Authorities may still be able to track it though if the ISP or some routers did logging, so it's safer to use a number of compromised computers in different countries (making it more difficult to get subpoenas to analyze logs in computers and/or routers).

In reply to by StychoKiller

DCFusor NiggaPleeze Wed, 05/30/2018 - 10:30 Permalink

Unless you're sitting on the wire, you might not know that an address in a header (at that level in the OSI protocol stack) isn't necessarily the same one as on the wire at the lower level used to do the handshake.  Arcane, but as someone who has made that mistake by accident when learning this in the windows 3.1 days...I know that while this violates what would be "normal form" in a database, it IS what happens.  It's real easy to spoof email return a addresses for a semi-related example - the number at the lowest level need not match what's supposed to be a tracking copy in the header.

(and NP - know about BGP spoofing?  You can use a temporarily fake IP even for the handshake and at that lowest level...)

Yes, at some levels you can spoof IP addresses and of course the lower level MAC address used for most local lookups between IP and MAC.

Real basic stuff you can find in any script kiddie dox - or any pen testing linux distro will have those tools for use at the idiot level - you don't have to know how to make it work in Kali or Parrot.

My software outfit also wound up writing a browser for the "OLE Storage" filesystem that is called the undocumented file format for MS Office (it's documented a little bit in MSDN but very hard to find) - this would show us all the sub directories in that filesystem in a file, and things like the GUIDs and identities of any embedded objects, the above noted change tracking and so on.  Pretty obscure and you had to find it out by trial and error if you didn't work for the Office team at MS.

While your computer mostly does know what you told it...or heck the equivalent of NTP time service or some cookie from the internet told it, or someone with access to it told it, or...I guess that sadly, that statement is completely meaningless, sorry Gator.  Unless by "you" you mean anything it's ever been hooked up to.  A skilled person can make any set of bits they want.  Any.

None of which really adds to the discussion, other than suppositions by people who think "it must have been like this" about a bag of bits they don't know the normal format of, much less this bag in detail and where it's been...are meaningless in the extreme.   As a programmer and architect for >40 years who has done everything from mini-opsys for embedded to drivers for windows and linux to product development for some things you probably use every day (VoIP comes to mind) - I've got that Tee shirt.  And I'm well known for having it - this handle I use here isn't a big secret.

What I see here is pure speculation by those who only know enough to invoke Dunning-Kruger.  And with no chain of possession of evidence on top, well, speculating is fun and I do it as much as the next guy, but that's all it is and it's important to look maybe at the other usual suspects - motive, opportunity and so on.

You come to about the same answer anyway, but it's better to be honest about it when fighting BS - don't use BS, use truth.

In reply to by NiggaPleeze

Arctic Frost beemasters Wed, 05/30/2018 - 00:30 Permalink

 

Actually, in today’s climate what ISN’T a distraction? I always ask myself this: Exactly WHAT has actually HAPPENED? You’ll find the answer is more often than not, “Nothing.” Once I go at it from that angle I find that “nothing” is really nothing to get worked up about. I don’t always succeed, but it’s a good place to start.

In reply to by beemasters

LetThemEatRand Tue, 05/29/2018 - 22:16 Permalink

Meanwhile, Snowden risked his life and liberty to show us evidence that the NSA developed technology to make it appear even with expert analysis that NSA hacking originated from a foreign power.   

PodissNM Tue, 05/29/2018 - 22:26 Permalink

I've never believed Guccifer 2.0 was a real hacker based simply on the name. Took another hackers handle and put 2.0 on the end? I don't believe any real hacker would do something so lame. 

Chief Joesph Tue, 05/29/2018 - 22:29 Permalink

Like most hacks in the U.S. , they are homegrown, not of Russian descent, or Chinese, or anyone else outside the country.  It's about time they did a good forensic analysis of the communications to track them down instead of making false accusations.

Posa Tue, 05/29/2018 - 22:37 Permalink

If Binney and Co are correct (and t seems they are) that the DNC documents were downloaded on a thumb drive, then the Guccifer caper was a cover-up operation designed to pin it all on the Russians.

Slammofandango Tue, 05/29/2018 - 23:09 Permalink

This is interesting information but let us remember, no amount of evidence in support of the DNC servers being hacked, precludes the possibility of a concurrent leak. 

Even if Guccifer 2.0 stole data over the internet, that's no reason to then believe Seth Rich or someone like him at DNC headquarters could not have also stolen data from that location by downloading it on to a memory stick and arranging for it to be given to Ambassador Craig Murray at a DC park like Murray says happened.

The plausibility of Assange's story never was based upon an 'either or' scenario.

 

I love your wife Tue, 05/29/2018 - 23:15 Permalink

You know how I know Guccifer 2.0 is the DNC?  Because its the most un-fucking original name - a total dumbass rip-off of the real hacker, Guccifer.  DNC never has a fresh or original thought. 

911bodysnatchers322 Wed, 05/30/2018 - 01:00 Permalink

>  Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.”

 

Omg.  They tracked the IP address.   Everyone knows you can just track any IP address in realtime using visual basic algorthim AI back to either CIA or GRU headquarters, because computer forensics is easy, even thru 77 proxies and onion routers and hillary's blackberry bathroom server

Aerows Wed, 05/30/2018 - 01:23 Permalink

Chelsea Clinton sits on the BoD of the company that own the Daily Beast.  Forget even a shred of credibility coming out of that outfit.