Guccifer 2.0 Mysteries Solved

By Adam Carter - April 30, 2018

This is a very brief outline of a new Guccifer 2.0 related discovery made over the past 48 hours.

The discovery was made by Forensicator and the analysis is still ongoing (so this is just a short interim report so people aren't left waiting for days for the complete analysis).

I'm just publishing this temporarily as I did post on Twitter a few hours ago stating that I would be reporting on this today.

A more detailed article will be out later in the week.

Observations & Conclusions From 2017

One of the observations made regarding Guccifer 2.0 over the past year was the presence of Warren Flood's name on several documents (among the first documents G2 released).

It was assumed that this was most likely due to the computer/software configuration on which Guccifer 2.0 had created an initial pre-tainted template document (with Russian "fingerprints") which was then saved and duplicated several times with each copy having different body content pasted in (to produce a series of tainted documents).

From this, I inferred that it was plausible for the documents to have come from Biden's office due to Flood being Biden's former IT Director.

The latest evidence found by Forensicator, however, discredits that premise and it also gives us a more compelling explanation for the observations that were made.


Flood's Name Found On Legitimate Podesta Attachments

As some of you may know, G2's first five documents were all constructed to have content in them that we would later learn came from attachments to Podesta's emails.

What most of us didn't know until now, though, was that Warren Flood's name appears on some of Podesta's attachments. In fact, it looks like the title and other metadata came from one of the two legitimate documents attributed to Flood.

The files are attached to two separate leaked emails:



Guccifer 2.0 Didn't Create The "Confidential" Watermark

Towards the end of 2017, the mainstream press reported that Guccifer 2.0 had manipulated his Trump Opposition Research document to add the "Confidential" watermark.

This appears to have been a slight misconception too.

It's true the original Trump Opposition Research document (attached to this leaked email) had no watermark or footer and it's true that Guccifer 2.0's version had the watermark and the page-number part of the footer:

What appears to have happened is that one of Flood's two "Slate - Domestic.." documents linked to above was opened up, the watermark was changed from "CONFIDENTIAL DRAFT" to "CONFIDENTIAL" and the date segment of the footer was removed.

Here's a screenshot of one of those Flood-authored original documents:



From Forensicator's initial observations, it now appears that the watermark, the footer and Flood's details in the metadata likely came from one of the two Flood-authored Podesta email attachments and that the contents of the Trump Opposition Research file were then copied into it.

This considerably reduces the likelihood of the premise that G2 created his documents on a computer previously owned by Flood and pretty much serves to vindicate Biden's West Wing Office, etc. too.
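To illustrate why matching author and title metadata can point to a reused source file rather than a shared computer, here is an added example (not from Forensicator's analysis or this article's original text). It assumes the documents are OOXML (.docx) packages; the function names and the sample documents are constructed for illustration, with a sample copy whose body and last-modified-by changed while the other core properties stayed the same.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"creator": "dc:creator", "title": "dc:title",
          "lastModifiedBy": "cp:lastModifiedBy", "created": "dcterms:created"}

def core_properties(docx_bytes):
    """Return the selected docProps/core.xml fields of one package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {name: root.find(path, NS) for name, path in FIELDS.items()}
    return {name: (el.text if el is not None else None) for name, el in found.items()}

def inherited_fields(template, suspect):
    """Fields whose non-empty values are identical in both documents."""
    a, b = core_properties(template), core_properties(suspect)
    return sorted(k for k in FIELDS if a[k] and a[k] == b[k])

def make_docx(creator, title, modified_by, created, body):
    """Build a minimal constructed package (not a complete Word file)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}">'
            f'<dc:creator>{creator}</dc:creator><dc:title>{title}</dc:title>'
            f'<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>'
            f'<dcterms:created>{created}</dcterms:created></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", f"<body>{body}</body>")
    return buf.getvalue()

# Constructed sample data: a source document and a copy with new body text.
TEMPLATE = make_docx("Author A", "Constructed Title", "Author A",
                     "2000-01-01T00:00:00Z", "original body")
SUSPECT = make_docx("Author A", "Constructed Title", "Editor B",
                    "2000-01-01T00:00:00Z", "pasted body")

if __name__ == "__main__":
    print(inherited_fields(TEMPLATE, SUSPECT))
```

Matching fields only show that two files share an ancestor document; they say nothing about which machine or user produced the later copy.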

The files, the data within them and associations/correlations/etc. are being analyzed further; we will hopefully know in the next day or two which of Flood's documents was actually used initially.

Forensicator's discovery has slightly lowered my confidence in the interim attribution that I've made, but it hasn't changed that attribution; I still see CrowdStrike executives as the most probable operators of the G2 persona (due to all the other evidence considered in aggregate).

Those are the new discoveries, very briefly covered for now, but as mentioned at the start of this article, a more detailed report (as well as a few article updates where needed) will be coming out through the remainder of the week.


(UPDATE: Forensicator's detailed analysis covering this is available here.)