Guccifer 2.0: Game Over - Evidence of Intent

This article will provide you with independent reference materials and links to articles from Guccifer2.0's blog and will help you to see for yourself - the evidence of WHAT Guccifer2.0 was.

This is the "minimal-guidance" version of this article - it is intended for those wanting to find their own way to the evidence without having everything explained and without being told the result.

There is also a "guided" version of the article here that explains what was discovered and what it means.

I would prefer that you inspect the documents yourself (you'll be provided with a single stylesheet RSID reference that you will check for in 3 documents - that's all you need to do with the files) and then consider the implications of what you found and what it means - and figure out what others have discovered about Guccifer 2.0.

Metadata also corroborates with what we've found too - but for the sake of this article, we are focusing on a single correlation of an RSID referenced across several documents, and the metadata is not needed to support the finding. - The anomalous RSID correlation and differing RSIDs for the content in each document demonstrates how the files were constructed even on it's own.

Source Materials

Please download the following files: (link) (link) (link)

Mirror copies are available below (please use originals above if available):

Host: -> 1.doc 2.doc 3.doc
Host: -> 1.doc 2.doc 3.doc

Reference Materials

Download Word 2007: Rich Text Format (RTF) Specification, version 9 (Page 36 covers RSIDs)

Investigation Hints

To undestand and interpret the evidence - you will need to understand what RSIDs (Revision Save IDs) are and the circumstances in which they change or stay the same - and understand what it means when they are identical across multiple documents.

Across all 3 documents, search for text string:

\styrsid11758497 No Spacing;

This is the end of a stylesheet rule, each rule is encapsulated in curly braces ("{", "}")

Look at the language set within that stylesheet rule. (This may help: Microsoft Locale ID Values)

RSIDs (such as 11758497 is) can only change under certain circumstances.

Consider how the same RSID is found on all 3 documents but the body contents of each has it's own separate RSID.

You should be able to identify chronology of data being added to the file and from that ascertain how the documents were constructed and what the intent was.

If you understand when RSIDs change and understand the RTF data (which can be achieved with the reference materials provided) - you will be able to recognize Guccifer2.0's intent and will no longer need to rely on believing the claims that others make.

If you're confused and struggle to interpret what this all means... work with others, discuss it, investigate together and see if you can figure it out. - Please only use the guided version (link near the top of this article) when you've exhausted all opportunity to figure this out for yourself... I really don't want to lead you to the conclusion if you can find your own way there.

When you have figured it all out, we can look at the metadata... INTENT CONCLUDED