Guccifer 2.0: Game Over - Evidence of Intent

This article will provide you with independent reference materials and links to articles from Guccifer2.0's blog and will help you to see WHAT Guccifer2.0 was. (An important first step in being able to understand who Guccifer2.0 really was)

Credit for the original discovery of the anomalies highlighted in this article belongs to u/tvor_22 - The article he wrote about this discovery is: Russia and WikiLeaks: The Case of the Gilded Guccifer

This is the "guided" version of this article - it is intended for those who have difficulties with the "minimally-guided" version and evaluating the data and implications for themselves.

The "minimally-guided" version of the article is here. - I would like people to use the minimally guided verson by preference as this allows you to see and evaluate the evidence by yourself without being provided with a conclusion. - This version provides you with the answers but you CAN discover these by yourself with an investment of time and cognition.

Metadata corroborates with what we've found too - but for the sake of this article, we are focusing on a single correlation of an RSID referenced across several documents, and the metadata is not needed to support the finding. - The anomalous RSID correlation - is ALL that is needed to demonstrate INTENT.

What this means and what should happen as a result of these findings will be added to a conclusions page, a link to which will also be added to both versions of the article - when it's ready.

Source Materials (link) (link) (link)

Mirror copies are available below (please use originals above if available):

Host: -> 1.doc 2.doc 3.doc
Host: -> 1.doc 2.doc 3.doc

You may also be able to use your browser to directly see the contents of the files as source code (see instructions below).

Reference Materials

Download Word 2007: Rich Text Format (RTF) Specification, version 9 (Page 36 covers RSIDs)

Intent Identification Process

First thing to know, is that we are dealing with RTF format .doc files. - This is good news for us as it makes it easier for you to interpret than a binary file and means you can inspect the files using a raw text editor (eg. Notepad/Textpad/etc.) - If you have difficulty opening up the files, just change the extension from ".doc" to ".txt".

You might be able to copy and paste the following into your browser's address bar to view the original files as text too:


In all 3 documents, the following text string (a stylesheet definition) exists:

{ \s108\ql \li0\ri0\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\contextualspace \rtlch\fcs1 \af1\afs20\alang1025 \ltrch\fcs0 \f1\fs20\lang1049\langfe1049\cgrid\langnp1049\langfenp1049 \sbasedon0 \snext108 \slink107 \sqformat \spriority1 \styrsid11758497 No Spacing;}

The fact that we find this in all 3 documents with matching RSID (Revision Save ID) numbers means that they all were based on the same document at some point.

The "lang1049", "langfe1049", etc. parts of the string show that this is set to Russian language. (This may help: Microsoft Locale ID Values)

So we KNOW that all 3 documents were based off an original document that already had "Russian-fingerprints" associated with it and the content was added to each in a separate revision save session.

If they were separate documents that had these specific "Russian-fingerprints" accidentally added while being handled - they would all have different RSIDs. - The only way for what we observe to have happened - is for all 3 files to be constructed starting off as a pre-tainted template document.

Would Russia REALLY apply Russian fingerprints purposefully to leaked files like this?

Now let's combine the metadata... INTENT CONCLUDED