Guccifer 2.0's Multi-Stage Fingerprint Fabrications: RSIDs

UPDATE (June 2nd 2017): This article has had its title changed. The original title was "Evidence of Intent"; however, it was correctly pointed out by Rob Colbert of Disobedient Media that the RSID evidence alone doesn't actually demonstrate intent. This is true: in isolation, the RSID evidence only tells us how the fingerprints were produced; it does not explain why they were produced. To ascertain intent it is necessary to have knowledge of Guccifer 2.0's debunked claims, attribution efforts, the type of content he was apparently leaking and the timing of his actions and statements in relation to other events.

This article provides independent reference materials and links to articles from Guccifer 2.0's blog so that you can check and verify that the fingerprints in Guccifer 2.0's first 3 files were created through an unusual process: for some reason it started with a blank template (with a Russian style sheet attached) that was saved as 3 pre-tainted template files, with content from real documents copied and pasted into them in separate revision save sessions at a later time.

If that all sounds like gibberish, you'll probably benefit more from reading: "Guccifer 2.0's First Five Documents: The Process"

Credit for the original discovery of the anomalies highlighted in this article belongs to u/tvor_22. The article he wrote about this discovery is: Russia and WikiLeaks: The Case of the Gilded Guccifer


Source Materials

https://guccifer2.files.wordpress.com/2016/06/1.doc
https://guccifer2.files.wordpress.com/2016/06/2.doc
https://guccifer2.files.wordpress.com/2016/06/3.doc

Mirror copies are available below (please use originals above if available):

Host: d3f.uk -> 1.doc 2.doc 3.doc
Host: g-2.space -> 1.doc 2.doc 3.doc

You may also be able to use your browser to directly see the contents of the files as source code (see instructions below).


Reference Materials

Download Word 2007: Rich Text Format (RTF) Specification, version 9 (Page 36 covers RSIDs)
www.microsoft.com/en-gb/download/details.aspx?id=10725


Intent Identification Process

The first thing to know is that we are dealing with RTF-format .doc files. This is good news, as RTF is easier to interpret than a binary file and you can inspect the files using a raw text editor (e.g. Notepad, TextPad, etc.). If you have difficulty opening the files, just change the extension from ".doc" to ".txt".

You might be able to copy and paste the following into your browser's address bar to view the original files as text too:

view-source:https://guccifer2.files.wordpress.com/2016/06/1.doc
view-source:https://guccifer2.files.wordpress.com/2016/06/2.doc
view-source:https://guccifer2.files.wordpress.com/2016/06/3.doc

In all 3 documents, the following text string (a stylesheet definition) exists:

{ \s108\ql \li0\ri0\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\contextualspace \rtlch\fcs1 \af1\afs20\alang1025 \ltrch\fcs0 \f1\fs20\lang1049\langfe1049\cgrid\langnp1049\langfenp1049 \sbasedon0 \snext108 \slink107 \sqformat \spriority1 \styrsid11758497 No Spacing;}

The fact that we find this in all 3 documents with matching RSID (Revision Save ID) numbers means that they all were based on the same document at some point.

The "lang1049", "langfe1049", etc. parts of the string show that this style is set to the Russian language. (This may help: Microsoft Locale ID Values)

From this, we can conclude that all 3 documents were based off an original document that already had "Russian-fingerprints" associated with it and the content was added to each in a separate revision save session.

If they were separate documents that had these specific "Russian-fingerprints" accidentally added while being handled, they would all have different RSIDs. The only way for what we observe to have happened is for all 3 files to have been constructed starting from a pre-tainted template document.
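
The comparison described above can be scripted. The following is an added example, not code from the original article: it pulls each stylesheet entry's \styrsid, style name and \lang value out of RTF text and reports the entries common to every file. The sample documents are constructed around the stylesheet string quoted above, the RSIDs in the counter-case are made up, and treating each style entry as one flat group is a simplifying assumption.

```python
import re

# Stylesheet entry quoted in the article (found in 1.doc, 2.doc and 3.doc).
ARTICLE_STYLE = (
    r"{ \s108\ql \li0\ri0\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright"
    r"\rin0\lin0\itap0\contextualspace \rtlch\fcs1 \af1\afs20\alang1025 \ltrch\fcs0 "
    r"\f1\fs20\lang1049\langfe1049\cgrid\langnp1049\langfenp1049 \sbasedon0 "
    r"\snext108 \slink107 \sqformat \spriority1 \styrsid11758497 No Spacing;}"
)
LCID_NAMES = {1049: "Russian", 1033: "English (US)"}  # two Microsoft locale IDs

# Simplification: a style entry is one flat {...;} group that carries \styrsidN.
STYLE_ENTRY = re.compile(r"\{[^{}]*\\styrsid(\d+)[^{}]*;\}")
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")

def style_fingerprints(rtf_text):
    """Return {(styrsid, style name, lang LCID or None)} for each style entry."""
    found = set()
    for m in STYLE_ENTRY.finditer(rtf_text):
        entry = m.group(0)
        lang = re.search(r"\\lang(\d+)", entry)  # \langfe and \alang do not match
        name = CONTROL_WORD.sub("", entry).strip("{}; ")
        found.add((int(m.group(1)), name, int(lang.group(1)) if lang else None))
    return found

def shared_styles(docs):
    """Style fingerprints present in every document of {filename: rtf_text}."""
    return set.intersection(*(style_fingerprints(t) for t in docs.values()))

def make_doc(style_entry, body):
    # Constructed minimal RTF wrapper; the real files are far larger.
    return r"{\rtf1\ansi{\stylesheet" + style_entry + "}" + body + "}"

# Constructed samples: same template style, different pasted content.
TEMPLATE_BASED = {f"{n}.doc": make_doc(ARTICLE_STYLE, f"content {n}") for n in (1, 2, 3)}
# Constructed counter-case: the style gets a different (made-up) RSID in each file.
INDEPENDENT = {
    f"{n}.doc": make_doc(ARTICLE_STYLE.replace("11758497", str(20000000 + n)), "x")
    for n in (1, 2, 3)
}

if __name__ == "__main__":
    for label, docs in (("template-based", TEMPLATE_BASED), ("independent", INDEPENDENT)):
        for rsid, name, lcid in sorted(shared_styles(docs)):
            print(label, rsid, name, LCID_NAMES.get(lcid, lcid))
        if not shared_styles(docs):
            print(label, "no style RSID common to all files")
```

To check the real files, read each one as text and pass a {filename: text} dict to shared_styles().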

Would Russia REALLY apply Russian fingerprints on purpose to leaked files like this?

Not that it's needed to prove the files were constructed in an unusual manner, but there is also the META DATA ...