NTK.com – Don't believe a word they say!

Fake Whistleblowers exposed


ASIS and WikiLeaks Exposed – GRU Indictment a Fake



The DNC Files Were a Leak As Were the Podesta E-Mails: Seth Rich Was Killed or on a Kibbutz???

July 13, 2018 – POST ONE: I have never outed a real source but if the “source” is a fake and carrying out a spook operation or part of one then the rules regarding “sources” do not apply. Forensically it has been proven that the DNC E-Mails were hacked and downloaded onto a USB drive with a portable Linux Operating system installed on it. The computer with the files on it was simply switched off and then rebooted from the USB drive which loaded the Linux OS which of course had root access to the drives. Very simple and anyone with even elementary computer knowledge could have done it.

As a former WikiLeaks associate who knows that all of the real hackers and activists and leakers and truthers have been eradicated except one or two, it gives me great pleasure to expose any of the CIA/NSA spook operators running the fake WikiLeaks Ops, and here I will present one of them to you.

If CIA Twitter had not deleted all of my Twitter accounts and banned me for life you would have been able to correlate and analyze the times and release dates of the Podesta E-Mails and you would have found that on numerous occasions I was uploading the Podesta E-Mails onto JAR2 sometimes as much as several hours BEFORE WikiLeaks.

So what do the Podesta E-Mails have to do with the DNC Leak?

I could not report on this earlier because I was not sure that the person behind the file transfer location was in fact a SPOOK but now it can be stated with almost 100% certainty that the person named “Mike” is probably an MI6 operative connected to the Cambridge Analytica quagmire and the actual real life meddling in the US Election process that they are trying to blame on Russia. I also could not expose this persona earlier because I was not sure if the person may have just been an innocent “associate” like me but since this persona keeps on rolling and is now admitting they were an inside player in the WikiLeaks Limited Hangout you can be certain it is a SPOOK.

Given information I have I would say the person is ASIS and/or MI6 because they are located in the UK but that is going to be for future research and outing the real person behind Mike will be for the LULZSEC people hiding in the shadows, so right now let’s meet Mike “the Dyke or something” and then I will share with you where the Podesta E-Mails were actually coming from and where WikiLeaks and I were actually downloading them from.

This persona knows the DNC E-Mails were a leak and not a hack and knows there was no Russian connections because this persona was responsible for uploading the files in question for WikiLeaks, yet this persona does nothing to counter the claims that it was GRU or Russian Intelligence because this persona has to cover their own ass and making Russia the scapegoat is the way of choice these days for every kind of Cyber Spook Operator possible. So here I go again defending Russia as I get screwed left and right but the TRUTH is what matters!

Meet Michael Best aka Mike Best aka Emma Best, another supposedly “sexually challenged” trans figure (could it be Bradley Manning?) I thought of that but no, so according to my research which I will reveal when the time comes this is him, her, it, whatever….

Michael Best aka Mike Best aka Emma Best ASIS/Rothschild/CIA FVEY Agent

So where and how were the Podesta and DNC files being transferred to WikiLeaks? And thus where is the TOP SECRET WikiLeaks data transfer location? How do I know this? I told you I am the last living and free REAL WikiLeaks Associate and my investigation into the PSYOP freaks is over…..

Don’t bother saying hi for me but you can tell them their asses are cooked. So without further ado here are the links and the rest is up to you LULZSEC/ZEROSEC/ANONYMOUS guys to fill in the cyber details:

Michael’s Official “Job” is of course a propaganda creator like Joseph Farrell.


Michael’s alter personas are Mike Best who turned into Emma Best following the NWO trans agenda.



So where is this top secret file transfer hub and where was I pulling all of the WikiLeaks’ “releases” and the Podesta Files from? First I want to say that now that they know I knew they will wonder how much shit that they deleted and tried to hide I actually already have and intercepted. Tsk tsk tsk. And now for the DRUM ROLL PLEASE!!!!! (I always wanted to say that)

And the SECRET ASIS/WikiLeaks/CIA file transfer hub is…………. TA DUM https://archive.org/ 

Can I be more specific? OKAY First the RAW zipped Podesta E-Mails were being uploaded by the user Mike Best, then we downloaded and posted immediately while WikiLeaks was either delayed or doing their little formatting jobs and censoring the really bad stuff… All an investigator or researcher has to do is get access to the upload/download logs. I cannot help much as all my metadata was primarily on Twitter but I am sure with the right forensic tools the RAW files on JAR2 can be analyzed to determine download, creation and post times… We stopped World War III and if we saved even one child it was worth it so if I am worried about implicating myself in publishing files the public has a right to know about and exposing the completely fraudulent and fake nature of the US Election System so be it. As a journalist I fulfilled my responsibility to inform, if mass-murdering Clinton was slowed down that is wonderful.

OKAY so now what? Will anyone pay attention to this? Will this go viral as it should? Hell no. We are not an Op and are truly exposing their fakery so therefore of course not but those few surviving WikiLeaks associates in hiding and the Hackers and Hacktivists still fighting in the Shadows now know as well as anyone else who matters. There you go. The big secret. Russian hackers had nothing to do with the DNC but the Australian Secret Intelligence Service and MI6 did. Please spread and PLEASE SUPPORT JAR2!!! We are starving to death over here!!!

DNC Was a LEAK Not a HACK!!!!

New evidence shows DNC server files were downloaded directly to USB drive, not hacked by Russians

New meta-analysis has emerged from a document published today by an independent researcher known as The Forensicator, which suggests that files eventually published by the Guccifer 2.0 persona were likely initially downloaded by a person with physical access to a computer possibly connected to the internal DNC network. The individual most likely used a USB drive to copy the information. The groundbreaking new analysis irrevocably destroys the Russian hacking narrative, and calls the actions of Crowdstrike and the DNC into question.

The document supplied to Disobedient Media via Adam Carter was authored by an individual known as The Forensicator. The full document referenced here has been published on their blog. Their analysis indicates the data was almost certainly not accessed initially by a remote hacker, much less one in Russia. If true, this analysis obliterates the Russian hacking narrative completely.

The Forensicator specifically discusses the data that was eventually published by Guccifer 2.0 under the title “NGP-VAN.” This should not be confused with the separate publication of the DNC emails by Wikileaks. This article focuses solely on evidence stemming from the files published by Guccifer 2.0, which were previously discussed in depth by Adam Carter.

Disobedient Media previously reported that Crowdstrike is the only group that has directly analyzed the DNC servers. Other groups including Threat Connect have used the information provided by Crowdstrike to claim that Russians hacked the DNC. However, their evaluation was based solely on information ultimately provided by Crowdstrike; this places the company in the unique position of being the only direct source of evidence that a hack occurred.

The group’s President Shawn Henry is a retired executive assistant director of the FBI while their co-founder and CTO, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, which as we have reported, is linked to George Soros. Carter has stated on his website that “At present, it looks a LOT like Shawn Henry & Dmitri Alperovitch (CrowdStrike executives), working for either the HRC campaign or DNC leadership were very likely to have been behind the Guccifer 2.0 operation.” Carter’s website was described by Wikileaks as a useful source of primary information specifically regarding Guccifer 2.0.

Carter recently spoke to Disobedient Media, explaining that he had been contacted by The Forensicator, who had published a document which contained a detailed analysis of the data published by Guccifer 2.0 as “NGP-VAN.”

The document states that the files that were eventually published as “NGP-VAN” by Guccifer 2.0 were first copied to a system located in the Eastern Time Zone, with this conclusion supported by the observation that “the .7z file times, after adjustment to East Coast time fall into the range of the file times in the .rar files.” This constitutes the first of a number of points of analysis which suggest that the information eventually published by the Guccifer 2.0 persona was not obtained by a Russian hacker.
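One way to carry out the check quoted above, added here as an example in Python (it is not code from The Forensicator or from Disobedient Media). The point it relies on is a property of the two archive formats: 7z headers store Windows FILETIME values, which are UTC, while legacy RAR headers store DOS date/time, which is the packing machine's local wall clock with no zone recorded. Shifting the 7z times by each candidate zone's offset and asking under which shift they all land inside the span of the RAR times gives the zone consistent with both archives. Every timestamp and the candidate list below are constructed for illustration, not values from the Guccifer 2.0 files.

```python
from datetime import datetime, timedelta

# Constructed sample entries (invented, not the Guccifer 2.0 archives).
# 7z headers store Windows FILETIME values, which are UTC; legacy RAR headers
# store DOS date/time, i.e. the packer's local wall clock with no zone.
SEVENZ_UTC = ["2016-09-01T19:57:00", "2016-09-01T20:32:00", "2016-09-01T21:10:00"]
RAR_LOCAL = ["2016-09-01T15:40:00", "2016-09-01T16:05:00", "2016-09-01T17:20:00"]

# Candidate zones and their UTC offsets in hours for early September 2016
# (daylight-time values where the zone observed it). Constructed list.
CANDIDATES = {
    "EDT (US East)": -4,
    "CDT (US Central)": -5,
    "PDT (US West)": -7,
    "UTC": 0,
    "MSK (Moscow)": 3,
}


def parse(stamp):
    return datetime.fromisoformat(stamp)


def shift(utc_stamps, offset_hours):
    """Express UTC instants as wall-clock times in a zone with this offset."""
    return [parse(s) + timedelta(hours=offset_hours) for s in utc_stamps]


def fits_in_range(adjusted, local_stamps):
    """True if every adjusted time lies within the span of the local-time stamps."""
    locals_ = [parse(s) for s in local_stamps]
    lo, hi = min(locals_), max(locals_)
    return all(lo <= t <= hi for t in adjusted)


def consistent_zones(utc_stamps, local_stamps, candidates):
    """Names of the candidate zones under which the 7z times fall inside the RAR span."""
    return [
        name
        for name, off in candidates.items()
        if fits_in_range(shift(utc_stamps, off), local_stamps)
    ]


if __name__ == "__main__":
    print("zones consistent with both archives:",
          consistent_zones(SEVENZ_UTC, RAR_LOCAL, CANDIDATES))
```

With the constructed values only the US Eastern offset survives. Two caveats a practitioner should keep in mind: the RAR times are whatever the packing machine's clock said, so the test assumes that clock was not itself set to a foreign zone, and a single surviving candidate is consistency evidence, not proof of location.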

Indictment Against GRU Officers is a FAKE There is NO Evidence

The Special Counsel Robert Mueller issued an indictment (pdf, 29 pages) against 12 Russian people alleged to be officers or personnel of the Russian Military Intelligence Service GRU. The people, claims the indictment, work for an operational (26165) and a technical (74455) subunit of the GRU.

A Grand Jury in Washington DC issued 11 charges which are described and annotated below. A short assessment follows.

The first charge is for a “Conspiracy to Commit an Offense Against the United States” by stealing emails and leaking them. The indictment claims that the GRU units sent spearphishing emails to the Hillary Clinton campaign and the Democratic Party organizations DNC and DCCC. They used these to get access to email boxes of John Podesta and other people. They are also accused of installing spyware (X-agent) on DNC computers and of exfiltrating emails and other data from them. The emails were distributed and published by the online personas DCLeaks, Guccifer II and later through Wikileaks. The indictment claims that DCLeaks and Guccifer II were impersonations by the GRU. Wikileaks, “organization 1” in the indictment, is implicated but so far not accused.

Note: There is a different Grand Jury for the long brewing case against Julian Assange and Wikileaks. Assange has denied that the emails he published came from a Russian source. Craig Murray, a former British ambassador, said that he received the emails on a trip to Washington DC and transported them to Wikileaks.

The indictment describes in some detail how various rented computers and several domain names were used to access the DNC and DCCC computers. The description is broadly plausible but there is little if any supporting evidence.

Charges 2 to 9 of the indictment are about “Aggravated Identity Theft” for using usernames and passwords for the personal email accounts of others.

Charge 10 is about a “Conspiracy to Launder Money”. This was allegedly done “through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin”. It is alleged that the accused mined bitcoins, channeled these through dozens of accounts and transactions and then used them to rent servers, virtual private network access and domain names used in the operation.

Note: The indictment reinforces the author’s hunch that bitcoin and other cryptocurrencies are creations and playgrounds of secret services just like Tor and other ‘cool’ internet ‘privacy’ stuff are. It’s the very reason why one should avoid their use.

Charge 11 of the indictment is a “Conspiracy to Commit an Offense Against the United States”. It claims that some of the accused hacked into state boards of elections and into U.S. companies providing elections related software.

Note: Other reporting found that the alleged attack resulted in no changes to the election results or other damage.

The United States will seek forfeiture of the valuables the accused may have within the United States as part of any sentencing of the accused.


It is not by chance that this indictment was published now, a few days before the first summit between Donald Trump and the Russian President Vladimir Putin and shortly before the successful soccer world championship in Russia ends. The release intends to sabotage the talks.

The indictment describes a wide ranging operation but includes zero proof of anything it alleges.

Mueller likely hopes that the indictment will never come in front of a court. The alleged stuff would be extremely difficult to prove. Any decent lawyer would ask how the claimed information was gained and how much of it was based on illegal snooping by the NSA. Something the U.S. would hate to reveal.

It is unlikely that there will ever be a trial of these cases. The indicted persons are all Russians in Russia and none of them is likely to be stupid enough to follow an invitation to Las Vegas or to Disney World.

But who knows?

In February Mueller indicted the Russian Internet Research Agency, a clickbait farm run for commercial purposes, for influencing the U.S. election. The expectation then, like now, was that there would never be a trial. In a surprise move one of the accused Russian companies, Concord Management, took up the challenge and demanded discovery. Mueller then tried to delay the handover of evidence (which he probably does not have). A judge rejected the attempt. The case is pending.

Deputy Attorney General Rosenstein, who announced the indictment, also made three points that will likely get little coverage. He said (video) that there are no allegations in the indictment that:

any American knew that they were in contact with Russians or with a Russian operation, any American committed a crime in relation to this, that the operation changed or influenced the election.

The indictment, which may well be made up and is unlikely to ever be tested in court, will reinforce the “Russia is an enemy” campaign which was launched way before the 2016 election. It will reinforce the belief of some Democrats that Russia, and not the selection of a disgusting candidate, cost Hillary Clinton the presidency.

The detente with Russia which U.S. president Donald Trump tries to achieve will now be more difficult to implement and to sustain.

F@CKTARD OP! The Whining Liberal Deep State Satanic Baby Raping Scum Never Stop Trying

The bastards never stop trying to discredit everything I say and do. This attempt has no relation to me or my son. SCUM! This is the ongoing Twitter butt hurt sheeple crap they are doing against us thinking that if I was banned for life from Twitter they could get away with anything, nope!

Guccifer 2’s West Coast Fingerprint – Introduction

SOURCE: https://theforensicator.wordpress.com/guccifer-2s-west-coast-fingerprint/ 


THE FORENSICATOR’S INFORMATION: In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written. We also look at the time of day pattern of the “last modified” times for the 25 or so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.


Using a technique recently disclosed by another researcher (David Blake), we were able to establish GMT time zone offsets for Guccifer 2’s first five (5) Word documents. Four of those documents (1.doc, 2.doc, 3.doc, and 5.doc) were created with GMT+3 time zone settings in effect. (During the summer of 2016, GMT+3 would have applied to Central Europe, the Middle East, and Western Russia.) One document, 4.doc, was created with GMT+4 time zone settings in force.

We deduce that 4.doc’s GMT+4 time setting indicates that Russian time zone settings were in force when that document was saved. This conclusion derives from the possible use of an outdated cracked Windows XP OS which did not receive updates to its time zone tables. Hypothetically, this unpatched OS was not updated to reflect the fact that Moscow/Russia dropped Daylight Saving Time for Western Russia in 2014. This conclusion also depends upon the user not adjusting their time zone offset manually for over three months after the time zone should have been corrected.

Given that the user did not manually disable the DST time adjustment, we suggest that 4.doc may have been created on a VM that was purpose-built to “telegraph” the use of Russian time zone settings.

We construct a histogram of the time of day that Guccifer 2 last modified the 25 or so documents that he changed mainly for the purposes of manipulating their metadata (such as “last saved by” user, company name, etc). This histogram supports the conclusion that Guccifer 2 operated out of a region with a GMT+3 time zone offset in force.
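The histogram test, as an added example in Python (not The Forensicator's code). It assumes the “last saved” instants are available normalised to UTC, which is how .docx core properties record the modified time (a legacy .doc gives only wall time, so its UTC instant would first have to be recovered by the Blake method described later). Each candidate offset shifts the instants into local hours, and the offset is scored by how many saves fall inside an assumed waking/working window. The timestamps and the 08:00 to 22:00 window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed "last saved" instants normalised to UTC (invented values, not
# Guccifer 2's). For .docx files the core-properties "modified" value is
# already UTC; for legacy .doc files a UTC instant must first be recovered.
SAMPLE_UTC = [
    "2016-06-15T05:12:00", "2016-06-15T06:40:00", "2016-06-15T07:05:00",
    "2016-06-15T08:30:00", "2016-06-15T09:55:00", "2016-06-15T11:20:00",
    "2016-06-18T10:50:00", "2016-06-18T13:10:00", "2016-06-18T15:45:00",
    "2016-07-06T12:30:00", "2016-07-06T16:00:00", "2016-07-06T18:25:00",
]

# Assumed waking/working window in local hours, [start, end).
WORK_START, WORK_END = 8, 22


def hour_histogram(utc_strs, offset_hours):
    """Counts of local hour-of-day after shifting each UTC instant by the offset."""
    counts = Counter()
    for s in utc_strs:
        local = datetime.fromisoformat(s) + timedelta(hours=offset_hours)
        counts[local.hour] += 1
    return counts


def plausibility(utc_strs, offset_hours):
    """Fraction of saves that land inside the working window under this offset."""
    hist = hour_histogram(utc_strs, offset_hours)
    inside = sum(c for h, c in hist.items() if WORK_START <= h < WORK_END)
    return inside / sum(hist.values())


def rank_offsets(utc_strs, offsets=range(-12, 15)):
    """Candidate whole-hour offsets, best first; ties go to the smaller |offset|."""
    return sorted(offsets, key=lambda off: (-plausibility(utc_strs, off), abs(off)))


def render(utc_strs, offset_hours):
    """Text histogram of local hours for one offset, for eyeballing the spread."""
    hist = hour_histogram(utc_strs, offset_hours)
    return "\n".join(f"{h:02d}:00 {'#' * hist[h]}" for h in range(24) if hist[h])


if __name__ == "__main__":
    best = rank_offsets(SAMPLE_UTC)[0]
    print(f"best-fitting offset: GMT{best:+d}")
    print(render(SAMPLE_UTC, best))
```

The scoring is deliberately crude: a whole-hour offset and a single activity window. With a dozen samples several neighbouring offsets will usually score close together, so the ranking tells you which offsets are compatible with the activity pattern rather than pinning down one zone, and a region spanning several zones (or an operator keeping odd hours) cannot be separated this way.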

We analyze the timestamp on an internal “track changes” entry created by Guccifer 2 when he modified a document that was published in his second batch of documents that were uploaded to his WordPress site. We correlate this timestamp to the document’s “modified” (“last saved”) time recorded in the document’s metadata. Based on this analysis, we reach the surprising conclusion that this document was created on a system which had Pacific Daylight Saving Time (PDT) settings in force, when the change was made.

The PDT finding draws into question the premise that Guccifer 2 was operating out of Russia, or any other region that would have had GMT+3 time zone offsets in force. Essentially, the Pacific Time Zone finding invalidates the GMT+3 time zone findings previously described.


David J. Blake (@HisBlakeness) discovered [archive] a technique that can be used to figure out the timezone offset that was in force when a legacy (.doc) Word document was saved. We use Blake’s method on Guccifer 2’s first five Word documents, in this report.

Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2, early on and extensively. Matt started a Twitter mega-thread here. In one particular tweet [archive], Tait noticed that “track changes” was enabled for a particular document, and that Guccifer 2 had made a small change under the name “Ernesto Che”. His observation prompted us to analyze the date/time of this change. Based on our analysis, we conclude that this document was likely last modified by Guccifer 2 on the West Coast, US.


The following timeline summarizes some key events and developments as they relate to the analysis of Guccifer 2’s early document disclosures. For a much more detailed timeline, consult Adam Carter’s Guccifer 2 timeline.

[2013-07-13] As noted by Thomas Rid (@RidT), the original Guccifer (Marcel Lazăr Lehel) disclosed a similar version of Guccifer 2’s 4.doc in the summer of 2013. Additional metadata analysis indicates that the source document dates back to the time of the Obama administration (2008).

[2016-06-14] Via the Washington Post [archive] the DNC announced it has been hacked. The WaPo article mentions (in its headline and in the body of the article) that they fear that a Trump opposition research document (now known as 1.doc from Guccifer 2) may have been stolen by Russian state-sponsored operatives.

[2016-06-15] The security firm, Crowdstrike, who was hired by the DNC, published a blog [archive] which attributed the alleged DNC hack to Russian state actors.

[2016-06-15] Guccifer 2 arrived on the scene that same day. Guccifer 2 quickly published ten (10) Office documents on his WordPress.com blog [archive]. Five (5) of those are Word documents; they are analyzed in our companion report, Did Guccifer 2 Plant his Russian Fingerprints?. Guccifer 2 initially posed as a Romanian (lone wolf) hacker, but as time went on his story began to deteriorate. Some pundits quickly assigned Russian attribution to Guccifer 2, partly due to Cyrillic artifacts in his first five Word documents. Also, in an online chat, it was observed that Guccifer 2 had weak fluency in Romanian.

[2016-06-15] That same day, two media outlets published stories, covering 1.doc (the DNC sourced “Trump opposition report”), which was apparently pre-disclosed to them by Guccifer 2. Those media outlets were The Smoking Gun [archive] (TSG) and Gawker [archive].

[2016-06-15] Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2. Matt started a Twitter mega-thread here. Matt’s involvement with Guccifer 2 will cause him to be interviewed by Mueller as part of the Mueller investigation of Michael Flynn [archive] in October, 2017.

[2016-06-16] One day later, a well known online media outlet, Ars Technica [archive], (which covers technology topics) reviewed the PDF [archive] posted by Gawker; this PDF is derived from 1.doc. Ars Technica noticed the presence of error messages located in the last few pages of the 200+ page PDF. Those messages were written in Russian (using the Cyrillic alphabet).

[2016-06-18] Guccifer 2 published his second batch of documents. One document from that batch had “track changes” enabled in Word; we focus on that document in this report.

[2016-06-18] In a tweet [archive], Tait noticed a document with “track changes” that Guccifer 2 had uploaded that same day. He reported on a small change that was made under the name “Ernesto Che”. His observation prompted us to analyze the date/time that this change was made. Based on our analysis, we conclude that this document was likely last modified by Guccifer 2 on the West Coast, US.

[2016-10-07] Wikileaks released their first batch of Podesta emails. Per our analysis, all five of Guccifer 2’s first five Word documents (and an additional document used as a template) can be matched with source documents that were included as attachments to Podesta’s emails. We do not conclude that Podesta’s emails were the actual source of Guccifer 2’s first five Word documents, but note that this conclusion cannot be ruled out.

[2018-02-16] David J. Blake (@HisBlakeness) published his research [archive] that suggests that Guccifer 2’s first two documents were created with GMT+3 time zone offset settings in force.

Analysis

The Blake Method: Use the Datastore to Calculate a UTC Offset

Recently, blogger/researcher, David J. Blake (@HisBlakeness) offered some interesting new observations and theories regarding Guccifer 2. Blake made this key discovery [archive].

Blake discovered that some legacy (.doc and .rtf) Word documents contain an internal “datastore” object – this “datastore” object has an internal timestamp that is expressed in UTC (closely equivalent to GMT) time. The containing legacy Word document records times (to the minute) in local time. This means that we can take the “last saved time” (in local time) of the Word document and subtract the datastore time from it (recorded in UTC time) to determine the GMT offset in force at the time that the document was saved.

Blake mentions the “MSODatastore” object; this is a form of “datastore” object introduced by Word 2007.

We observe that some legacy Word documents do not have an MSODatastore object but still have datastore objects that can be used to determine the GMT offset in force when they were saved. Guccifer 2’s 4.doc and 5.doc fall into this category.
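A worked version of the Blake method, added here as an example in Python (it is not Blake's or The Forensicator's code). It takes the two values the method needs, the “last saved” wall time that Word records to the minute with no zone and the UTC timestamp of the embedded datastore object, subtracts one from the other and snaps the result to the nearest 15 minutes, since the wall time has lost up to 59 seconds of precision and real UTC offsets are all multiples of a quarter hour. The document names and timestamps are constructed; pulling the two values out of a real .doc or .rtf is left to a metadata extraction tool.

```python
from datetime import datetime

# Constructed sample documents (not Guccifer 2's real metadata). For each:
# the "last saved" wall time Word stores to the minute with no zone, and the
# UTC timestamp carried in the document's embedded datastore object.
SAMPLE_DOCS = {
    "a.doc": ("2016-06-15 16:38", "2016-06-15T13:38:12"),  # wall clock 3h ahead of UTC
    "b.doc": ("2016-06-15 17:02", "2016-06-15T13:02:47"),  # 4h ahead
    "c.doc": ("2016-06-15 22:15", "2016-06-16T02:45:30"),  # 4h30 behind, across midnight UTC
}


def wall_minus_utc(wall_str, utc_str):
    """Raw difference between the recorded wall time and the datastore's UTC instant."""
    wall = datetime.strptime(wall_str, "%Y-%m-%d %H:%M")
    utc = datetime.fromisoformat(utc_str)
    return wall - utc


def round_to_quarter_hour(delta):
    """The wall time is truncated to the minute, so the raw difference is not an
    exact offset; snap to the nearest 15 min, the granularity of real UTC
    offsets. Returns signed minutes."""
    minutes = delta.total_seconds() / 60
    return int(round(minutes / 15)) * 15


def gmt_label(minutes):
    """Format signed minutes as GMT+3, GMT-4:30 and so on."""
    sign = "+" if minutes >= 0 else "-"
    hours, rem = divmod(abs(minutes), 60)
    return f"GMT{sign}{hours}" if rem == 0 else f"GMT{sign}{hours}:{rem:02d}"


def blake_offset(wall_str, utc_str):
    """Offset in force when the document was saved, per the Blake method."""
    return gmt_label(round_to_quarter_hour(wall_minus_utc(wall_str, utc_str)))


def offsets_for(docs):
    return {name: blake_offset(wall, utc) for name, (wall, utc) in docs.items()}


if __name__ == "__main__":
    for name, label in offsets_for(SAMPLE_DOCS).items():
        print(f"{name}: {label}")
```

The rounding step is what makes the method robust to Word's minute precision; without it a.doc above would come out as 2 h 59 min 48 s and be easy to misread. What the method cannot tell you is whether the zone setting was genuine: it reports the offset the operating system applied, which is exactly why the rest of the report treats the result as a fingerprint that could have been deliberately set.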

Using the Blake Method, we Find the GMT Offset for Guccifer 2’s First Five Documents

We augmented Blake’s results by applying his method to 3.doc, 4.doc, and 5.doc – which were not covered in his write up.

A tab-separated file with the data above can be found here.

We will describe a theory that we think explains the GMT+4 time zone offset. First, we need to present some additional facts and observations as support for that theory.

Did Guccifer 2 Disclose Other Documents that Might be Used to Determine their GMT Offsets?

We looked for other .doc files that Guccifer 2 might have modified and published – to confirm our understanding of the time zones where Guccifer 2 may have operated. We were only interested in documents that Guccifer 2 modified and then saved. Guccifer 2 posted approximately 135 separate files to his blog site. Of those, only 25 have internal “last saved” times that indicate that Guccifer 2 saved them some time after acquisition; by now, most of us know of his infamous proclivity to change the “last saved by” names to heroes and/or villains of past cultural revolutions. The 25 files modified by Guccifer 2 were uploaded in three batches (with the number of documents shown in parentheses): 2016-06-15 (11), 2016-06-18 (9), and 2016-07-06 (5).

Based upon a quick review of the 25 files that Guccifer modified, we conclude that [1-5].doc were the only legacy Word documents that Guccifer 2 changed and published. Therefore, we have no other documents upon which we can apply the Blake method to further establish the time zone offset that may have been in force when the documents were generated. (Note: Guccifer 2 did modify and publish some .docx files, but we cannot apply the Blake method to those.)

Did Guccifer 2 Anticipate the Blake Method?

To date, in our analysis, the one thing we have noticed that all five Word documents have in common is that their time zone offset can be calculated using the Blake method. For the first three documents, their source documents use the new .docx Open Office format; that format does not have the information (the “datastore”) needed to retrieve a UTC timestamp, which (per Blake) can then be compared to the wall time (local time) recorded in legacy .doc files. The datastore object was added when the source files were saved as RTF files.

Given that Guccifer 2 went to some trouble to save his first five documents in a legacy Word file format (RTF), which is a seldom used format, and that these legacy Word documents can be dated using the Blake method, we wonder if Guccifer 2 might not have been aware of this aspect of his first five Word documents? In the same sense that his attempts to pose as a Romanian hacker appeared intentional, we wonder if Guccifer 2 might not have known about the Blake method and deliberately saved those first five Word documents in a way that their time zone offsets might be determined?

A Quick Look at Guccifer 2’s Document Metadata

Some relevant metadata for Guccifer 2’s five documents are shown below.

A tab-separated file with the results listed above is here.

The fields highlighted in blue have values that are different from their matching source document.

Note: The “last modified by” value of “user” in 4.doc is different than in the source document – there it is spelled “User”.

The yellow highlighted fields (based on our analysis) were inherited from a file used as a template.

The “Save As (RTF)” operation in Word will reset the version number to “2”; both the Created and Last Modified dates will be identical; the Last Printed date will be inherited from the original. Thus, 4.doc and 5.doc appear to be the result of a “Save As (RTF)” operation with no subsequent edit operations.

Guccifer 2’s 4.doc is an Outlier of Sorts

As we can see from the metadata, 4.doc is a bit of an outlier.

It was created an hour earlier than the other four documents.

The “last saved by” field was not changed to “Феликс Эдмундович” as it was for the other four documents. Rather, it was changed from “user” to “User” and the Company name was changed to “Grizli777”.

The source document for 4.doc relates back to a document created during the Obama administration (2008).

Guccifer 1 disclosed (via The Smoking Gun) the 4.doc source document (as a PDF with a Comic Sans font) back in 2013.

This string, “CONFIDENTIAL DRAFT FOR REVIEW — 9/4/08” was removed from the source document page header; the word “SECRET” was added. See the comparison below.

The original Guccifer 1 disclosure (2013) left the “CONFIDENTIAL DRAFT …” line intact and did not add “SECRET”.

The “last printed” date from the original source document was preserved and appears in the final document. This helps confirm that this particular document was in fact the source document.

What is this Grizzly Doing in my Document?

As we saw above in the metadata tabulation for Guccifer 2’s Word documents, one of the documents (4.doc) had its Company name set to “Grizli777”. One researcher [@_fl01] was quick to notice this.

Mr. Wagner is right, Grizli777 shows up in bootleg copies of Office(tm) [h/t Adam Carter].

As we discuss below, there is another aspect of 4.doc (a +4 GMT time zone offset in force when the document was created) that is consistent with the theory that a separate computer (probably a VM) was used to create 4.doc. A cracked version of Office(tm) may have been installed on that computer, along with an outdated (also cracked) version of Windows XP.

We note in passing that any computer forensics expert who came up through the ranks, starting as a hacker in their misspent teen years, would have quickly noticed Grizli777 as an indication that the document may have been generated on a system where cracked software was installed. Although Wagner suggests that this cracked software is popular with Russians and Romanians, it is more accurate to say that cracked software is popular with hackers (and others) worldwide. Nevertheless, a forensics expert might view this cracked software as an indication that the system where 4.doc was generated was used by a hacker, as Florian did.

Does Grizli777 Also Hack Elections?

Did Grizli777 give up cracking software and then take up hacking elections? Perhaps instead, this unlucky author added his “Company Name” to the cover page? Is he Russian or Romanian? It doesn’t seem so.

Our point, here, with this anecdote is that the cracked version of Windows Office is not reserved for use by Russians and Romanian hackers.

Russia and Ukraine Time Zone Changes, Circa 2014

In 2014, Eastern Ukraine switched to Moscow Standard Time, and Moscow eliminated Daylight Saving Time.

However, Western Ukraine and a big part of Central Europe, including Bulgaria and Romania do honor DST and therefore would have their clocks set to GMT+3 during the summer. In the map below, everything in yellow uses the GMT+3 time offset during the summer months (courtesy, Wikipedia, with enhancements for GMT+2 using DST).

Guccifer 2’s Fourth Document (4.doc) was Likely Created on a VM with Moscow Time Zone Settings

We launched a VM with Windows XP installed on it, and then set the time zone to Moscow Time; we left the “Automatically adjust clock for daylight saving changes” box checked (the default).

We then ran “Cygwin” (a Unix emulation layer that runs on Windows) and ran a few commands to demonstrate that Windows XP used time zone tables that had not been updated to reflect the Moscow time zone changes that were implemented in October, 2014. Windows XP maintenance ended on April 8, 2014; it is a reasonable assumption that they did not update the Moscow time zone information.

In this demonstration, we took advantage of the fact that Cygwin had been updated subsequent to October 2014. There are other ways to demonstrate this anomaly; this serves our purpose and was easy to do given the tools and programs that were already installed.

We ran the Windows commands ‘date /t’ and ‘time /t’ and compared the result to Cygwin’s ‘date’ command. As shown, Windows is an hour ahead of actual time, because Windows XP is using outdated information.

This simple experiment demonstrates that the GMT+4 time zone offset observed for 4.doc was likely the result of creating 4.doc on a VM running Windows XP, perhaps a cracked version of XP, as we might intuit from Grizli777 in the “Company” name metadata value.
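A model of the experiment above, added as an example in Python (it is not The Forensicator's Cygwin session). It encodes two versions of the Moscow zone rule: a stale one that keeps applying a one-hour summer adjustment between the last Sundays of March and October, which is what an unpatched Windows XP with “Automatically adjust clock for daylight saving changes” ticked would do, and a current one that stays on UTC+3 all year. For a document saved at a given UTC instant it reports the wall clock each rule produces, and therefore the offset the Blake method would recover from that document. The transition rule is a simplification (transition hours are ignored) and the sample instants are constructed.

```python
import calendar
from datetime import datetime, timedelta

# Two models of the "Moscow" zone rule (constructed for this example, not
# read from any real tz database):
#   STALE:   standard UTC+3 plus a 1h summer adjustment between the last
#            Sundays of March and October, i.e. what a Windows XP whose time
#            zone tables predate October 2014 keeps doing when the automatic
#            DST adjustment box is ticked.
#   CURRENT: UTC+3 all year, the rule in force since October 2014.
STALE_RULE = {"base_hours": 3, "applies_dst": True}
CURRENT_RULE = {"base_hours": 3, "applies_dst": False}


def last_sunday(year, month):
    """Date of the last Sunday of the given month (weekday(): Mon=0 .. Sun=6)."""
    last_day = datetime(year, month, calendar.monthrange(year, month)[1])
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def dst_in_force(utc):
    """Simplified rule: summer runs from the last Sunday of March up to the
    last Sunday of October; the exact transition hour is ignored."""
    return last_sunday(utc.year, 3) <= utc < last_sunday(utc.year, 10)


def offset_hours(rule, utc):
    extra = 1 if rule["applies_dst"] and dst_in_force(utc) else 0
    return rule["base_hours"] + extra


def wall_clock(rule, utc):
    """The local time the OS shows (and Word writes into the .doc) at `utc`."""
    return utc + timedelta(hours=offset_hours(rule, utc))


def recovered_offset(rule, utc):
    """Wall time minus datastore UTC: the offset the Blake method would recover."""
    return round((wall_clock(rule, utc) - utc).total_seconds() / 3600)


def compare(utc_iso):
    """Offset the Blake method reports for a save at `utc_iso` on each system."""
    utc = datetime.fromisoformat(utc_iso)
    return {"stale_xp": recovered_offset(STALE_RULE, utc),
            "current": recovered_offset(CURRENT_RULE, utc)}


def clock_discrepancy_hours(utc_iso):
    """How far ahead the stale system's clock runs compared with a patched one
    (the 'Windows is an hour ahead' observation in the Cygwin comparison)."""
    utc = datetime.fromisoformat(utc_iso)
    return offset_hours(STALE_RULE, utc) - offset_hours(CURRENT_RULE, utc)


if __name__ == "__main__":
    for when in ("2016-06-15T13:00:00", "2016-12-01T13:00:00"):
        print(when, compare(when), "clock ahead by", clock_discrepancy_hours(when), "h")
```

In June 2016 the stale rule yields GMT+4 and the current rule GMT+3, which is the one-hour gap the Cygwin comparison showed; in December both agree on GMT+3. That seasonal dependence is the practical check: a GMT+4 reading from a Moscow-configured machine is only explained by a stale table if the save fell inside the old summer-time window.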

4.doc Was Likely Written on a Purpose-Built VM

We think that this VM was likely purpose built, because the user did not manually adjust the time zone offset (the easiest method would be to uncheck the “Automatically adjust clock for daylight saving changes”). The other four documents were written with GMT+3 in force; if we assume that they were written in the MSK time zone, then either a more modern, updated OS was installed, or the user manually adjusted his time zone settings. This manual adjustment would be expected because the incorrect time zone setting would be apparent to the user whenever the DST change occurred. Given that the time zone offset was left uncorrected, we are inclined to think that the VM had not been set up for very long, and therefore was likely purpose built.

Guccifer 2 Telegraphed his Russian Time Zone

The following observations might lead an analyst to conclude that Guccifer was operating in a Russian time zone (and not simply a GMT+3 time zone, which covers a much wider area).

The Blake method indicates that 4.doc was written on a system with GMT+4 time zone settings in force. (In 2016, the Moscow/Western Russia (MSK) time zone no longer implemented Daylight Saving Time – Western Russia was on GMT+3 time.)

The Company Name value of Grizli777 suggests the use of cracked software, in this case a cracked version of Word 2007.

If the Word application is cracked, then the OS might also be cracked. The cracked Windows OS of choice would be Windows XP.

Support for Windows XP was withdrawn in April, 2014 and Western Russia and Eastern Ukraine dropped Daylight Saving Time in October 2014. It is reasonable to assume (and we confirm this in our tests) that this DST change was never made in this cracked version of Windows XP.

This unique collection of observations leads to the conclusion that 4.doc was created on a system with Moscow (Western Russia) time zone settings in force.

Given that Guccifer 2 went to some trouble to create 4.doc on a purpose-built VM with settings that suggested the use of cracked software, combined with the GMT+4 time zone offset, we wonder whether Guccifer 2 intended to “telegraph” the fact that 4.doc was written on a system with Russian time zone settings in effect. If not, why did he bother to make a trivial change to 4.doc on this one particular system (VM)?

Last Saved Time on Guccifer 2’s First 25 Documents Suggests GMT+3 Working Hours

Over the course of about four months (beginning June 15, 2016), Guccifer 2 uploaded approximately 150 documents to his blog site. However, based on “last saved” times, Guccifer only modified and uploaded about 25 documents; the rest were uploaded as is. We can plot the hour that those 25 Office documents were saved in a histogram (shown below).

This histogram seems to support the conclusion that Guccifer worked on those 25 documents during GMT+3 (Central Europe and Western Russia) working hours. However, as we show in the following section, there is at least one important data point that strongly contradicts this conclusion.

Guccifer 2’s West Coast Fingerprint

Matt Tait (@pwnallthings), a security blogger/journalist, noticed [archive] a change revision entry in one of the Word documents published by Guccifer 2; this document was uploaded by Guccifer 2 in his second batch of documents, published on June 18, 2016. That document, named hillary-for-america-fundraising-guidelines-from-agent-letter.docx, had “track changes” enabled in Word; it recorded one of the changes Guccifer 2 made under the pseudonym “Ernesto Che”.

In that tweet, Tait refers to this excerpt from the raw Word document’s XML data.

Before diving into the XML, let’s open the document in Word and have a look at that change made by Guccifer 2.

We can see that Mr. Che inserted some spaces in “Kilroy was here” fashion. This document can be matched with an attachment to this email in the Wikileaks Podesta email collection. There it does not have “track changes” enabled – this is something that Guccifer 2 added.

The time shown is “12:56:00 AM”, or 56 minutes after midnight. The date is June 17, 2016 (two days after Guccifer 2’s debut). This agrees with the XML that Tait noted. Does it really, though? We will investigate further.

Let’s set our system’s time zone to UTC+00 (UTC and GMT are equivalent for our purposes), and have a look at the file’s properties. (After setting the system time zone explicitly, we need to exit Word and restart it for the change to take effect.) We select the “File” tab, then select “Info” and look at the panel on the right of the screen.

The document was last saved at 7:56 AM GMT. Notice that the minutes value is the same as that shown for the tracked change; the two are seven (7) hours apart. Now that we have GMT set, we take another look at the “track changes” time. It is the same as when we had the Pacific time zone set (“12:56:00 AM”). What this tells us is that the track changes entry is expressed in local time, not GMT. The file properties time is, however, expressed in GMT.

With this information, we could stop here and reach our final conclusion, but we will first dig a little deeper into the XML. We analyzed the document further and correlated the timestamp on this change made by Guccifer 2 with the document’s last modified time. The first thing to know is that a Word .docx file is an ordinary “Zip” archive that includes, among other things, several XML files. Our document looks like this after it is unzipped.

We are interested in docProps/core.xml, which holds the file properties we just viewed in Word, and word/document.xml, which holds the document’s main body text; the latter includes the track changes entry that Tait noticed.

Let’s turn to the document’s properties found in docProps/core.xml.

We notice that the time recorded is 07:56 “Zulu” (GMT). Referring back to the change history properties, we note that it states that the time is 00:56 AM — apparently 7 hours earlier. We note (based on our tests) that the change entry’s time is in local time, not “Zulu” time.

To confirm our observation that the change logs record local time, we ran a test on a VM running Windows XP with the time zone offset set to GMT+3. This is the environment that Guccifer 2 supposedly worked in when he created four of his first five Word documents. As an experiment, we open the same document that Guccifer 2 uploaded and add a single line of text to it. The document’s “modified” (last saved) time is 16:12 (GMT).

Next, we query the document’s XML for the change log information.

Here, we see a (local) time of 19:12 which is 3 hours later, as we would expect for a computer (VM) operating with GMT+3 time zone settings in force. This is how things should have looked if Guccifer 2 had made his change with GMT+3 settings enabled. Instead, we see a -7 (minus seven) hours offset from GMT.

Based on the original change log timestamp, which is 7 hours earlier than the document’s (GMT based) last modified time, we reach the following surprising conclusion.

Guccifer 2’s document, named hillary-for-america-fundraising-guidelines-from-agent-letter.docx, was saved on a computer which had Pacific Daylight Time (PDT) settings in force.
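The check described above (compare the UTC last-saved time in docProps/core.xml with the local-time date on a tracked revision in word/document.xml) can be automated. The following script is an added example, not the Forensicator’s tooling; it builds a constructed minimal .docx in memory using the timestamp values discussed above and assumes, as the analysis does, that the revision date is local time despite its “Z” suffix.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DCTERMS = "{http://purl.org/dc/terms/}"

# Constructed sample parts (not the real document): core.xml carries the
# last-saved time in UTC; the w:ins revision date mirrors the value discussed
# above. Word writes a "Z" suffix on both, but the analysis finds that the
# revision date is actually local time, which is what makes the offset usable.
CORE_XML = (
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
    'metadata/core-properties" xmlns:dcterms="http://purl.org/dc/terms/">'
    '<dcterms:modified>2016-06-17T07:56:00Z</dcterms:modified></cp:coreProperties>'
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:ins w:id="1" w:author="Ernesto Che" w:date="2016-06-17T00:56:00Z">'
    '<w:r><w:t xml:space="preserve">  </w:t></w:r></w:ins></w:p></w:body></w:document>'
)

def build_sample_docx() -> bytes:
    """Pack the two XML parts into a minimal .docx (a .docx is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def _stamp(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def revision_offsets(docx_bytes: bytes) -> list:
    """Return (author, local-minus-UTC hours) per tracked revision; meaningful
    only when the revision was the last edit before the save (minutes agree)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    modified = _stamp(core.find(f".//{DCTERMS}modified").text)
    offsets = []
    for el in doc.iter():
        if el.tag in (W + "ins", W + "del"):
            local = _stamp(el.get(W + "date"))
            offsets.append((el.get(W + "author"), (local - modified).total_seconds() / 3600))
    return offsets
```

For the constructed sample the offset comes out at -7 hours, the UTC-7 (PDT) result the analysis reports; a real file from a GMT+3 machine would yield +3, as in the Windows XP test above.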

The PDT Finding Invalidates the Prior GMT+3 Findings

In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region. However, when we set that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved on the US West Coast, we have to question our GMT+3 findings.

We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were generated on the US West Coast. Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia. Here is how the histogram shifts if all 25 files were last saved on the West Coast (PDT).

For those who might suggest that Guccifer 2 intentionally planted his “West Coast fingerprint”, we ask: what was his motive? His first five documents appear to have been carefully crafted to send the message that they were generated somewhere in Russia, and his working hours appear to be consistent with that conclusion. Why would Guccifer 2 want to undo his hard work?

Closing Thought

SOURCE: The Forensicator


Last Update: 07/15/2018 14:53 +0300

Copyright JAR2 2003-2018 All Rights Reserved