Forensicator: Guccifer 2.0 Returns To The East Coast, from DisObedient Media

Editorial Note: The Forensicator recently published a report, titled “Guccifer 2 Returns To The East Coast.” Forensicator provided the following introduction to his latest findings, reproduced here with the permission of the author.

In this post, we announce a new finding that confirms our previous work and is the basis for an update that we recently made to Guccifer 2’s Russian Breadcrumbs. In our original publication of that report, we posited that there were indications of a GMT+4 timezone offset (legacy Moscow DST) in a batch of files that Guccifer 2 posted on July 6, 2016. At the time, we viewed that as a “Russian breadcrumb” that Guccifer 2 intentionally planted.

Now, based on new information, we have revised that conclusion: The timezone offset was in fact GMT-4 (US Eastern DST).  Here, we will describe how we arrived at this new, surprising conclusion and relate it to our prior work.

A month or so after publication, Stephen McIntyre (@ClimateAudit) replicated our analysis. He ran a few experiments and found an error in our original conclusion.

We mistakenly interpreted the last modified time that LibreOffice wrote as “2015-08-25T23:07:00Z” as a GMT time value. Typically, the trailing “Z” means “Zulu Time”, but in this case, LibreOffice incorrectly added the “Z”. McIntyre’s tests confirm that LibreOffice records the “last modified” time as local time (not GMT). The following section describes the method that we used to determine the timezone offset in force when the document was saved.

LibreOffice Leaks the Time Zone Offset in Force when a Document was Last Written

Modern Microsoft Office documents are generally a collection of XML files and image files.  This collection of files is packaged as a Zip file.  LibreOffice can save documents in a Microsoft Office compatible format, but its file format differs in two important details: (1) the GMT time that the file was saved is recorded in the Zip file components that make up the final document and (2) the document internal last saved time is recorded as local time (unlike Microsoft Word, which records it as a GMT [UTC] value).
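The comparison described above can be sketched as follows. This is an added example, not the Forensicator's own code: it reads the internal last-modified value from the standard OOXML core-properties part (`docProps/core.xml`, element `dcterms:modified`) and subtracts the GMT timestamp stored on that Zip component. The function names and both sample timestamps are constructed for illustration.

```python
import io
import re
import zipfile
from datetime import datetime, timedelta

CORE = "docProps/core.xml"  # standard OOXML core-properties part

def build_sample(modified_local: str, zip_gmt: tuple) -> bytes:
    """Constructed test input: a minimal .docx-like Zip, not a real document."""
    xml = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
           'package/2006/metadata/core-properties" '
           'xmlns:dcterms="http://purl.org/dc/terms/" '
           'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
           f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified_local}'
           '</dcterms:modified></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The Zip entry timestamp plays the role of the GMT save time.
        zf.writestr(zipfile.ZipInfo(CORE, date_time=zip_gmt), xml)
    return buf.getvalue()

def infer_offset_hours(docx_bytes: bytes) -> float:
    """Return (internal last-modified) minus (Zip component time), in hours.

    Assumes the document was written by LibreOffice, so the internal value
    is local time and the Zip component time is GMT, as the text states.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        info = zf.getinfo(CORE)
        xml = zf.read(CORE).decode("utf-8")
    m = re.search(r"<dcterms:modified[^>]*>([^<]+)</dcterms:modified>", xml)
    if m is None:
        raise ValueError("no dcterms:modified element in core.xml")
    # Drop the trailing "Z": in this case it does not mark a GMT value.
    local = datetime.strptime(m.group(1).rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    gmt = datetime(*info.date_time)
    # Round to the nearest quarter hour to absorb the seconds-level skew
    # between the two recorded values.
    return round((local - gmt) / timedelta(minutes=15)) * 0.25

if __name__ == "__main__":
    # Constructed timestamps: same GMT save time, two candidate local times.
    east = build_sample("2016-07-01T10:15:00Z", (2016, 7, 1, 14, 15, 32))
    print(infer_offset_hours(east))  # -4.0
```

For a document saved by Microsoft Word the internal value is already GMT, so the subtraction carries no timezone information.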

