Editor’s note: Below, we reproduce the introduction section of an article that was originally published by the Forensicator and is reprinted here with permission. The Forensicator’s latest analysis of Duncan Campbell’s smear piece, though technically intensive, is worth reading by everyone – not only the technically literate – who wishes to understand the numerous inaccuracies in Campbell’s work from the Forensicator’s perspective.

Recently, Duncan Campbell published an article in Computer Weekly titled: Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links [archive].  Mr. Campbell casts a wide net, pulling various people into his story of alleged pro-Kremlin conspiracy.  In this article, Forensicator will address Campbell’s sensational claims and theories about Forensicator’s identity, alliances, motives, and methods.  In short, Forensicator is not a GRU operative, not Adam Carter’s alter ego, and is not a pawn in Guccifer 2’s grand game of chess.

Forensicator is an anonymous online blogger who has written several reports which analyze various document dumps made by Guccifer 2.  Forensicator’s first report, Guccifer 2.0 NGP/VAN Metadata Analysis, was published July 9, 2017; Elizabeth Vos of Disobedient Media covered that report in an article titled, New Research Shows Guccifer 2.0 Files Were Copied Locally, Not Hacked.

The Forensicator’s first report went viral and has been covered widely by the legacy media, in alternative media, and in various social media venues.  Of particular note, a well-respected group of former US security professionals (the VIPS) published an article a few weeks later (July 24, 2017) in Consortium News, titled Intel Vets Challenge ‘Russia Hack’ Evidence.  The VIPS report was subsequently mentioned in an article published in The Nation, authored by Patrick Lawrence; that article (dated August 9, 2017) was titled A New Report Raises Big Questions About Last Year’s DNC Hack.  Lawrence’s article generated a lot of controversy, which The Nation addressed in a follow-up article (September 1, 2017) titled, A Leak or a Hack? A Forum on the VIPS Memo.  Recently (August 13, 2018), Patrick Lawrence published a one-year retrospective, titled, ‘Too Big to Fail’: Russia-gate One Year After VIPS Showed a Leak, Not a Hack [Consortium News].

A journalist/blogger who goes by the pen name Adam Carter (@with_integrity on Twitter) runs a web site, g-2.space, which follows research related to the anonymous persona Guccifer 2.  Guccifer 2 has been linked to Russia’s GRU spy agency by US intelligence agencies and was highlighted more recently (July 13, 2018) in a DOJ indictment.

It seems that Carter may have unknowingly locked horns with Duncan Campbell in November, 2017 when Carter published an article critical of Campbell’s reporting.  Campbell co-authored an article with James Risen that was published in the Intercept under the title CIA Director Met Advocate of Disputed DNC Hack Theory — at Trump’s Request.  A month or so later, Campbell would begin a nine-month quest to strip Carter’s anonymity.

Although the majority of Campbell’s article dwells on Carter’s background, there is some discussion of Forensicator’s research.  It seems that Campbell wanted to weave Carter and Forensicator into an elaborate pro-Kremlin plot to spread disinformation.  Campbell tells us that an objective of this plot was to seed conspiracy theories that linked a particular document dump published by Guccifer 2 with a DNC staffer who met an untimely death on July 10, 2016.  Campbell speculates that Guccifer 2 “manipulated” and “tampered” with the data to achieve this desired effect.

Campbell further suggests (without support) that Forensicator might be a persona invented by Carter and that Carter and Forensicator went into action when they received a “tip-off file” (a Word document) from an unnamed third party that Campbell implies might be pro-Kremlin; perhaps linked to a Russian spy agency (the GRU).

Forensicator notes that this “tip-off file” is a publicly accessible document found on Carter’s web site.  It is clearly labeled as being for “technical review only”.   Forensicator and Carter both recall that this document was intended for technical review by a qualified independent third party.  Forensicator also points out that a clearly labeled publicly accessible document is an unlikely form of covert communication from a state-sponsored intelligence organization.

A quick comparison between this “tip-off file” and Forensicator’s final report shows us that this Word document is a working draft of the final report.  Campbell’s claim that neither Forensicator nor Carter wrote this document themselves is based upon the presence of a simple typo in a command line script found in Forensicator’s final blog.

In the discussion that follows, Forensicator goes to some trouble to demonstrate how that typo ended up in Forensicator’s blog.  It was a simple copy/paste error that had nothing to do with Forensicator’s alleged lack of technical skills.

Further, although Campbell suggests that Forensicator enhanced this “tip-off file” for “propaganda effect”, Forensicator demonstrates that as he continued to work on his final report, he in fact removed and changed text that might have been much more suggestive of an internal DNC leak.  Forensicator’s final report had a much lower “propaganda effect” than the draft document that Campbell calls the “tip-off file”.  Campbell’s claim is without merit.

Campbell tells us that a key component in the “Forensicator Fraud” was Guccifer 2’s decision to use an outdated version of a file archiving program, WinRAR.  It was the interaction between an outdated WinRAR zip file format and another zip file format (7zip) that led to Forensicator’s observation that the files in Guccifer 2’s final 7zip file had been written on the East Coast.

Forensicator tells us that hackers generally use cracked software and that these cracked programs are generally old and out-of-date.  In fact, there are indications in another document published by Guccifer 2 that a cracked version of Office 2007 (which is over 10 years old) had been used.  Guccifer 2’s decision to use an old cracked version of WinRAR was likely not a deliberate decision but rather a result of typical hacker behavior.  We do not know if Guccifer 2 is an actual hacker or not, but he generally acted like one.

Campbell’s conspiracy theory falls flat after Forensicator strips away the “tip-off file”, the typo in a command line, the use of an outdated version of WinRAR, and the alleged “propaganda effect”.

In a closing section, Forensicator addresses Campbell’s criticism of another report authored by Forensicator, Guccifer 2.0 CF Files Metadata Analysis.  Campbell takes exception to Forensicator’s conclusion, but can offer no counter-explanation other than that Guccifer 2 must have “tampered” with the dates by subtracting one hour from them.  Campbell has no explanation for why Guccifer 2 would decide to tamper with the file dates in this way.

Forensicator points out that for the other Zip file that Forensicator analyzed, Campbell took the opposite position: that Guccifer 2 manipulated the metadata in a very specific and obscure fashion with a particular objective in mind.  Further, Campbell leaves out an important observation: The files were likely first written to a thumb drive.  Forensicator’s scenario incorporates that observation; Campbell ignores it altogether.

[Editor: Forensicator includes the following summary of his conclusions along with a closing thought.  We encourage the reader to review Forensicator’s full report which includes his detailed analysis.]

Closing Thought

Scottish Proverbs (James Kelly, 1771)

