Doc 1 – Part One: Manipulations, Fonts & Fakery

  • G2.0 metadata is fake
  • Russian stylesheet attached
  • The file was manipulated to make the metadata visible.
  • But we have a vital Guccifer2.0 breadcrumb

On Manipulations

On 11th March 2016  John Podesta clicked on a phishing email. On the 19th March his gMail was logged into via IP 134.249.139.239 (Ukraine, kyivstar.net broadband) and Vladimir Putin, or computer genius Donald Trump, or a band of Romanian digital-pick-pockets (choose appropriately according to your political affiliation) seized control of his gMail account.

Those email and documents later turned up at wikileaks in October 2016. So it’s only with hindsight that we can see that Guccifer’s 1.doc originates from this document (.docx file ) “12192015 Trump Report.docx” in the Podesta files.

.docx files are composite files, like a zip file. By renaming the file as a .zip we can unzip to see the XML files that make up the docx, which gives us the following XML tree:

├── [Content_Types].xml
├── customXml
│   ├── item1.xml
│   ├── itemProps1.xml
│   └── _rels
│   └── item1.xml.rels
├── docProps
│   ├── app.xml
│   └── core.xml
├── _rels
└── word
 ├── document.xml
 ├── fontTable.xml
 ├── media
 │   └── image1.png
 ├── numbering.xml
 ├── _rels
 │   └── document.xml.rels
 ├── settings.xml
 ├── styles.xml
 ├── theme
 │   └── theme1.xml
 └── webSettings.xml

And the document properties can be seen in the app.xml…

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal</Template><TotalTime>1</TotalTime><Pages>157</Pages><Words>130710</Words><Characters>716292</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>11019</Lines><Paragraphs>3160</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>843842</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>15.0000</AppVersion></Properties>

and core.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>Dillon, Lauren</dc:creator><cp:lastModifiedBy>Tony Carrk</cp:lastModifiedBy><cp:revision>3</cp:revision><cp:lastPrinted>2015-12-16T07:58:00Z</cp:lastPrinted><dcterms:created xsi:type="dcterms:W3CDTF">2015-12-20T16:01:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2015-12-20T16:01:00Z</dcterms:modified></cp:coreProperties>

Note that the authors are “Dillon, Lauren” and “Tony Carrk”, and that there’s no company listed, and that the create, modified (both 2015-12-20T16:01:00Z)  and last printed times (2015-12-16T07:58:00Z) are all in 2015.

The theme isn’t in Russian:

<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme"><a:themeElements><a:clrScheme name="Office">

There’s Custom XML, which contains a bibliography scheme and a UUID for it:

cat customXml/item1.xml 
<b:Sources SelectedStyle="\APA.XSL" StyleName="APA" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns="http://schemas.openxmlformats.org/officeDocument/2006/bibliography"></b:Sources>
$ cat customXml/itemProps1.xml 
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ds:datastoreItem ds:itemID="{7394DE7E-FAED-42D7-8057-7F55D3010E52}" xmlns:ds="http://schemas.openxmlformats.org/officeDocument/2006/customXml"><ds:schemaRefs><ds:schemaRef ds:uri="http://schemas.openxmlformats.org/officeDocument/2006/bibliography"/></ds:schemaRefs></ds:datastoreItem>

{This customXML also appears in the binary of MSODatastore with the difference that the UUID in the original is 7394DE7E-FAED-42D7-8057-7F55D3010E52. The UUID in G2.0’s version (more details soon) is 8DC20819-F3E2-4B41-AB13-0098F82D255A.}

And finally we find an interesting font: APIHID+TimesNewRoman

<w:sig w:usb0="E1002AFF" w:usb1="C0000002" w:usb2="00000008" w:usb3="00000000" w:csb0="000101FF" w:csb1="00000000"/></w:font><w:font w:name="APIHID+TimesNewRoman"><w:altName w:val="Times New Roman"/><w:panose1 w:val="00000000000000000000"/><w:charset w:val="00"/><w:family w:val="roman"/><w:notTrueType/><w:pitch w:val="default"/>

Searches for APIHID (I’m guessing API for a Human Interface Device) brings up dodgy looking Chinese keyloggers (I wouldn’t click on these links..!). Searches for “E1002AFF” finds either a Java based docx manipulation program, or (most likely in my view) a library for Braille transcription.

It’s this unusual font, present both in the Podesta docx and the G2.0 doc, which confirms that they are the same document.

————————————————————————————————————

Therefore:

  1. Most, perhaps all, of the metadata in G2.0’s doc is fake.
  2. It may be a “blend” of two or even three documents, because other fonts and images not in the original are in G2.0’s version

————————————————————————————————————

The metadata in G2.0’s version must be fake:

{\info{\title _TITLE}{\author Warren Flood}
{\operator \'d4\'e5\'eb\'e8\'ea\'f1 \'dd\'e4\'ec\'f3\'ed\'e4\'ee\'e2\'e8\'f7}{\creatim\yr2016\mo6\dy15\hr13\min38}{\revtim\yr2016\mo6\dy15\hr14\min8}{\printim\yr2016\mo6\dy15\hr13\min45}{\version4}{\edmins2}{\nofpages231}{\nofwords124401}{\nofchars725602}
{\*\company GSA}

The author isn’t Warren Flood. The company isn’t GSA. The operator is not Felix Edmundovich.

The Authors are Lauren Dillon and Tony Carrk, which is confirmed by mal-formed hyperlinks in the document.

The metadata times however are more nuanced. Against them being correct is that; everything else is fake, and why on earth print a document you’ve just hacked..?! So if “last printed” is fake, the rest could also be fake.

However for them being correct is; a) they’re just before they were uploaded to the website, so that fits, and b) we’ll see later that the (infinitely harder to fake) Win32FileTime, gives a date and time to the minute but different hours..

In Doc1: Part Two we’ll look at these binary chunks found in Guccifer2.0’s version and what they all mean for the state of the planet.

6 thoughts on “Doc 1 – Part One: Manipulations, Fonts & Fakery

  1. Pingback: Doc 1: Part 3 … Back to Romania! | Loaded For Guccifer ~

  2. Outstanding post however , Iwas wanting to know iif you could write a litte more on this subject?
    I’d be very grateful if yyou could elaborate a little bit more.
    Thanks!

    Like

    Reply

Leave a comment