There’s a lot more to the G2.0. altered documents than meets the eye. Part one compares the original docx with what became Guccifer2.0’s 1.doc. The only conclusion that most metadata is faked.
Part two looks at the sections of binary interspersed in the document. These contain many oddities like a “Confidential” watermark file that seems to be from the General Defence Intelligence Committee, the actual XML stylesheet that G2.0. used called “Стандартная” to be a fake Russian, and a mystery section of binary yet to be decoded.
Part three looks at the best evidence the documents have of Guccifer’s identity; a datastore that must have been created by G2.0. computer. It reveals that he has a specific developer’s kit on his computer MSXML SDK with a specific UUID, that could, if it was registered with Microsoft narrow down the search.
And finally part three also looks at timestamps which seem to suggest that the likely zone for the alteration of these documents was GMT +3, or EEST, which includes Romania.
Romania boasts the “most Dangerous Town on the Internet” Ramnicu Valcea. Sixty miles south of Ramnicu Valcea is the village of Cârcea where THCServers are located. They have been involved in DCLeaks.com, actblues.com, and ElectionLeaks.com. Is it too far-fetched to add Guccifer2.0.wordpress to the list?