Group-IB’s digital forensic experts presented the analysis of documents on the case involving Russian biathletes

Group-IB, an international cybersecurity company that specializes in preventing cyberattacks, has analyzed the documents bearing the signature of former Moscow anti-doping laboratory director Grigory Rodchenkov. These documents were presented during the hearings at the Court of Arbitration for Sport (CAS) in the case involving Russian biathletes Olga Vilukhina, Yana Romanova, and Olga Zaytseva. During the investigation, the experts established that the documents contained completely identical images with a signature on them, which were supposedly pasted into these documents from a different source. Similar conclusions have been reached by British graphologists. This was reported by the lawyer of the former biathletes, Alexei Panich, after the first day of CAS hearings in Switzerland.

Experts from the international cybersecurity company Group-IB conducted a digital forensic analysis of the files provided by the client, the law firm Herbert Smith Freehills CIS LLP. The files provided for analysis were: «Exhibit 43 Affidavit of Dr. Grigory M. Rodchenkov dated 12 November 2019.PDF» and «Exhibit R-64 Affidavit of Dr. Grigory M. Rodchenkov dated 22 February 2020.pdf». These files were presented as part of today’s CAS hearings.

A digital forensic examination, conducted by GIAC (Global Information Assurance Certification) certified analysts, revealed that these are two different files from a digital forensic standpoint. They have different metadata, such as file size, the PDF version in which they were created, etc. At the same time, forensic analysis established that page 16 of the PDF file «Exhibit 43 Affidavit of Dr. Grigory M. Rodchenkov dated 12 November 2019.pdf» and page 6 of the PDF file «Exhibit R-64 Affidavit of Dr. Grigory M. Rodchenkov dated 22 February 2020.pdf» contain an element that is exactly identical from a digital forensic standpoint and can be extracted: an image with a signature.

These images have the same file size and hash value (a unique fingerprint for a file). Both images can be copied and extracted from the files. It is obvious that a person’s signature is always more or less the same; however, scanned signatures will always have minor differences. If the images with signatures are exactly identical, this means that this is most likely the same image, which was pasted into different documents, or one image copied from one file and pasted into another.

Sergey Nikitin

Deputy Head of the Digital Forensics Lab at Group-IB
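
The comparison described above (two different PDF containers that embed a byte-identical image) can be reproduced in a few lines. This is an added example, not Group-IB's tooling or code from the case: the sample documents are constructed inline, `make_pdf` is a hypothetical helper, and the scan assumes image XObjects are stored as plain indirect objects rather than inside compressed object streams.

```python
import hashlib
import re

# Simplified scan: assumes image XObjects are plain indirect objects
# (not packed in compressed object streams) and hashes the raw stream bytes.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*)\r?\nendstream", re.DOTALL)

def image_fingerprints(pdf_bytes):
    """Map SHA-256 of each embedded image stream to (object number, size)."""
    found = {}
    for obj_num, body in OBJ_RE.findall(pdf_bytes):
        m = STREAM_RE.search(body)
        if m and re.search(rb"/Subtype\s*/Image", m.group(1)):
            data = m.group(2)
            found[hashlib.sha256(data).hexdigest()] = (int(obj_num), len(data))
    return found

def shared_images(pdf_a, pdf_b):
    """Return (hash, location in A, location in B) for byte-identical images."""
    a, b = image_fingerprints(pdf_a), image_fingerprints(pdf_b)
    return [(h, a[h], b[h]) for h in sorted(a.keys() & b.keys())]

def make_pdf(version, streams):
    """Build a constructed, minimal PDF-like byte string for the demo."""
    out = b"%PDF-" + version + b"\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    for num, data in enumerate(streams, start=2):
        out += b"%d 0 obj\n<< /Type /XObject /Subtype /Image /Length %d >>\n" % (num, len(data))
        out += b"stream\n" + data + b"\nendstream\nendobj\n"
    return out + b"%%EOF\n"

# Constructed sample data (not taken from the exhibits).
SIGNATURE = b"\x89constructed-signature-scan\x00\x01\x02"
RESCAN = b"\x89constructed-signature-scan\x00\x01\x03"  # one byte differs
DOC_A = make_pdf(b"1.4", [SIGNATURE, b"constructed letterhead A"])
DOC_B = make_pdf(b"1.7", [b"constructed stamp B", SIGNATURE])
DOC_C = make_pdf(b"1.7", [RESCAN])

if __name__ == "__main__":
    print("containers identical:", DOC_A == DOC_B)
    for digest, loc_a, loc_b in shared_images(DOC_A, DOC_B):
        print("shared image", digest[:16], "A obj/size", loc_a, "B obj/size", loc_b)
    print("match against rescan:", shared_images(DOC_A, DOC_C))
```

A single differing byte, as any fresh scan of a handwritten signature would produce, changes the digest, which is why a hash match across otherwise different files points to one reused image.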

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.