3 March 2020

Group-IB’s digital forensic experts presented the analysis of documents on the case involving Russian biathletes

An international cybersecurity company Group-IB that specializes in preventing cyberattacks, has analyzed the documents under the signature of former Moscow anti-doping laboratory director Grigory Rodchenkov. These documents were presented during the hearings in the Court of Arbitration for Sport (CAS) on the case involving Russian biathletes — Olga Vilukhina, Yana Romanova, and Olga Zaytseva. During the investigation, the experts established that the documents contained completely identical images with a signature on them, which were supposedly pasted to these documents from a different source. Similar conclusions have been reached by the British graphologists. This was reported by the lawyer of former biathletes, Alexei Panich, after the first day of CAS hearings in Switzerland.

The experts from international cybersecurity company Group-IB conducted digital forensic analysis of those files that were presented by the client — a law firm, Herbert Smith Freehills CIS LLP. The files provided for analysis were: «Exhibit 43 — Affidavit of Dr. Grigory M. Rodchenkov dated 12 November 2019.PDF» and «Exhibit R-64 — Affidavit of Dr. Grigory M. Rodchenkov dated 22 February 2020.pdf». These files were presented as part of today’s CAS hearings.

Digital forensic examination, conducted by GIAC (Global Information Assurance Certification) certified analysts, revealed that these are two different files from digital forensic standpoint. They have different metadata, such as file size, PDF Version in which they were created, and etc. At the same time, forensic analysis established that page 16 of the PDF file «Exhibit 43 — Affidavit of Dr. Grigory M. Rodchenkov dated 12 November 2019.pdf» and page 6 of the PDF file «Exhibit R-64 — Affidavit of Dr. Grigory M. Rodchenkov dated 22 February 2020.pdf» contain exactly identical, from digital forensic standpoint, element that can be extracted — an image with a signature.

These images have the same file size and hash value (unique fingerprints for files). Both images can be copied and extracted from the files. It is obvious that a person’s signature is always more or less the same, however, scanned signatures will always have minor differences. If the images with signatures are exactly identical, this means that this is most likely the same image, which was pasted to different documents or one image copied from one file and pasted to another.

Sergey Nikitin

Sergey Nikitin

Deputy Head of the Digital Forensics Lab at Group-IB

Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB Threat Intelligence system was named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on company’s 16 years of experience in cybercrime investigations all over the world and 60 000 hours of incident response accumulated in the largest forensic laboratory in Eastern Europe and a 24/7 CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE. Group-IB is a member of the World Economic Forum.

Report an incident

24/7 Incident Response Assistance +65 3159-4398

Thank you for the inquiry! We will contact you soon.

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

Report an incident