Nerdpedes,
have a look at
https://security.stackexchange.com/questions/64915/what-are-the-biggest-security-concerns-on-pxe
Best of:
I can capture a full machine image. Do your systems automatically connect to the domain controller after setting up the machine? If so, this image probably has domain controller credentials on it, that I can capture and use elsewhere.
Computer makes a DHCP request --> DHCP server responds with address and PXE parameters --> Computer downloads boot image using TFTP over UDP
If the good guys got the traffic at that low level, unencrypted, then they would have it all.
In oversimplified terms, it allows you to ignore the onboard operating configuration and, instead of booting from the internal drive, download another configuration or additional executables over the network.
So a machine that has been audited can then have PXE enabled post-audit to boot up an entirely different image or functions than what was audited.
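The DHCP-then-TFTP exchange quoted above is the point at which a defender can check whether a host was handed network-boot parameters. The following is an added example, not code from the linked thread or its answers; it decodes the boot parameters a DHCP offer carries, whether in the fixed header fields (siaddr, file) or in options 66/67, and runs on a constructed sample packet rather than a real capture.

```python
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132: marks the start of the option field


def parse_dhcp_options(msg: bytes) -> Dict[int, bytes]:
    """Decode the TLV option field that follows the 240-byte fixed DHCP header."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(msg) and msg[i] != 255:      # 255 = end option
        if msg[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option")
        length = msg[i + 1]
        opts[msg[i]] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _text(b: bytes) -> str:
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def pxe_boot_parameters(msg: bytes) -> Optional[Dict[str, str]]:
    """Network-boot parameters in an offer (header fields or options 66/67), else None."""
    opts = parse_dhcp_options(msg)
    siaddr = ".".join(str(b) for b in msg[20:24])          # 'next server' header field
    tftp = _text(opts.get(66, b"")) or (siaddr if siaddr != "0.0.0.0" else "")
    bootfile = _text(opts.get(67, b"")) or _text(msg[108:236])   # 'file' header field
    if not (tftp or bootfile):
        return None
    return {"tftp_server": tftp, "bootfile": bootfile,
            "vendor_class": _text(opts.get(60, b""))}


def build_offer(next_server: str, bootfile: str, use_options: bool) -> bytes:
    """Construct a minimal DHCPOFFER; sample data for this example, not a real capture."""
    hdr = bytearray(240)
    hdr[0:2] = b"\x02\x01"                   # BOOTREPLY, htype ethernet
    hdr[236:240] = MAGIC_COOKIE
    opts = b"\x35\x01\x02" + bytes([60, 9]) + b"PXEClient"   # option 53 OFFER, option 60
    if use_options:
        opts += bytes([66, len(next_server)]) + next_server.encode() \
              + bytes([67, len(bootfile)]) + bootfile.encode()
    else:
        hdr[20:24] = bytes(int(x) for x in next_server.split("."))
        hdr[108:108 + len(bootfile)] = bootfile.encode()
    return bytes(hdr) + opts + b"\xff"
```

Both constructions yield the same parameters, which is why a check that only looks at options 66/67 can miss offers that use the header fields.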
However, in this scenario they would have to fake the logs on the built-in OS for the required dates, otherwise it would be obvious it wasn't in use at the relevant time.
Good point.
Wasn't there something about missing/deleted logs a bit back? Maybe they were not deleted, but the logs are on a remote profile somewhere and would account for missing log entries? I am pretty ignorant of PXE boot so if the above is stupid feel free to call me out and correct please.
I would guess that if they were network booting the voting machines then the missing logs are part of the evidence the audits picked up.
The story I heard was that the logs are a finite size and someone had logged in well after the election and had caused many records to be written to the log. That caused the records from the election to be "scrolled" off the top and lost.