UPDATE: Someone pointed out that, this being forensic software, it could be very walled off, sandboxed, etc., with no access to the file system, read-only or not. The point being, my argument about not DIFF'ing falls flat if there is no access to the file system. That said, I'm resourceful; I would find a way to dump the file structure somewhere, somehow. That's what they want, right? Resourcefulness.
I don't know how many of you are IT guys, but for those that are... what the actual fuck is going on, on that stage?
I thought CodeMonkeyZ was supposed to be some computer savant or some shit... but he doesn't even know Windows? Really? Well, you sound like a lame Linux poseur then.
If you were not watching the same thing I was... they looked like a group of monkeys trying to fuck a football. That's racist, isn't it? Speciesist? Monkeyist?
They have (at least) two images of the voting server. (Don't know why they call something that isn't supposed to connect to a network a server; if anything it's a dumb client.)
And CodeMonkeyZ the genius computer savant is strolling randomly through the files.
Bro, you're on international stream... DO SOMETHING!
They have a physicist, an IT guy, and CMZ... and not one of them knows what the fuck they are doing up there.
Find the registry files... DIFF THEM!
DIFF the program files, (x86) and program data directories.
DIFF the user directories!
DIFF the FUCKING windows directory!
DIFF FUCKING SOMETHING!
DO AN ACTUAL BIT LEVEL SEARCH FOR STUFF, FFS!
The only hypotheses I can form are:
- CMZ is a bullshitter, caught out on live stream.
- They are flexing and flashing the files to scare people (stupid collaborators) into flipping, and aren't actually TRYING to do ANYTHING.
Oh, I'm also bothered by them being flummoxed over what I think I heard them talking about, an IIS file from 1997? Uh, yeah. Win NT 4.0 SP1 came out in 1997.
I've got a nearly 20-year career in IT. I've been an admin, an engineer, an architect, and so on. I was just shaking my head through all of that. While they eventually stumbled upon something useful, they had no idea what they were actually looking at/for.
They should have immediately done a diff between the images to get a catalog of the things that were changed by the Dominion employee. Then go over those changes to see if anything is interesting. NEXT, start looking through the logs.
There was definitely something to the POST requests to the SOAP endpoint. SOAP is an older API standard that used XML for payloads (it was a huge pain in the ass to work with, BTW). That's been replaced by much less verbose standards like REST and JSON.
But those POST requests were active communication with the system. The logs didn't look like they contained much, if any, of the payload information. But you could dissect those SOAP services to find out what they do and what they're capable of.
FUCK this pissed me off. It looked so incompetent.
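The "DIFF THEM" demand in the original post and the "diff between the images to get a catalog of the things that were changed" step above amount to one procedure; here is an added example of it (my code, not anything from the thread or the stream). It assumes both images have already been mounted or extracted read-only into two directory trees, and it builds a constructed pair of trees to run against; `build_constructed_images` is a hypothetical helper standing in for real image mounts.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_of(path):
    # Stream the file so large image contents are never loaded whole.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file's image-relative path to its SHA-256 digest."""
    root = Path(root)
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out

def diff_images(before_root, after_root):
    """Catalog added, removed and content-modified files between the two image trees."""
    a, b = snapshot(before_root), snapshot(after_root)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def build_constructed_images():
    """Constructed stand-ins for the two images: identical trees, then three changes applied."""
    base = Path(tempfile.mkdtemp())
    before, after = base / "image1", base / "image2"
    baseline = {
        "Windows/System32/config/SOFTWARE": b"hive-v1",
        "ProgramData/App/settings.ini": b"[app]\nmode=normal\n",
        "Users/Admin/Desktop/notes.txt": b"untouched",
    }
    for root in (before, after):
        for rel, data in baseline.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    (after / "ProgramData/App/settings.ini").write_bytes(b"[app]\nmode=changed\n")  # modified
    (after / "ProgramData/App/install.log").write_bytes(b"constructed new file")    # added
    (after / "Users/Admin/Desktop/notes.txt").unlink()                               # removed
    return before, after
```

The catalog is the starting point the reply describes: each entry in `added`, `removed` and `modified` is a file to inspect, and the unchanged hive never appears in it.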
Exactly my thoughts, but someone pointed out that those images might be sandboxed in their app, and it might not have any extension into the file system that would allow a typical DIFF program to work.
Regardless... my next attempt would be to copy the files OUT of the sandbox, to a new folder on the system, to then DIFF and search inside the files.
Yep. A bit concerning that it is left around. It can be powerful to a blackhat or bad actor.
Very odd too because, JUST FOR MY PERSONAL COMPUTER, I turn off/disable every service I never plan on using. Policy lockdown on work PCs.
It IS annoying that THIS could be the desired effect.
The most annoying aspect of Q-dom.