posted by purkiss80 (+43 / -0)

We had technical difficulties getting started and had communication issues due to server attacks on our communication lines and the instability of the public live streams. People were asking why we didn't run tools on the data. It is because we were not remoted into a Windows server that had the image loaded; we had just mounted a forensic image of the files and were able to view the file tree and files only. Due to the setup of the forensic image, we were not able to run tools such as regedit, event viewers, or DLL analyzers. We could not run the executable files inside the forensic image. We did not have a Windows server set up with the image loaded due to obtaining the publicly available data at the last minute. There simply was not enough time to set up a server because the show was already scheduled and we wanted to do it live. We came across unprepared, and it is true in a sense because we had just obtained the data. It was my very first time looking at the data and I did not know what exactly would be found on the systems ahead of the event.

Interestingly, we did uncover a few critical things:

  1. There appeared to be web server logs that potentially indicate that the server was accepting and executing commands remotely.
  2. Election-related data pre-upgrade was not present on the machine post-upgrade. This indicates that election-related data was deleted or otherwise removed during the upgrade process.
  3. The server had a suspicious configuration script designed to remove server security, potentially opening the machine up to a network hack.

These issues warrant additional investigation.
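The second finding above (data present before an upgrade but absent afterwards) is the kind of question that can be answered from a mounted image alone, without running anything inside it, which is the situation the poster describes. The following is an added example, not code from the poster or the stream; it builds two small constructed directory trees standing in for a pre-upgrade and a post-upgrade image, inventories each by path, size and SHA-256, and reports what was removed, added or changed. The keyword list and the sample file names are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def inventory(root):
    """Walk a mounted image read-only and map relative path -> (size, sha256).

    Only file metadata and contents are read; nothing inside the image is executed,
    which matches the "file tree and files only" access described in the post.
    """
    result = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[rel] = (full.stat().st_size, digest.hexdigest())
    return result


def diff_inventories(before, after):
    """Compare two inventories: removed = in before only, added = in after only,
    changed = present in both with a different hash."""
    removed = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in before if p in after and before[p][1] != after[p][1])
    return {"removed": removed, "added": added, "changed": changed}


# Assumed keywords; an examiner would tailor these to the case at hand.
ELECTION_KEYWORDS = ("election", "ballot", "tally", "results")


def filter_by_keyword(paths, keywords=ELECTION_KEYWORDS):
    """Keep only paths whose name suggests election-related content."""
    return [p for p in paths if any(k in p.lower() for k in keywords)]


def build_sample_images():
    """Create two constructed sample trees (pre- and post-upgrade) in temp dirs.

    These are fabricated placeholders for the example, not data from any real image.
    """
    before = Path(tempfile.mkdtemp(prefix="pre_upgrade_"))
    after = Path(tempfile.mkdtemp(prefix="post_upgrade_"))
    # Pre-upgrade tree: application binary, config, and an election data file.
    (before / "App").mkdir()
    (before / "Data").mkdir()
    (before / "App" / "app.exe").write_bytes(b"v1 binary placeholder")
    (before / "App" / "app.config").write_text("logging=on\n")
    (before / "Data" / "election_results_2020.csv").write_text("precinct,votes\n1,100\n")
    # Post-upgrade tree: new binary, modified config, election data file missing.
    (after / "App").mkdir()
    (after / "Data").mkdir()
    (after / "App" / "app.exe").write_bytes(b"v2 binary placeholder")
    (after / "App" / "app.config").write_text("logging=off\n")
    (after / "Data" / "readme.txt").write_text("fresh install\n")
    return before, after


def run_example():
    """Inventory both constructed trees and return the diff report."""
    before, after = build_sample_images()
    report = diff_inventories(inventory(before), inventory(after))
    report["removed_election_related"] = filter_by_keyword(report["removed"])
    return report


if __name__ == "__main__":
    for key, paths in run_example().items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
```

Hashing every file makes the "changed" list reliable even when sizes match, and the report is built from two separate inventories so the same function can be run against a real pre-upgrade image and a real post-upgrade image when both are available.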