Mike just announced it on Frankspeech
When I returned, I was given a flood of questions. Within the short time I was gone, the CEs realized that there were no viable PCAPs and certainly none that lived up to the statement of China hacking the 2020 elections. Considering the 2 rooms were full of some of the most prominent PCAP experts in the US, and election experts like Harri Hursti, a person Kurt Olsen said they did not even want there, I could not baffle them with BS. I explained to these two rooms that we as Red Team members came to the same conclusion, that we had not in fact seen any viable PCAP data as specified by Mike Lindell and that we had even voiced our objections. As the CEs looked through the data I had provided of the supposed PCAPs, the Tina Peters data arrived. The hard drive that was provided included 2 Encase files titled EMSSERVER01 and EMSSERVER, as well as PCAP files from 3 different County Clerk offices: Lake County, Clark County, and Mesa County. Also, there was a folder full of election night reporting data that was acquired from Lake County in approximately Dec 2020. I took this information and handed it to selected members in the breakout room and let them start to look at that instead of the PCAPs, which was a waste of their time, considering that there was approximately $100,000 an hour of cyber talent that was close to walking out of the Symposium. Using this data, the CEs began to look through the info, and one of the experts even had a copy of Encase to be able to run forensic analysis of the data. Tuesday evening, during a conversation in the Red Team room, I talked to Tina Peters while sitting against the back wall of the conference room. I told her how I was glad to have this work as it might be able to help me keep from having my house foreclosed on, and was glad for the work. Tina told me, oh don’t worry about all of that, Mike would pay off my mortgage. I looked at her and said oh no, I couldn’t do that; I work for what I get.
At the end of the day, I quickly left the building after what felt like a day of being thrown under the bus by Waldron. I spent a few hours in the Red Team room, where we discussed how Tina Peters would be out on Tuesday and we would do a walkthrough of the Encase files. I went to bed at approximately 3am again and woke up at 8am. I returned to the symposium to handle the CEs in the breakout rooms with the new information from the Mesa County Forensic Audit. Every time I provided data to the rooms, the obvious naysayer was Harri Hursti, yet I felt I should act professional as I was working in a professional capacity. As we started on Wednesday, I went between the two breakout rooms, fielding the flood of questions, first about the PCAPs, as there were many who were still looking at the data, and then about the information from the Mesa County files. The PCAPs from the 3 County offices somewhat confused a few within the rooms, yet I explained where they came from. The files all have forensic data showing that they were gathered by a laptop named CJH-mac-book: Conan James Hayes. As I listened to the findings from the CEs, Harri Hursti commented that he saw that the two Encase files looked like they came from 2 different machines. The UUID numbers were different, driver files were different, and he claimed that the missing data was put in a separate partition. After Harri told me this, I went to the Green Room that Tina was in and asked her a few questions about what happened when they did the imaging. I asked her if the “trusted upgrade” was a software or hardware upgrade; she specified that it was a software upgrade, and she was present when the upgrade took place. I asked her to clarify if the server was exchanged or just a software upgrade; she reiterated that it was a software upgrade. I returned to pick up my laptop as Ron was done with the walkthrough of the Mesa County images and then went back to the breakout rooms.
The large cyber expert breakout room, with approximately 20 people in it, was using FTK to view the files, while in the smaller room there was a gentleman who had Encase and the needed dongle to run it, and he began looking through the images. This gentleman would later be hired by Russ Ramsland and paid by Mike Lindell to do a forensic analysis of these images; his first name being Doug. After I was done working with the CEs, I was asked to go on stage and start the walkthrough of the Mesa County images with Ron Watkins and Mark Cook. My laptop was used with TeamViewer so that Ron could access the files on the large screens at the Symposium. After about 5 minutes of trying to get everything up and running, it was decided that I would move up to the control room and patch straight into the main sound and video board, as there were communication problems. I went up to the main control room and got my laptop set up and running so Ron could do the walkthrough. With everything running successfully, I went back to check on the CEs in the breakout room. When I walked into the breakout room there was a gentleman there named Kurt Wiebe, a known NSA whistleblower. I walked out of the breakout room after about 15 minutes of fielding questions and saw Kurt Olsen, whom I asked about Wiebe being in the building. He told me he had let him in the building and into the breakout room. I stepped outside to have a vape, talked to Pete Santilli and Brian (CANNCON), and talked on the phone. A moment of a break. While standing outside, Kurt Wiebe shows up and starts talking to me about how he was in the breakout room giving all the people in there the rundown on Dennis Montgomery and all the reasons he plays tricks, mostly to keep from losing his national asset status, and talked about how he had scammed Arpaio and others over the years. A gentleman standing out front, it seems, overhears us talking and joins in our discussion.
The gentleman at the end of our discussion then tells me he is a reporter for the Washington Times, a known conservative newspaper, and tells me he was writing a story, then walks off. While still standing outside, less than 15 minutes later, I go back inside, where Kurt Wiebe meets me and tells me there was a story about my comments that had just hit the Washington Times. He specifically told me that Michael Flynn called Mike Lindell and told him that the story had just hit the media. From that point on I had people left and right asking me questions: what I said, who I talked to, and so on. Kurt Olsen came back to me and told me they had spoken to the reporter and had a list of corrections that they asked of him. Kurt handed me the reporter’s business card and demanded that I call the reporter to follow up on the specified corrections. I finished out at the symposium and went back to the hotel. I walked to a secluded area at the hotel and called the reporter, a gentleman named Joseph Clark, who specified he was former Navy Intelligence. While in the Red Team room, Kurt stated to me that I was restricted to the hotel till I left. That was at around midnight on Wednesday night. Afterwards I stayed up, doing my usual discussions with people that were down in the foyer, and went to my room at 0300. When taking a HOT shower, my shower had steamed so much it set off the fire alarm, where I had to wait 45 minutes after drying off with the fire alarm going off in the hotel the entire time.

Initial findings of the Mesa County EMSERVER images:
• Ron Watkins (CodeMonkeyZ) joins the discussion remotely, although amidst several technical difficulties. They examine an election system drive image from Mesa County, Colorado, an election management system (EMS), which behaves like a mainframe for the voting system. They have two images: an earlier one that contains data and logs dating back to 2019, then another image that was taken after a “system update” whereby data is missing. All event logs and error logs are gone! What the technicians are trying to determine: “Why did they make these changes?” The previous data was “zeroed out and deleted”. The law of 22-month data retention is not happening. This appears to be a common issue. Every step should be completely tracked and made transparent. Hardly anyone can see (currently) what happens between when they vote and when it is stored and counted.
• These systems should not be proprietary! Election systems are not covered by NIST standards. Why not?
• The server image appears to contain a file created in 2016 that has been vulnerable since 2017, with a remote code execution (RCE) vulnerability. Voting systems containing this vulnerability were placed online. In total, he found 53 files that are vulnerable with a score of 7 or above on the CVE chart - remote code executions.
• When 3 security researchers reported the security issues to the vendor (possibly Dominion, or ES&S, or other), instead of the vulnerabilities being fixed, they were sent “Cease and Desist” letters.
• Question is asked: How do we prove that machines were connected to the internet?
  o This can be done by creating a forensic image of a machine (prior to the logs being wiped, as they have been in some other cases).
  o Otherwise, it’s possible to capture the traffic live, as it’s happening, for which they have some data.
• Apparently, the security experts presenting are having issues with their sharing platform being currently hacked, so they’re struggling to present.
• The technical presenters discover a VBS file in the inetpub folder that appears to be from 1997-1999 and contains commands to create processes (execute a program). This might be a concerning discovery.
• They also look at log files that seem to show remote connects and HTTP requests.
• They also discover a “remote file manager”, which is a potential security vulnerability, as it may allow a remote attacker to upload/download/change files on the machine.
• A “RankChoiceStyle” file. Does Mesa County use rank choice voting? If not, why does this file reference RankChoiceStyle? Mesa County confirms that they do not use it but have been considering it for future use.
• The log files show HTTP POST requests logged on election day, with a 200 OK response indicating it succeeded. Filename /EmsApplicationServer/RemoteFileManager.soap. This may be a normal part of the closed-network communication of the EMS server, or possibly contain a vulnerability – unconfirmed.
• Editor’s note: the following Maricopa County EMS network diagram shows how it’s supposed to be connected: https://recorder.maricopa.gov/justthefacts/pdf/Maricopa%20EMS%20Diagram%20V2.pdf An EMS server (which appears to be what is being examined) is connected to ballot tabulation machines and adjudication workstations, plus scanners and printers. These are all over a LOCAL network but are not supposed to be internet connected. We can’t tell if it’s internet-connected at this point.
• Regardless of internet access, it seems that the issue they’re trying to flag is that there were a lot of log files present on one date, and a lot of log files were gone after Dominion performed their “update”. “The logs folder is almost entirely GONE. At least 3 years of log files have been wiped. After the update, there’s only 3!”
• Someone asks: “What about the deleted files, can they be accessed? Have the techs tried a file recovery yet?” No, since today’s the first time they’ve seen the data, it has not been attempted yet.
• It appears as though when Dominion performed this so-called “system update” they may have decided to install a completely new disk image rather than just a “patch” update. This does seem suspicious. If they wanted to cover their tracks this would be an excellent method and convenient excuse for doing so. It appears (although not confirmed) that they performed a full-disk image. If there was any intrusion or malfeasance involved, this is the exact area of the disk that would be manipulated.
• They ask: “Why would they perform a full-disk image during the recent update, but not on earlier updates?” That is particularly curious. The earlier log files are dated back 3 years, so previous updates did not appear to destroy them.
• Ron looked into the adjudication client, and the configuration file and its parameters. It wasn’t clear from the presentation, but it’s possible that some or all of the adjudication client was removed in the “update”.
• Officials need to ask: “Was the machine certified after the update?” If not, it is being run illegally on uncertified machines.
• “There’s so much smoke here. There must be a fire. Something is wrong. And they’re blocking every attempt at figuring out what is wrong.”
• A question was asked about whether the team was running a full virtual machine (VM) or just looking at a disk image. The image is currently just being explored and not “mounted” or running. As such they can’t run any programs (yet). They might, however, be able to explore the Windows registry if they exported the files and opened them in another tool or editor.
• They discover that there were previously 2 disk partitions and now there are 4.
• There were claims that a machine like this appears open to having additional operating systems installed, creating a back-door entry into the system.
• Strangely, Dominion seems to have deleted the old SQL Server databases in the second image, meaning most (or all) of the election data may be missing from the second one.
• They find a script (a Windows batch file) named “dehardening” which appears to reduce the security on the system for some (yet unknown) reason. The script was dated 10-19-2020, a couple of weeks prior to the election. A dehardening script would normally exist alongside a hardening script too (since you normally reduce a system’s security for a brief time only to apply some kind of upgrade). It’s quite unusual to not have a combination of scripts, or to leave a system unhardened.
• It’s clear that there needs to be a detailed cyber forensic audit of these servers.
• It was Dominion employees who visited the county – and they were the ones who coordinated the “updates” of the machines.
• According to the whistleblower, Dominion was visiting every county in late spring / early summer.
• They come across a file Remove restrictions.bat - that sounds bad.
• Someone finds an “adjudication key” file present on the Windows desktop (for which user was not clear, but it seems very insecure).
Editor’s note: Researchers can obtain the 17GB disk images via the following torrent magnet links (you will need a Bittorrent client).
• During the presentation Ron Watkins receives a call from his lawyer and makes a strange announcement that “Conan James Hayes took physical hard drives from Mesa County, without authorization from County Clerk. Return them to the clerk.” Tina Peters, Mesa County Clerk, tells the audience that no physical hard drives were taken, well… not unless they were removed yesterday while she was travelling interstate.
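The findings above rest on a small set of comparisons between the two images: which files (especially logs) vanished between the earlier image and the post-update one, whether the partition count changed, which scripts appeared, and whether the web log's successful POSTs to the remote file manager came from a LAN address or from outside it. The script below, in Python, is an added example written for this page; it is not code from the post, from the symposium presenters, or from any vendor named here. All of its inventories, partition counts, dates and log lines are constructed to mirror those findings and are labelled as such in the code; they are not data from any real image. The RFC 1918 check is the assumption that an EMS on a closed local network should only ever see private peer addresses.

```python
"""Compare file inventories from two forensic images of the same host and
parse a web-server log for successful POSTs to a remote file manager.

Added example, not code from the post. Every path, size, date, address and
log line below is constructed to mirror the kinds of findings described
(log directory emptied after an update, partition count changed, a
"dehardening" batch file, POSTs to /EmsApplicationServer/RemoteFileManager.soap).
"""
import ipaddress
import re
from datetime import date

# Constructed inventory of the earlier image: path -> (size_bytes, mtime)
IMAGE_BEFORE = {
    "C:/EMS/Logs/2019-03-01.log": (10240, date(2019, 3, 1)),
    "C:/EMS/Logs/2020-11-03.log": (20480, date(2020, 11, 3)),
    "C:/EMS/Logs/2021-01-15.log": (4096, date(2021, 1, 15)),
    "C:/EMS/Data/election.mdf": (52428800, date(2020, 11, 4)),
    "C:/Program Files/EMS/ems.exe": (1048576, date(2019, 1, 10)),
}
# Constructed inventory of the image taken after the "update"
IMAGE_AFTER = {
    "C:/EMS/Logs/2021-05-20.log": (2048, date(2021, 5, 20)),
    "C:/Program Files/EMS/ems.exe": (1100000, date(2021, 5, 20)),
    "C:/Scripts/dehardening.bat": (512, date(2020, 10, 19)),
}
# Constructed partition counts read from each image's partition table
PARTITIONS_BEFORE = 2
PARTITIONS_AFTER = 4

# Constructed W3C-style web log excerpt (field order declared in the header)
LOG_LINES = """#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip
2020-11-03 08:12:01 10.0.0.5 GET /EmsApplicationServer/Status.aspx 200 10.0.0.21
2020-11-03 08:15:44 10.0.0.5 POST /EmsApplicationServer/RemoteFileManager.soap 200 10.0.0.21
2020-11-03 09:01:10 10.0.0.5 POST /EmsApplicationServer/RemoteFileManager.soap 500 10.0.0.22
2020-11-03 21:40:07 10.0.0.5 POST /EmsApplicationServer/RemoteFileManager.soap 200 203.0.113.9
""".strip().splitlines()

SUSPICIOUS_SCRIPT = re.compile(r"deharden|remove restrictions", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs")
# Assumption: a closed-network EMS should only see RFC 1918 peers
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def compare_inventories(before, after):
    """Paths removed, added, or changed (size or mtime) between two images."""
    common = set(before) & set(after)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def log_retention_gap(before, after, log_dir="C:/EMS/Logs/"):
    """How much log history vanished: count and date span of removed log files."""
    removed = [p for p in before if p.startswith(log_dir) and p not in after]
    if not removed:
        return {"removed_count": 0, "oldest": None, "newest": None}
    mtimes = [before[p][1] for p in removed]
    return {"removed_count": len(removed), "oldest": min(mtimes), "newest": max(mtimes)}


def flag_added_scripts(added_paths):
    """Scripts introduced by the update whose names suggest weakened hardening."""
    return [p for p in added_paths
            if p.lower().endswith(SCRIPT_EXTENSIONS) and SUSPICIOUS_SCRIPT.search(p)]


def partition_delta(before_count, after_count):
    """Positive when the later image carries more partitions than the earlier one."""
    return after_count - before_count


def is_rfc1918(address):
    """True when the address falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def remote_file_manager_posts(lines, uri_suffix="/RemoteFileManager.soap"):
    """Successful POSTs to the file-manager endpoint, each marked 'external' when
    the client address is not an RFC 1918 address."""
    hits = []
    for line in lines:
        if line.startswith("#"):
            continue                      # directive/header line
        fields = line.split()
        if len(fields) != 7:
            continue                      # malformed line: skip rather than guess
        day, clock, _server, method, uri, status, client = fields
        if method == "POST" and uri.endswith(uri_suffix) and status == "200":
            hits.append({"when": f"{day} {clock}", "client": client,
                         "external": not is_rfc1918(client)})
    return hits


if __name__ == "__main__":
    diff = compare_inventories(IMAGE_BEFORE, IMAGE_AFTER)
    print("removed:", diff["removed"])
    print("log gap:", log_retention_gap(IMAGE_BEFORE, IMAGE_AFTER))
    print("suspicious scripts:", flag_added_scripts(diff["added"]))
    print("partition delta:", partition_delta(PARTITIONS_BEFORE, PARTITIONS_AFTER))
    for hit in remote_file_manager_posts(LOG_LINES):
        print("POST 200:", hit)
```

In practice the inventories would come from walking each mounted image (or from a forensic tool's file-list export) rather than from literals, and the log parser would read the `#Fields:` header to locate columns instead of assuming the seven-column layout used here; the comparison logic stays the same. The point of the retention check is to turn "the logs folder is almost entirely gone" into a reproducible number and date span that can be set against the retention period the post cites.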