by Wendi Strauch Mahoney at Uncover DC
The CyFIR Report on Friday showed the digital findings from Maricopa County’s forensic audit of the 2020 election. Founder Ben Cotton and his team allegedly found instances of cybersecurity breaches and malfeasance on the part of Maricopa County. Cotton remarked at one point in his presentation, “The election was neither accountable or secure.”
CyFIR’s founder, Ben Cotton, is no stranger to the world of digital forensics. “A technical visionary and pioneer in Cyber Security and Computer Forensics for the U.S. Government and the SOCOM,” Cotton’s bio states:
“[Mr. Cotton is a] twenty-one year veteran of the US Army, Special Operations Command (SOCOM). Mr. Cotton served in both unclassified and classified units fighting the Global War on Terrorism, specializing in sensitive site and digital device exploitation, Computer Network Attack (CNA), and Computer Network Defense (CND).”
Cyber Ninjas’ Vol. 3 “Result Details” shows the details of CyFIR’s findings. The malfeasance and possible criminal activity found by CyFIR points to significant cybersecurity issues: file and log deletions, dual-boot hard drives, internet connections, and overwriting of data, along with the evidence to back up those findings. According to Cotton, neither of the two Maricopa County “audits” found evidence of internet connections.
Cybersecurity issues found by CyFIR were:
- The Maricopa County 2020 election was breached.
- No security patches had been applied in the two years since the system was purchased.
- No anti-virus updates had been applied in the two years since installation.
- The same username and password, with Admin privileges, were used throughout the system for the entire County.
- The oldest date on the security log was 2/5/2021, with no inclusion of the election period.
- The County did not provide Windows Security Logs.
- Dual bootable hard drives were found inside the system, each bootable to a different configuration.
- One of the hard drives included outside information from Washington State and South Carolina.
Additionally, CyFIR found “clear intentional overwriting of the security logs by the EMSADMIN Account.” CyFIR stated they have video footage of who was at the keyboard when the files were deleted.
File deletions were numerous on two drives and three of four HiPro Scanners:
- 865 directories and 85,673 election-related files were deleted between 10/28/20 and 11/05/20 from the EMS C:\ Drive.
- 9,571 directories and 1,064,746 election-related files were deleted between 11/01/20 and 03/16/21 on the EMS D:\ Drive.
- HiPro 1 Scanner: 304 directories and 59,387 files containing election data were deleted on 03/03/21.
- HiPro 3 Scanner: 1,016 directories and 196,463 files containing election data were deleted on 03/03/21.
- HiPro 4 Scanner: 981 directories and 191,295 files containing election data were deleted on 03/03/21.
59 EMS listening ports were open on the server and SQL logs indicate that general election results were purged from EMS on February 1st, 2021. Cotton stated they were purged, “right before the two audits performed by the County were due to commence.”
Ben Cotton, CEO of CyFIR: A script was run multiple times to intentionally overwrite the security logs, including the day before the auditors received the system.
**They have screenshots of Maricopa county people at the keyboards at the times they were deleted.**
— Zeno Calhoun (@zenoc_oshits) September 24, 2021
Ben Cotton explained:
“If you look at that last bullet—first-in, first-out (FIFO) approach—all of a sudden it becomes readily apparent as to what happened on these distinct dates.
So on each of these dates, an individual executed a script, and that script repeatedly looked for a blank password for all of the accounts on the system. Depending on the system, there were only about 16 accounts that were present on a given system. So this script was run multiple times.
On 2/11, 462 log entries were overwritten by this script. On the 3rd of March, 37,686 log entries were overwritten by this same script. On the 12th, which is the day before we received the system, there were 330 log entries overwritten by that script.
Now, the challenge here is that I know that this occurred. I know which account did it. It was the EMS Admin account.
If you reflect back to what I just said about the lack of accountability of assigning that username to an individual—it now becomes extremely difficult to prove who did it. Luckily, we happen to have some historical data from MTEC video feeds—and so we leverage that data to backtrack and align these times and we have captured screenshots of Maricopa County people at the keyboards during those time periods.”
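To make the mechanism Cotton describes concrete from the defender's side, here is an added example in Python (not code from the article or from CyFIR): constructed failed-logon records, a per-account burst detector, and a helper that computes how many older records a first-in, first-out log of a given capacity loses when such a burst lands. The 16 accounts, the EMSADMIN name and the 462-entry count come from the article; event ID 4625 is the Windows Security failed-logon event; the sample data, thresholds and log capacity are assumptions.

```python
# Added example (not from the article or CyFIR): flag the pattern described
# above, a script hammering many accounts with failed logons so fast that a
# first-in, first-out security log evicts its older entries.
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_events():
    """Constructed sample, not real Maricopa data: failed-logon records as
    (timestamp, event_id, subject_account, target_account). Event ID 4625 is
    the Windows Security 'an account failed to log on' event."""
    base = datetime(2021, 2, 11, 9, 0, 0)
    events = []
    # background noise: one stray failure every 15 minutes all morning
    for i in range(20):
        events.append((base + timedelta(minutes=15 * i), 4625, "clerk07", "clerk07"))
    # the burst: a script tries a blank password on 16 accounts, round after
    # round; 462 attempts in under four minutes (count from the 2/11 figure)
    targets = [f"user{n:02d}" for n in range(16)]
    start = base + timedelta(hours=2)
    for k in range(462):
        events.append((start + timedelta(milliseconds=500 * k), 4625, "EMSADMIN", targets[k % 16]))
    return sorted(events)


def find_bursts(events, window=timedelta(minutes=5), min_events=100, min_targets=8):
    """Sliding window per subject account: report any window in which one
    account produced >= min_events failures against >= min_targets distinct
    accounts. Returns {subject: (window_start, count, distinct_targets)}
    for each flagged subject's worst window."""
    by_subject = defaultdict(list)
    for ts, eid, subject, target in events:
        if eid == 4625:
            by_subject[subject].append((ts, target))
    hits = {}
    for subject, recs in by_subject.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1  # slide the window start forward
            count = hi - lo + 1
            distinct = {t for _, t in recs[lo:hi + 1]}
            if count >= min_events and len(distinct) >= min_targets:
                best = hits.get(subject)
                if best is None or count > best[1]:
                    hits[subject] = (recs[lo][0], count, len(distinct))
    return hits


def fifo_evictions(entries_before, burst_size, capacity):
    """Records a FIFO log holding at most `capacity` entries drops when a
    burst lands on top of `entries_before` existing records (0 if it fits)."""
    return max(0, entries_before + burst_size - capacity)
```

Forwarding the Security log to a separate collector as events are written defeats this technique outright, because the on-host rollover then no longer destroys the only copy.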
Cotton’s full presentation begins at the 30-minute mark.