So the DNC Server is Clearly Not Important to the Investigation

Posted on 7/17/18 at 6:24 am
Posted by Wolfhound45
Hanging with Chicken in Lurkistan
Member since Nov 2009
120000 posts
Posted on 7/17/18 at 6:24 am
So what did Crowdstrike examine to determine a hack had occurred? How did they arrive at their conclusions? It seems it is essential to know this.
Posted by ChineseBandit58
Pearland, TX
Member since Aug 2005
42628 posts
Posted on 7/17/18 at 6:27 am to
Decatur had a post that indicated they had real time images of complete data sets taken while the hacking was in progress.

CrowdStrike must have been monitoring in real time for quite a while - not just doing forensics on a computer offline.

to wit:

quote:

Decatur
re: Without the DNC server, what do we really know... Posted on 7/16/18 at 8:26 pm to tigerjoey
quote:
I called up Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies to help explain the technical details behind this type of forensic investigation. Rid, who wrote a detailed explanation about why Russia was likely behind the DNC hack for Motherboard in July 2016, told me that “from a forensic point of view, the question of a server at this stage doesn’t make any sense.”

“To really investigate a high profile intrusion like the DNC hack, you have to look beyond the victim network,” Rid said. “You have to look at the infrastructure—the command and control sites that were used to get in that are not going to be on any server ... looking at one server is just one isolated piece of infrastructure.”

Even so, what CrowdStrike gave the FBI is likely better than if it had seized and analyzed a physical box.

“To keep it simple, let’s say there’s only one server. CrowdStrike goes in, makes a complete image including a memory dump of everything that was in the memory of the server at the time, including traffic and connections at the time,” Rid said. “You have that image from the machine live in the network including its memory content, versus a server that someone physically carries into the FBI headquarters. It’s unplugged, so there’s no memory content because it’s powered down. That physical piece of hardware is less valuable for an investigation than the onsite image and data extraction from a machine that is up and running. The idea a physical server would add any value doesn’t make any sense.”

What Rid means is that after a hack, some of the evidence of who did it and how they did it may be fleeting. It could be in the server’s memory, the RAM, and not stored on its hard drive. (Hackers use “fileless” malware precisely for this reason.) To preserve evidence in cases like these, incident responders need to make an image—essentially a copy of the server in that exact same state at that exact same time—so they can look at it afterwards. Think about this like when investigators take pictures of the crime scene or victim.

Lesley Carhart, principal threat hunter at the cybersecurity firm Dragos, told Motherboard that physical servers are rarely seized in forensics investigations.

"For decades, it has been industry-standard forensic and digital evidence handling practice to conduct analysis on forensic images instead of original evidence," she said. "This decreases the risk of corruption or accidental modification of that evidence."

I asked Rid if he thought it was suspicious that the DNC did not hand over the actual server to the FBI, and he said “no, not at all.”

“There’s nothing suspicious about the DNC’s behavior,” he said. “There were political reasons and skepticism on the part of the DNC to let the FBI have full visibility into what they do for various reasons during an ongoing election campaign.”

Rid likened any computer forensics investigation to that of a military planning campaign, sort of like a map. “You can connect the dots and the behavior,” he said. “You can show whoever hacked John Podesta also attacked the DNC, and also attacked Jake Sullivan, who worked for Hillary Clinton, and hundreds of other people on the campaign.”


Trump's Stupid ‘Where Is the DNC Server?’ Conspiracy Theory, Explained
This post was edited on 7/17/18 at 6:35 am
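The quoted Rid and Carhart passages make two points a responder would recognise: volatile evidence (memory contents, live connections) is gone once the box is unplugged, and analysis is done on hash-verified images rather than on the original. The following is an added example, not code from the thread, from Motherboard or from CrowdStrike, that models both with constructed disk and memory contents; the indicator strings, hostnames and paths are placeholders invented for the illustration.

```python
"""Added example: live acquisition (disk + memory) versus a powered-down box,
with hash verification of each image before analysis."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ForensicImage:
    label: str    # e.g. "disk" or "memory"
    data: bytes   # the acquired copy, never the original evidence
    sha256: str   # hash recorded at acquisition time


def acquire(label: str, source: bytes) -> ForensicImage:
    """Copy the source and record its hash as the acquisition reference."""
    copy = bytes(source)
    return ForensicImage(label, copy, hashlib.sha256(copy).hexdigest())


def verify(image: ForensicImage) -> bool:
    """Before any analysis, confirm the image still matches its acquisition hash."""
    return hashlib.sha256(image.data).hexdigest() == image.sha256


def image_host(disk: bytes, memory: Optional[bytes]) -> List[ForensicImage]:
    """Live host: disk and memory are both captured.
    Powered-down host: memory is gone, so only the disk can be imaged."""
    images = [acquire("disk", disk)]
    if memory is not None:
        images.append(acquire("memory", memory))
    return images


def find_indicators(images: List[ForensicImage],
                    indicators: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return, for each indicator found, the list of images that contain it."""
    hits: Dict[str, List[str]] = {}
    for image in images:
        if not verify(image):
            raise ValueError(f"{image.label} image failed hash verification")
        for name, needle in indicators.items():
            if needle in image.data:
                hits.setdefault(name, []).append(image.label)
    return hits


# Constructed sample host state (placeholders, not real artefacts).
DISK = b"... C:\\Users\\staff\\AppData\\dropper.exe ... config.ini ..."
# The second stage and its C2 hostname live only in memory (the "fileless" case).
MEMORY = b"... injected stage2 ... c2.example.invalid:443 ... session keys ..."
INDICATORS = {
    "dropper_on_disk": b"dropper.exe",
    "c2_hostname": b"c2.example.invalid",
    "injected_stage": b"injected stage2",
}


def compare_acquisitions():
    """Same host imaged live versus after power-down."""
    live = find_indicators(image_host(DISK, MEMORY), INDICATORS)
    cold = find_indicators(image_host(DISK, None), INDICATORS)
    return live, cold


if __name__ == "__main__":
    live, cold = compare_acquisitions()
    print("live acquisition :", live)
    print("powered-down box :", cold)
```

Running it shows the C2 hostname and injected stage only in the live acquisition; the powered-down image carries the dropper path and nothing else. A copy whose bytes no longer match the recorded hash is refused before analysis, which is the evidence-handling point Carhart makes.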
Posted by trinidadtiger
Member since Jun 2017
13408 posts
Posted on 7/17/18 at 6:27 am to
I'm certain CrowdStrike planted tags to make it look Russian, no doubt obtained from the CIA.
Posted by tigerfootball10
Member since Sep 2005
9496 posts
Posted on 7/17/18 at 6:31 am to
quote:

no doubt obtained from the CIA

No way, we were just told our intelligence agencies are as honest as Bob Mueller
Posted by Wolfhound45
Hanging with Chicken in Lurkistan
Member since Nov 2009
120000 posts
Posted on 7/17/18 at 6:31 am to
quote:

real time images
quote:

monitoring in real time
So were US intelligence agencies informed? The FBI? Sounds like the Russians were pretty sloppy.
Posted by gthog61
Irving, TX
Member since Nov 2009
71001 posts
Posted on 7/17/18 at 6:35 am to
That is all a lot of gibberish
Posted by ChineseBandit58
Pearland, TX
Member since Aug 2005
42628 posts
Posted on 7/17/18 at 6:37 am to
quote:

So were US intelligence agencies informed? The FBI? Sounds like the Russians were pretty sloppy.


Dunno - but it does make sense that real-time images of RAM contents and connectivity data would be more useful than just hard drive data after the fact.
Posted by KeyserSoze999
Member since Dec 2009
10608 posts
Posted on 7/17/18 at 6:39 am to
See our president knows how to start a conversation, he knows it’s needed for healing.
Posted by ChineseBandit58
Pearland, TX
Member since Aug 2005
42628 posts
Posted on 7/17/18 at 6:39 am to
quote:

That is all a lot of gibberish


I'm no expert on the topic but I can read the English paragraphs and make sense of the intent.

If there is misstatement of fact, I hope someone will clear it up ASAP.
Posted by cajunangelle
Member since Oct 2012
146911 posts
Posted on 7/17/18 at 6:48 am to
quote:

I'm certain CrowdStrike planted tags to make it look Russian, no doubt obtained from the CIA.
Posted by Wolfhound45
Hanging with Chicken in Lurkistan
Member since Nov 2009
120000 posts
Posted on 7/17/18 at 6:51 am to
Fair enough. I do not pretend to be remotely familiar with this process. Just trying to understand.
Posted by BeefDawg
Atlanta
Member since Sep 2012
4747 posts
Posted on 7/17/18 at 7:45 am to
CrowdStrike was busted some time near the end of 2016 or beginning of 2017 making false claims about a Ukrainian company getting its servers hacked.

After being called out for lying, they admitted their fallacy and backtracked their claims.

The owner of CrowdStrike is a member of The Atlantic Council and a vocal detractor of Putin.

Evelyn Farkas (remember her?), several folks on Hillary’s campaign, several people in the DNC, several attorneys at Perkins Coie, and FusionGPS owner Glenn Simpson are all members of The Atlantic Council too.

The DNC and Hillary campaign paid to have the Dossier fabricated.

Stefan Halper and the FBI fed Papadopoulos rumors about Russia-Team Trump collusion, then when PapaD regurgitated those rumors to the Australian Ambo, the FBI used this and the Dossier to secure FISA warrants to get surveillance on Team Trump.

Then FusionGPS tried to entrap Don Jr with the Trump Tower meeting.


It’s all connected. None of them has any credibility. Especially not CrowdStrike.

All of this was deep state corruption setting people up, fabricating and manufacturing evidence, first to attempt a smear campaign, second to create an “insurance policy”, and ultimately to attempt a silent coup.
Posted by Decatur
Member since Mar 2007
28719 posts
Posted on 7/17/18 at 8:23 am to
quote:

So what did Crowdstrike examine to determine a hack had occurred? How did they arrive at their conclusions? It seems it is essential to know this.


quote:

When CrowdStrike came to the DNC, it moved quickly. Using a system called Falcon, a two-megabyte agent installed on systems without the need for a reboot, it profiled every action that occurred at a programme level on the hundreds of machines owned by the DNC. One clue might be a programme behaving abnormally; it might be the unusual transfer of millions of documents. "We're not looking at any personal data, any documents or emails," explains Alperovitch. "We're just looking at what is being executed."

Every action at a system level on the DNC's computers was recorded and checked against CrowdStrike's bank of prior intelligence (the company processes 28 billion computer events a day). "Almost immediately, Falcon started lighting up with a number of indications of breaches of the DNC network," Alperovitch says.

One question had been answered: there was definitely someone rummaging around the DNC servers. But who? CrowdStrike checked its records, seeing whether the methods used for the hack matched any they already had on record. They did. Two groups, working independently, were secreting away information, including private correspondence, email databases and, reportedly, opposition research files on Donald Trump. "We realised that these actors were very well known to us," Alperovitch says. This is because of a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow. "They were called FANCY BEAR and COZY BEAR, and we could attribute them to the Russian government."

Both the groups had a long rap sheet. COZY BEAR - which had been inside the DNC's system since the summer of 2015 - had previously hacked the White House and the US State Department. FANCY BEAR - which had breached the network separately in April 2016 - had hacked victims across the world, including the German Bundestag. The vulnerabilities were quickly closed, but the damage had already been done.


LINK
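The quoted Wired passage describes an endpoint agent recording what executes and checking it against prior intelligence, with tells such as exfiltration to a known IP address, a misspelled URL and unusually large transfers. The following is an added example, not code from the thread, from Wired or from CrowdStrike's Falcon, showing the shape of that review over a constructed telemetry sample; the IP addresses, domains, hosts and threshold are placeholders invented for the illustration, and the time-zone tell mentioned in the passage is not modelled.

```python
"""Added example: reviewing recorded endpoint actions against known
indicators and a bulk-transfer threshold."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: str        # ISO-8601 UTC timestamp
    host: str
    kind: str      # "process", "dns" or "connect"
    detail: str    # process path, looked-up hostname or destination IP
    size: int = 0  # bytes sent, for "connect" events


# Constructed prior intelligence (placeholders, not real indicators).
KNOWN_C2_IPS = {"203.0.113.7"}
LOOKALIKE_DOMAINS = {"misdepatrment.example"}   # typo-squat of misdepartment.example
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024        # bulk-transfer threshold, illustrative

# Constructed telemetry sample: ws-01 is ordinary activity, ws-02 is not.
EVENTS = [
    Event("2016-04-28T13:02:11Z", "ws-01", "process", r"C:\Program Files\Mail\mail.exe"),
    Event("2016-04-28T13:02:12Z", "ws-01", "connect", "198.51.100.20", 2048),
    Event("2016-04-28T13:05:40Z", "ws-02", "process", r"C:\Users\a\AppData\Local\Temp\update.exe"),
    Event("2016-04-28T13:05:41Z", "ws-02", "dns", "misdepatrment.example"),
    Event("2016-04-28T13:05:42Z", "ws-02", "connect", "203.0.113.7", 40 * 1024 * 1024),
    Event("2016-04-28T13:19:03Z", "ws-02", "connect", "203.0.113.7", 30 * 1024 * 1024),
]


def review(events: List[Event]) -> List[Dict[str, str]]:
    """Check each recorded action against indicators and account for outbound volume."""
    alerts: List[Dict[str, str]] = []
    sent_per_host: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.kind == "dns" and e.detail in LOOKALIKE_DOMAINS:
            alerts.append({"host": e.host, "rule": "lookalike_domain", "evidence": e.detail})
        if e.kind == "connect":
            sent_per_host[e.host] += e.size
            if e.detail in KNOWN_C2_IPS:
                alerts.append({"host": e.host, "rule": "known_c2_ip", "evidence": e.detail})
    # Per-host volume check runs after the pass so several connections add up.
    for host, total in sent_per_host.items():
        if total > EXFIL_THRESHOLD_BYTES:
            alerts.append({"host": host, "rule": "bulk_transfer", "evidence": f"{total} bytes"})
    return alerts


def alerted_hosts(alerts: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts that raised at least one alert, in first-seen order."""
    return list(dict.fromkeys(a["host"] for a in alerts))


if __name__ == "__main__":
    for alert in review(EVENTS):
        print(alert)
```

The review flags ws-02 three ways (the lookalike domain, two connections to the known address, and the combined 70 MB of outbound traffic), while ws-01's small transfer to an unremarkable destination raises nothing; the combination of independent tells on one host is what makes the attribution in the passage stronger than any single match.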
Posted by BBONDS25
Member since Mar 2008
48403 posts
Posted on 7/17/18 at 8:25 am to
Why not just hand over the servers now and eliminate this entire line of questioning?
Posted by imjustafatkid
Alabama
Member since Dec 2011
50526 posts
Posted on 7/17/18 at 8:27 am to
quote:

Why not just hand over the servers now and eliminate this entire line of questioning?


They don't want the government to find the truth.

Why isn't the government forcing them to hand over the servers?
Posted by Decatur
Member since Mar 2007
28719 posts
Posted on 7/17/18 at 8:30 am to
quote:

Why not just hand over the servers now and eliminate this entire line of questioning?


It’s just not necessary. You are free to move on from this line of questioning.
Posted by Jbird
In Bidenville with EthanL
Member since Oct 2012
73446 posts
Posted on 7/17/18 at 8:32 am to
quote:

It’s just not necessary. You are free to move on from this line of questioning.

Of course Crowdstrike paid for by the DNC did all the heavy work.
Posted by cahoots
Member since Jan 2009
9134 posts
Posted on 7/17/18 at 8:32 am to
My understanding is that crowdstrike created an image of the server and turned that over to the investigators. Seems like the servers should have been taken, but what do I know
Posted by cahoots
Member since Jan 2009
9134 posts
Posted on 7/17/18 at 8:33 am to
quote:

They don't want the government to find the truth.

Why isn't the government forcing them to hand over the servers?



I mean, the servers aren't going to have anything incriminating left on them now. But I don't understand why they weren't turned over at first
Posted by Seldom Seen
Member since Feb 2016
40254 posts
Posted on 7/17/18 at 8:35 am to
And where are Crooked's 33,000 deleted emails?