Trumps Missing DNC Server Is Neither Missing Nor a Server
Donald Trump turns to right-wing conspiracy theories when hes cornered, and he was cornered on Monday. Standing feet away from Vladimir Putin at a press conference following their Helsinki tete-a-tete, a reporter challenged Trump to condemn Putin for Russias election interference, in front of the world. Instead, the world watched as the president of the United States took Putins side against his own Justice Department and his own intelligence agencies, and launched into a rambling discourse about Hillary Clintons emails and a supposedly missing DNC server that hides the truth about Putins innocence.
You have groups that are wondering why the FBI never took the server. Why didnt they take the server? Where is the server, I want to know, and what is the server saying?
The server is saying shut up.
The server Trump is obsessed with is actually 140 servers, most of them cloud-based, which the DNC was forced to decommission in June 2016 while trying to rid its network of the Russian GRU officers working to help Trump win the election, according to the figures in the DNCs civil lawsuit against Russia and the Trump campaign. Another 180 desktop and laptop computers were also swapped out as the DNC raced to get the organization back on its feet and free of Putins surveillance.
But despite Trumps repeated feverish claims to the contrary, no machines are actually missing.
Its true that the FBI doesnt have the DNCs computer hardware. Agents didnt sweep into DNC headquarters, load up all the equipment and leave Democrats standing stunned beside empty desks and dangling cables. Theres a reason for that, and it has nothing to do with a deep state conspiracy to frame Putin.
Trump and his allies are capitalizing on a basic misapprehension of how computer intrusion investigations work. Investigating a virtual crime isnt a like investigating a murder. The Russians didnt leave DNA evidence on the server racks and fingerprints on the keyboards. All the evidence of their comings and goings was on the computer hard drives, and in memory, and in the ephemeral network transmissions to and from the GRUs command-and-control servers.
When cyber investigators respond to an incident, they capture that evidence in a process called imaging. They make an exact byte-for-byte copy of the hard drives. They do the same for the machines memory, capturing evidence that would otherwise be lost at the next reboot, and they monitor and store the traffic passing through the victims network. This has been standard procedure in computer intrusion investigations for decades. The images, not the computers hardware, provide the evidence.
Both the DNC and the security firm Crowdstrike, hired to respond to the breach, have said repeatedly over the years that they gave the FBI a copy of all the DNC images back in 2016. The DNC reiterated that Monday in a statement to the Daily Beast.
The FBI was given images of servers, forensic copies, as well as a host of other forensic information we collected from our systems, said Adrienne Watson, the DNCs deputy communications director. We were in close contact and worked cooperatively with the FBI and were always responsive to their requests. Any suggestion that they were denied access to what they wanted for their investigation is completely incorrect.
The FBI declined comment for this story, but in testimony before the House Intelligence Committee last year, then-director James Comey said that Crowdstrike ultimately shared with us their forensics.
At that same hearing, Comey complained that the DNC didnt give the FBI direct access to the DNCs servers. Its unclear why Comey wanted the FBI operating on the DNCs live network, but if the DNC demurred it wouldnt be an unusual call, particularly five months before election day.
The FBI is looking to investigate and prosecute crimes, and were looking to return a system to operation as quickly as possible with minimal impact, said Rendition Infosecs Jake Williams, one of several incident response professionals interviewed for this story. I can tell you honestly that had I been part of that incident response, I would not have advocated calling in the FBI. Every minute the FBI spends keeping the actors in play, thats a minute I dont get back in prepping for the election. I would absolutely have shared images with them.
Kenn White, a security expert and former DHS adviser, agreed that the FBI wouldnt have expected direct access to DNCs computers, The FBI had one of the best cyber security firms in the world giving them forensics, and going in depth and reverse engineering to the byte level these implants and turning it over.
In some versions of the servergate conspiracy theory now espoused by Trump, nothing less than physical possession of the hardware will suffice, because Crowdstrike, a respected security firm helmed by a former senior FBI agent, might be part of the deep states efforts to frame Putin. White scoffs at that notion, noting that National Republican Congressional Committee is one of Crowdstrikes customers.
Ive done incident response for defense contractors and healthcare groups, this is all standard practice, said White. Its completely defensible in terms of best practices and what was going on.
Its also consistent with the Department of Justices electronic evidence manual, which recommends capturing images when practical even when the FBI is executing a search warrant against a uncooperative suspect. When the computers belong to a cooperating victim, seizing the machines is pretty much out of the question, said James Harris, a former FBI cybercrime agent who worked on a 2009 breach at Google thats been linked to the Chinese government.
In most cases you dont even ask, you just assume youre going to make forensic copies, said Harris, now vice president of engineering at PFP Cyber. For example when the Google breach happened back in 2009, agents were sent out with express instructions that you image what they allow you to image, because theyre the victim, you dont have a search warrant, and you dont want to disrupt their business.
Theres a final bit of evidence that the FBI got what it wanted from the DNC, and it was filed in the U.S. District Court in Washington, D.C. last Friday: 29-pages of inside details showing exactly how and when the GRUs hackers moved through the DNCs network on their mission to help Trump.
If the president really wants to know what the DNC server is saying, its all in the indictment against Putins hackers. He just has to listen.
Previous Post: 30 Crazy Facts About the Death of JonBenet Ramsey
Next Post: When It Comes to Tipping, Millennials Are Cheapest