TrumpPutingate III: the beginning of the end

I loved XP. What "forensic" data was destroyed? Access logs intact, data intact, so what is this "native forensic information" you think was destroyed?

Read the very first link I put up about file slack, RAM slack, and drive slack. Transferring an NTFS image to a FAT32 backup should destroy all of the EOF slack garbage data for starters, but I’m sure it mangles long file names also. The dreaded ~ truncated file names, for example. Normally who cares. But if it’s for forensics that’s critical.

The tweet implied they changed file systems on the image. I have no idea if they did or not. But if they really did go from NTFS to FAT32, drive image integrity really wasn’t high on their list.


Either way it’s late and I’m done.
 

The crime was stolen emails either remotely or locally. The garbage data that you want to focus on is old deleted emails, random bits of 1's and 0's. The forensic value from the slack data, for the crime of stealing emails, is non-existent IMO. Investigators are to answer these questions: what was stolen, when was it stolen, how was it stolen and who stole it. The slack data is useless when trying to answer these questions. Now if they were investigating a crime in which deleted emails were the focus, the slack data has value. Not in this case though. Seems like you would like for them to open an investigation into their deleted emails without any probable cause because you are curious.
 
What would that tell you different? Just curious why do you and others think it's not good enough.

Forgot to point this out, and to keep it simple, the original server (hard drives) is needed because it’s used in a “read-only” device and secured to “compare” to later images. This is considered best practices with federal forensic investigations. Why are they substituting for the 2nd best option in an investigation of this magnitude? There are several other anomalies that are not standard practices. That’s why when you talk with rank and file FBI they can’t believe it.
 

First off it’s probably been over a decade since I even thought about FAT32 so I had to go relearn a bunch and still probably don’t have the lower details straight.

Second, what is being alluded (got it!) to here is either a) a less than stellar job of data management or b) a deliberate attempt to obfuscate the drives. Neither looks attractive for the FBI and probably goes to root cause of why the servers are being swept under the rug.

I remembered that USB sticks tend to be FAT32 while USB spinning drives tend to be NTFS so I checked a couple this morning and yeah verily that is the case.

Data backup /= drive imaging. Totally different tasks with different expectations. Throwing data from a NTFS server to a FAT32 stick is fine to copy the data. It’s negligent to serve as an actual server image especially for forensic reasons and absolutely is in no way near equivalent to a “byte for byte” server image. That is the implied accusation being made in those tweets.
 

Cloning would have been best but to say providing a FAT32 image and not a NTFS image is a "sec18 Felony" is, well, not accurate. Having access to the physical drives would be best but I think what was provided was sufficient for the investigation at hand.
 

You’re inferring a lot and don’t have the information to back up that statement. You’re implying intent and you don’t know intent here. I can easily make a strong statement that if the intent is server forensic analysis then that requires a byte for byte copy. Thus if the content of those tweets is true (and I’ve stated repeatedly I don’t know if they are or not) then that is Mickey Mouse and very damning for any useful data forensics the FBI would have performed on the server.


Did some more digging too. Some people claim the data copy came around the May timeframe and a Crowdstrike person is on record that they “completely rebuilt the servers” after the May timeframe. If that’s the case then a) somebody does need to go to jail for tampering and b) the servers have been rendered completely useless.
 

Interesting.

Would you agree the original server (hard drives) is needed because it’s used in a “read-only” device and secured to “compare” to later images? This is considered best practices with federal forensic investigations; especially considering the magnitude of the allegations?
 

They created images in May and then they "rebuilt the servers" from the images in probably a virtual server after that and you think someone should go to jail for that? Really?
 

Not my area of expertise so I’m just speculating and want to make that clear.

Now after that I would submit what should have happened is A) FBI cyber takes control of the hardware B) FBI cyber makes their own first hand image of the servers and validates that image. Not a copy, a byte for byte EXACT image clone C) the servers are retained intact in that imaged condition and not returned to the owner until the investigation is complete.

I would guess C is negotiable to a degree but A and B have to happen for any credible forensics. There has been zero information to date to suggest A and B did occur.
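As an added illustration, not from any poster in this thread, of two points argued above (a file-level copy onto another file system keeps only the bytes up to EOF, so file slack is gone, whereas a byte-for-byte image keeps it and can be validated against the hash taken at acquisition): a constructed in-memory volume where a shorter file is written over clusters that still hold remnants of a deleted message. The cluster size, file contents and remnant text are all constructed for the example.

```python
import hashlib

CLUSTER = 512  # allocation unit of the constructed "disk", in bytes
# Constructed remnant of an earlier, since-deleted file: what is left in the
# unused tail of a cluster after a newer, shorter file is written over it.
OLD_DATA = b"From: mailbox@example.test\r\nSubject: deleted draft\r\n\r\n"

def make_disk(clusters: int) -> bytearray:
    """Build a volume whose every cluster is pre-filled with OLD_DATA remnants."""
    reps = clusters * CLUSTER // len(OLD_DATA) + 1
    return bytearray(OLD_DATA * reps)[:clusters * CLUSTER]

def write_file(disk: bytearray, first_cluster: int, content: bytes) -> tuple:
    """Write content at a cluster boundary; return (offset, size). Bytes after
    EOF in the last cluster are left untouched: that is the file slack."""
    start = first_cluster * CLUSTER
    disk[start:start + len(content)] = content
    return start, len(content)

def file_slack(disk: bytearray, start: int, size: int) -> bytes:
    """Bytes between EOF and the end of the file's last cluster."""
    end = start + size
    cluster_end = -(-end // CLUSTER) * CLUSTER  # round up to the next boundary
    return bytes(disk[end:cluster_end])

def logical_copy(disk: bytearray, start: int, size: int) -> bytes:
    """File-level copy (copying files onto another file system): EOF and nothing beyond."""
    return bytes(disk[start:start + size])

def raw_image(disk: bytearray) -> bytes:
    """Byte-for-byte image: every byte of the volume, slack included."""
    return bytes(disk)

def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Validate an image against the hash recorded when it was acquired."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash

def demo() -> dict:
    disk = make_disk(4)
    start, size = write_file(disk, 1, b"X" * 700)  # 700-byte file spans two clusters
    slack = file_slack(disk, start, size)           # 324 leftover bytes of OLD_DATA
    image = raw_image(disk)
    acquisition_hash = hashlib.sha256(image).hexdigest()  # recorded at imaging time
    return {"slack_len": len(slack),
            "slack_in_copy": slack in logical_copy(disk, start, size),
            "slack_in_image": slack in image,
            "deleted_text_in_slack": b"deleted draft" in slack,
            "image_verified": verify_image(image, acquisition_hash)}
```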
 

Why didn't they just turn original hard drives over?
Could the DNC use images and keep on working unimpeded?
 

Gotcha. That's why rank and file agents are stunned at the anomalies in this investigation. What took place is not standard procedure.
 
You two are completely off base with your accusations that the DNC hacked itself, gave it to WikiLeaks, then tried to cover it up. Carry on.
 
Yes.

To my knowledge Assange has never been proven wrong, he said it wasn't the Russians that leaked, so take it for what it's worth as there's mixed opinions on his integrity.

I wasn’t aware of that detail.

For self-preservation professional reasons I have purposely stayed away from Assange and any WikiLeaks data. It has classified information that I don’t have the need to know. There are questions on an SF86 that relate to that kind of stuff and I’m not going to willingly put myself in a situation where I might lie. I just know what has been generally referenced in the media.
 

That's one conspiracy, but I never said that.
You're missing the point, they did not turn over the hard drives. That's the #1 standard. Question is, why weren't best practices applied in this major investigation?
 

You don't have a point. It's either trying to discredit the FBI or some deep state conspiracy. Who do you want to lock up and for what crime?
 

It’s probably moot at this point and will never be resolved. If the server data was indeed copied in this Mickey Mouse fashion and then the servers wiped and rebuilt the hardware has absolutely zero forensic value now and the original intact server image is forever gone unless somebody did a real server image and has it squirreled away.

And that would explain the less than zealous response from the FBI about trying to get it. At this point they’d really just want this to all just go away and be forgotten. I’d seriously doubt this was the result of the FBI cyber people though. They are world class.
 

Nice diversion to my unbiased rational question, about the highest standard operating procedures not being followed.
 