Thursday, March 09, 2017

FBI: what to look for in the Trump/AlfaBank connection

As CNN reports, the FBI seems to be looking into that connection between Trump and Alfa Bank. Here are some things to look for.

First, get your own copy of the logs from root name servers. I don't trust the source of the original logs. I suspect they've been edited in order to show a relationship with Alfa Bank. You've got lots of sources both inside government and in private industry that can provide a copy of these logs without a warrant. (Which sucks, you should need a warrant, but that's the current state of affairs).

Second, look at the server in question. It's probably located at 140 Akron Road, Ephrata, PA. What you are looking for are the logs of anything sent from the server during that time, specifically any e-mails.

Third, talk to Cendyn, and ask them what that server was used for during that time. Their current statement is that it was used by the Metron meeting software. In other words, they say that after they stopped using it to send marketing emails, they started using it for their meeting product. They seem a little confused, so it'd be nice to pin them down. Specifically, get logfiles indicating precisely what happened, and figure out how Metron works, what sorts of messages it will generate.

Fourth, talk to Cendyn, and ask them about customers of their Metron meeting software, namely who used it to arrange meetings with Alfa Bank or the Trump organization. My guess is that this is where you'll really get the juicy information, getting a list of what meetings happened when and who was invited.

Fifth, talk to Cendyn and get logfiles form their DNS servers to figure out who was resolving that domain name (mail1.trump-email.com) during that time period.

Sixth, ask Alfa Bank for logfiles from their DNS resolvers that would tell you which machines internally were generating those requests.

My guess is that all of this will come up empty. There's a coincidence here, but a small one. Much of the technical details have been overhyped and mean little.

1 comment:

Unknown said...

But CNN reports (in the linked article) that:

"Cendyn claims the Trump Hotel Collection ditched Cendyn and went with another email marketing company, the German firm Serenata, in March 2016. Cendyn said it "transferred back to" Trump's company the mail1.trump-email.com domain.

Serenata this week told CNN it was indeed hired by Trump Hotels, but it "never has operated or made use of" the domain in question: mail1.trump-email.com."

My brain hurts from looking into this matter.