Wednesday, October 13, 2021

Fact check: that "forensics" of the Mesa image is crazy

Tina Peters, the elections clerk from Mesa County (Colorado) went rogue, creating a "disk-image" of the election server, and posting that image to the public Internet. Conspiracy theorists have been analyzing the disk-image trying to find anomalies supporting their conspiracy-theories. A recent example is this "forensics" report. In this blogpost, I debunk that report.

I suppose calling somebody a "conspiracy theorist" is insulting, but there are three objective ways we can identify them as such.

The first is when they use the logic "everything we can't explain is proof of the conspiracy". In other words, since there's no other rational explanation, the only remaining explanation is the conspiracy-theory. But there can be other possible explanations -- just ones unknown to the person because they aren't smart enough to understand them. We see that here: the person writing this report doesn't understand some basic concepts, like "airgapped" networks.

This leads to the second way to recognize a conspiracy-theory, when it demands this one thing that'll clear things up. Here, it's demanding that a manual audit/recount of Mesa County be performed. But it won't satisfy them. The Maricopa audit in neighboring Colorado, whose recount found no fraud, didn't clear anything up -- it just found more anomalies demanding more explanation. It's like Obama's birth certificate. The reason he ignored demands to show it was that first, there was no serious question (even if born in Kenya, he'd still be a natural born citizen -- just like how Cruz was born in Canada and McCain in Panama), and second, showing the birth certificate wouldn't change anything at all, as they'd just claim it was fake. There is no possibility of showing a birth certificate that can be proven isn't fake.

The third way to objectively identify a conspiracy theory is when they repeat objectively crazy things. In this case, they keep demanding that the 2020 election be "decertified". That's not a thing. There is no regulation or law where that can happen. The most you can hope for is to use this information to prosecute the fraudster, prosecute the elections clerk who didn't follow procedure, or convince legislators to change the rules for the next election. But there's just no way to change the results of the last election even if widespread fraud is now proven.

The document makes 6 individual claims. Let's debunk them one-by-one.

#1 Data Integrity Violation

The report tracks some logs on how some votes were counted. It concludes:

If the reasons behind these findings cannot be adequately explained, then the county's election results are indeterminate and must be decertified.

This neatly demonstrates two conditions I cited above. The analyst can't explain the anomaly not because something bad happened, but because they don't understand how Dominion's voting software works. This demand for an explanation is a common attribute of conspiracy theories -- the ignorant keep finding things they don't understand and demand somebody else explain them.

Secondly, there's the claim that the election results must be "decertified". It's something that Trump and his supporters believe is a thing, that somehow the courts will overturn the past election and reinstate Trump. This isn't a rational claim. It's not how the courts, the law, or the Constitution work.

#2 Intentional purging of Log Files

This is the issue that convinced Tina Peters to go rogue, that the normal Dominion software update gets rid of all the old system-log files. She leaked two disk-images, before and after the update, to show the disappearance of system-logs. She believes this violates the law demanding the "election records" be preserved. She claims because of this, the election can't be audited.

Again, we are in crazy territory where they claim things that aren't true. System-logs aren't considered election records by any law or regulation. Moreover, they can't be used to "audit" an election.

Currently, no state/county anywhere treats system-logs as election records (since they can't be used for "audits"). Maybe this should be different. Maybe you can create a lawsuit where a judge rules that in future elections they must be treated as election records. Maybe you can convince legislatures to pass laws saying system-logs must be preserved. It's not crazy to say this should be different in the future, it's just crazy to say that past system-logs were covered under the rules.

And if you did change the rules, the way to preserve them wouldn't be to let them sit on the C: boot-drive until they eventually rot and disappear (which will eventually happen no matter what). Instead, the process to preserve them would be to copy them elsewhere. The way Dominion works is that all election records that need to be preserved are copied over to the D: data drive.

Which means, by the way, that this entire forensics report is bogus. The Mesa disk image was only of the C: boot-drive, not of the D: data drive. Thus, it's unable to say which records/logs were preserved or not. Everyone knows that system-logs probably weren't, because they aren't auditable election records, so you can still make the claim "system-logs weren't preserved". It's just that you couldn't make that claim based on forensics of the C: boot-drive. Again, we are in crazy-statements territory that identifies something as a conspiracy-theory: weird claims about how reality works.

System-logs cannot be used to audit the vote. That's confusing the word "audit" with "forensics". The word "audit" implies you are looking for a definitive result, like whether the vote count was correct, or whether all procedures were followed. Forensics of system-logs can't tell you that. Instead, they can only lead to indeterminate results.

That's what you see here. This "forensics" report cannot make any definitive statement based upon the logs. It can find plenty of anomalies, meaning things the forensics investigator can't understand. But none of that is positive proof of anything. If a hacker had flipped votes on this system, it's unlikely we would have seen evidence in the log.

#3 Evidence of network connection

The report claims the computer was connected to a network. Of course this is true -- it's not a problem. The network was the one shown in the diagram below:

Specifically, this Mesa image was of the machine labeled "EMS Server" in the above diagram. From my forensics of the network logs, I can see that there are other computers on this network:

  1. Four ICC workstations (named ICC01 through ICC04)
  2. Two Adjudication Workstations (named ADJCLIENT01 and ADJCLINET03, I don't know what happened to number 2).
  3. Two EMS Workstations (named EMSCLIENT01 and EMSCLIENT02).
  4. A printer, model Dell E310dw.

The word "airgapped" doesn't mean the EMS Server is airgapped from any network, but that this entire little network is airgapped from anything else. The security of this network is physical security, the fact that nobody can enter the room who isn't authorized.

I did my own forensics on the Mesa image and could find none of the normal signs that the server accessed the Internet, and pretty good evidence that most of the time, it was unconnected (it gets mad when it can't find the Internet and produces logs stating this). This doesn't mean I proved conclusively no Internet connection was ever made. It's possible that somebody will find some new thing in that image that shows an Internet connection. It's just that currently, there's no reason to believe the "airgap" guarantee of security was violated.
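The kind of check described above, enumerating which hosts a machine talked to and whether any of them lie outside the airgapped LAN, as an added example (not code from the blog post, and not the author's own tooling). The log format, the 192.168.100.0/24 subnet and every address in it are constructed for this illustration; the page gives none of them. Only the host names echo the ones the post lists.

```python
"""Added example: enumerate the hosts seen in connection-log lines from a
disk image and flag any destination that is not on the known airgapped LAN.

The log format and all addresses below are constructed for illustration;
a real Windows event log or firewall log would need its own parser.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed LAN definition. An airgap check asks "did this box talk to
# anything outside the lab network?", so membership in the known subnet is
# the right test (RFC 1918 vs public is not enough: a foreign private
# address would still be a problem).
LAN_SUBNETS = [ipaddress.ip_network("192.168.100.0/24")]  # constructed

# Constructed sample log: one connection per line. Host names follow the
# naming seen on the Mesa network (including the misspelt ADJCLINET03); the
# addresses and ports are invented.
SAMPLE_LOG = """\
2020-11-03 07:01:12 src=EMSSERVER dst=ICC01 ip=192.168.100.11 port=445 proto=tcp
2020-11-03 07:01:13 src=EMSSERVER dst=ICC02 ip=192.168.100.12 port=445 proto=tcp
2020-11-03 07:02:40 src=EMSSERVER dst=ADJCLIENT01 ip=192.168.100.31 port=1433 proto=tcp
2020-11-03 07:02:41 src=EMSSERVER dst=ADJCLINET03 ip=192.168.100.33 port=1433 proto=tcp
2020-11-03 07:05:09 src=EMSSERVER dst=EMSCLIENT01 ip=192.168.100.21 port=1433 proto=tcp
2020-11-03 07:05:10 src=EMSSERVER dst=EMSCLIENT02 ip=192.168.100.22 port=1433 proto=tcp
2020-11-03 07:09:55 src=EMSSERVER dst=DELLE310DW ip=192.168.100.50 port=9100 proto=tcp
2020-11-03 07:10:00 src=EMSSERVER dst=ICC01 ip=192.168.100.11 port=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"ip=(?P<ip>\S+) port=(?P<port>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into dicts; skip lines that don't match.

    Fragments carved from a disk image are often truncated or partly
    overwritten, so a forensic parser must tolerate junk lines.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def is_on_lan(ip_text, subnets=LAN_SUBNETS):
    """True if the address falls inside one of the known LAN subnets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as off-LAN, worth a look
    return any(ip in net for net in subnets)


def summarize_hosts(records):
    """Map each destination host name to the set of (ip, port) pairs seen."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["dst"]].add((r["ip"], r["port"]))
    return dict(hosts)


def external_destinations(records):
    """Sorted (dst, ip) pairs not on the LAN. Empty is consistent with an
    airgap; non-empty is a lead to investigate, not proof by itself."""
    found = {(r["dst"], r["ip"]) for r in records if not is_on_lan(r["ip"])}
    return sorted(found)


def airgap_report(text):
    records = parse_log(text)
    hosts = summarize_hosts(records)
    external = external_destinations(records)
    return {
        "host_count": len(hosts),
        "hosts": sorted(hosts),
        "external": external,
        "airgap_consistent": not external,
    }


if __name__ == "__main__":
    rep = airgap_report(SAMPLE_LOG)
    print(f"{rep['host_count']} distinct hosts: {', '.join(rep['hosts'])}")
    print("off-LAN destinations:", rep["external"] or "none")
    # Constructed extra line using a documentation-range address, to show
    # what a finding looks like.
    with_public = SAMPLE_LOG + (
        "2020-11-03 07:11:00 src=EMSSERVER dst=UPDATEHOST "
        "ip=203.0.113.10 port=443 proto=tcp\n"
    )
    print("with an off-LAN line added:", airgap_report(with_public)["external"])
```

The output of such a script is exactly the "indeterminate" kind of result the post describes: a clean report says the parsed logs contain no off-LAN connection, which is consistent with an airgap but does not prove one, and a hit is a lead that still needs explaining.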

The claimed evidence about the "Microsoft Report Server" is wrong.

#4 Lack of Software Updates

This is just stupid. The cybersecurity community does have this weird fetish demanding that every software update be applied immediately, but there are good reasons why they aren't, and ways of mitigating the security risk when they can't be applied.

Software updates sometimes break things. In sensitive environments where computers must be absolutely predictable, they aren't applied. This includes live financial systems, medical equipment, and industrial control systems.

This also includes elections. It's simply not acceptable to cancel or delay an election because a software update broke the computer.

This is why Dominion does what they call a "Trusted Build" process that wipes out the boot-drive (deleting system-logs). To update software, they build an entire new boot image with all the software in a tested, known state. They then apply that boot disk image to all the county machines, which replaces everything on the C: boot-drive with a new version of Windows and all the software. This leaves the D: data drive untouched, where the records are preserved.

If you didn't do things this way, then sometimes elections will fail.

This is also why having an "airgapped" network is important. The voting machines aren't going to have software updates regularly applied, so they need to be protected. Firewalls would also be another mitigation strategy.

#5 Existence of SQL Server Management Studio

This is just a normal part of having an SQL server installed.

Yes, in theory it would make it easy for somebody to change records in the database. But at the same time, such a thing is pretty easy even without SSMS installed. One way is command-line scripts.

#6 Referential Integrity

This "referential integrity" is a reliability concern, not an anti-hacking measure. It just means hackers would need only an extra step if they wanted to delete or change records.
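What a foreign-key constraint actually enforces, as an added example (not code from the blog post, and not Dominion's schema; the two-table layout and the rows are invented for illustration). It uses SQLite's built-in enforcement to show the three points that matter here: an orphan row is refused when enforcement is on, a consistency audit finds orphans written while it was off, and an edit that keeps every key consistent passes the referential check untouched, which is why the check is a reliability feature rather than a tamper detector.

```python
"""Added example: foreign keys as a reliability control, not an integrity
control. Toy schema and rows are constructed; nothing here is Dominion's.
"""
import sqlite3

SCHEMA = """
CREATE TABLE batch (
    batch_id INTEGER PRIMARY KEY,
    label    TEXT NOT NULL
);
CREATE TABLE ballot (
    ballot_id INTEGER PRIMARY KEY,
    batch_id  INTEGER NOT NULL REFERENCES batch(batch_id),
    choice    TEXT NOT NULL
);
"""


def new_db(enforce_fk=True):
    """Fresh in-memory database with the toy schema and constructed rows."""
    con = sqlite3.connect(":memory:")
    # SQLite only enforces REFERENCES clauses when this pragma is on.
    con.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO batch VALUES (1, 'precinct-A-batch-1')")
    con.executemany(
        "INSERT INTO ballot VALUES (?, ?, ?)",
        [(1, 1, "alice"), (2, 1, "bob"), (3, 1, "alice")],
    )
    con.commit()
    return con


def orphan_insert_rejected(con):
    """Reliability property: a ballot pointing at a batch that does not
    exist is refused when enforcement is on. Returns True if refused."""
    try:
        con.execute("INSERT INTO ballot VALUES (99, 42, 'alice')")
        con.commit()
        return False
    except sqlite3.IntegrityError:
        return True


def orphan_rows(con):
    """Consistency audit: (table, rowid) of every row whose foreign key
    points at a missing parent. foreign_key_check works even when
    enforcement is off, so it can audit data written without it."""
    return [row[0:2] for row in con.execute("PRAGMA foreign_key_check")]


def tally(con):
    """Per-choice count of ballots, the value an audit actually cares about."""
    return dict(con.execute("SELECT choice, COUNT(*) FROM ballot GROUP BY choice"))


def consistent_edit_passes_fk(con):
    """Change one ballot's choice without touching any key. Returns
    (fk_check_clean, tally_changed): the referential check stays clean
    while the tally moves, which is the post's point that referential
    integrity says nothing about whether record contents were altered."""
    before = tally(con)
    con.execute("UPDATE ballot SET choice = 'bob' WHERE ballot_id = 3")
    con.commit()
    return orphan_rows(con) == [], tally(con) != before


if __name__ == "__main__":
    strict = new_db(enforce_fk=True)
    print("orphan rejected with FK on :", orphan_insert_rejected(strict))
    loose = new_db(enforce_fk=False)
    print("orphan rejected with FK off:", orphan_insert_rejected(loose))
    print("orphans found by audit     :", orphan_rows(loose))
    print("consistent edit (fk clean, tally changed):", consistent_edit_passes_fk(strict))
```

The useful defender takeaway is the last function: a clean `foreign_key_check` only tells you the rows reference each other properly. Detecting altered contents needs a separate record-level check such as comparing a tally against an independently preserved one.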


Evidence is something that the expert understands. It's something they can show, explain, and defend against challengers.

This report contained none of that. It contained instead anomalies the writer couldn't explain.

Note that this doesn't mean they weren't an expert. Obviously, they needed enough expertise to get as far as they did. It's just a consequence of conspiracy-theories: searching for proof of your conspiracy-theory when there is none means going off into the weeds past your area of expertise.

Give that forensics image to any expert, and they'll find anomalies they can't explain. That includes me: I've posted some of them to Twitter and had other experts explain them to me. The difference is that I attributed the lack of an explanation to my own ignorance, not a conspiracy.

At some point, we have to call out conspiracy-theories for what they are. This isn't defending the integrity of elections. If it were, it'd be proposing solutions for future elections. Instead, it's an attack on the integrity of elections, fighting the peaceful transfer of power by unfounded conspiracy-theory claims.

And we can say this objectively. As I stated above, there are three objective tests. These are:
  • Anomalies that can't be explained are claimed to be evidence -- when in fact they come from simple ignorance.
  • Demands that something needs explaining, when it really doesn't, and which won't satisfy them anyway.
  • Statements of a world view (like that the election can be "decertified" or that system-logs are "election records") that nobody agrees with.
