DNC Hack and So Called The Missing Server

I’ve been doing incident response for quite some time now and there’s a lot a things that are not being put out there. So let’s talk about the “missing server” using, I don’t know, how about facts? I’ve never worked an intrusion where we’ve had all the evidence we wanted. There’s always logs missing, aged off, or deleted by the attacker. In every case, we are forced to look at the data we have and then make judgments even with the missing data. We don’t call the missing data a conspiracy, we just call it business as usual.

There are many many cases that have missing equipment and in every case there’s evidence that the missing devices actually existed. I’ve seen cases with missing laptops and even where whole servers went missing, there was evidence the servers were there.

It’s not crazy to ask “is there missing data here?” That’s what security experts who do incident response ask in an intrusion. Even when we confirm we’re missing data, we never hypothesize about what that missing evidence might tell us and then treat that as fact. That’s just absurd to assume. It would be perfectly logical in an intrusion to ask “did we collect data from all servers or is one missing?” It would not be okay upon finding out we were missing data to say “That missing server contains exculpatory evidence.” That’s not how ANY investigation ever works.

Here area a few facts about the investigation:

  1.  Crowdstrike imaged at least one compromised server and provided forensic data to the FBI.
  2. The FBI was not involved in the initial investigation.
  3. There’s no evidence any servers that were involved haven’t been imaged.

 

The FBI is very good at what they do, but they are investigating crime to prosecute offenders and build cases. The DNC was under a time constraint because they had an election to try and win. That’s most likely the reason they did not initially call the FBI. Ultimately the server images were provided to them but it’s also worth noting that even that wasn’t a legal requirement Imagine the number of people who would have to be involved in a conspiracy to plant evidence against the Russians AND make a server with exculpatory evidence disappear. And none of them have talked? Yeah, that doesn’t make sense.