Currently at the Cyber Symposium, they are comparing two forensic images of voting machines from Mesa County before and after a Dominion update.
Prior to the update, there were three years worth of election data stored in SQL databases, along with years worth of log files for all of the system processes.
After the update, all of the SQL databases were deleted, all of the log files were deleted. Not only were they deleted, but it appears they did a full system image instead of a simple update, as well as repartitioning the drives. This means any deleted data on the updated system is most likely unrecoverable with data recovery tools.
So already we have evidence of felony election law violations.
One of the logs in the before machine showed IPV6 connections to a supposedly air-gapped machine.
There appears to be 1990s era web hosting software on the new image.
They found a Dominion created batch file named “dehardening” on the computers that executes a series of commands when it is run.
The file:
- Overrides config on temp database
- Sets new trusted provider for the user
- Disables protections on the Dominion databases
- Disables encryption on all databases
- Restarts the database server software
- Writes registry entries for a program called SuperSocket. SuperSocket is a piece of server software that allows remote connections to machines, typically database servers.
The Mesa County Clerk is in attendance and wants an explanation from Dominion.
This is just what they found in a few hours of live review. As a software professional, my impression of the guys who were reviewing the data is that they were not well versed in this kind of analysis. If they had someone who was extremely competent in this kind of analysis, they would probably find even more. I’m interested to see what else they find on those systems.
update:
When I wrote this article, I could not read what was on the screen they were looking at. I wrote it based on what I could hear them saying. An engineer made a few counter arguments on Patriots.win:
- All data on the machines were wiped because they use Acronis to re-image the drives when applying an update to the system. This obviously erases all logs and databases on the system. This is standard IT procedure. if you are required to preserve the machine state prior to the re-imaging by law, then you should make a backup. You don’t send these machines back out into the field while keeping years and years of old records on them. That’s ridiculous. You start them over with a fresh image as standard.
- The IPv6 connections they showed all showed IPv6 addresses starting with fe80::. Those are link-local addresses, and do not show remote connections at all.
- The file from the 1990s only shows that that particular file has not changed since it was created in the 1990s. It does not show that the whole webserver was created in the 1990s. This is unsurprising, some files in a software system are so simple that they do not need updates for many years. The webserver itself is obviously very modern, as evidenced by its support for IPv6.
- The dehardening script sets a registry key under supersocketnetlib to disable forced encryption. This is a Microsoft SQL Server registry setting that only controls SSL connections to the SQL server. It has nothing to do with other types of access to the machine. Moreover, if the SQL server only accepts local connections, as it should on an election machine, then this is totally expected. There is no reason to enable SSL on a SQL server that doesn’t even accept remote connections. That’s just unnecessary overhead.
I believe he is correct because it sounds like he could clearly read the screen, otherwise he never would have known the IPs started with fe80.
That said, unless they took a forensic snapshot of the computer and saved it prior to reimaging it, that’s still felony destruction of election materials.
Watch here.
