Robert Graham
Created (BlackICE,IPS,sidejacking,masscan). Doing (blog,code,cyber-rights,Internet-scanning). @erratarob@infosec.exchange

Sep 15, 2021, 13 tweets

1/n Okay, nerds, when doing an audit on Windows or Android in order to prove "it wasn't connected to the Internet" during certain dates, what would you look for? I mention this because it's not a standard audit/forensics question.

2/n I mention this because of answering this question. I don't have confidence in the report partly because of my own limitations that I don't know how to do this.

3/ The report says this. The USB part is very good. But the rest is bad. I downloaded OSForensics and made sure: it doesn't have a specific module that deals with this question.

4/ "Windows event logs" would be the place to look, but looking on my own Windows machines, I can't find events that would conclusively tell me this.

5/ Windows probes for an Internet connection and can log successes, but I see logs for failures (indicating "not on the network") for machines that are indeed actively on the Internet.

6/ Ah! NTP! That seems to be the answer!!!! This seems to reliably work to see if day-by-day the computer has access to the Internet.

7/ DNS seems a bust. I think you have to enable logging specifically for it, that it's not enabled by default.

8/ In this case, "Windows Updates" logs aren't going to work, because Dominion systems have it disabled.

9/ So the next step is to investigate this with the Dominion EMS images provided at the cybersymposium. It doesn't have any NTP logs, because NTP is disabled.

10/ The Mesa County, Colorado system is similar to the Maricopa County, Arizona EMS system. A copy of the system image was leaked online during Mike Lindell's "Cybersymposium". Working with this system would tell us things like "NTP is disabled" that probably apply to Maricopa.

11/ MESA: well here's something that suggests the Mesa County, Colorado server was connected to a network during the election. Error messages about not being able to contact a router ceased between Oct 16 and Dec 14.

12/ Prowling around other logs, I suspect the opposite is true, that a cable was plugged in during the other times (causing this fail message), but physically disconnected during the election (hence, not even trying to contact router).

13/ Which is a good example for when you are off the reservation into areas where you don't understand (as I am here): something you don't understand isn't evidence of your theory. There may be yet more explanations that explain it that you didn't consider.
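The NTP idea from tweet 6 and the caveat from tweets 12-13, as an added example that is not part of the thread: build a day-by-day timeline from exported Windows Time-Service events, and treat days with no events as "unknown" rather than "offline". The choice of event IDs (35/37 as successful sync, 47/134 as peer-unreachable or DNS failure from the Microsoft-Windows-Time-Service provider) and the CSV export format are my assumptions, and the sample lines are constructed, not real election-system data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed W32time event IDs (System log, Microsoft-Windows-Time-Service).
SYNC_OK = {35, 37}      # host actually received time from a source
SYNC_FAIL = {47, 134}   # host tried to reach a source and could not

# Constructed sample of a "TimeCreated,Provider,EventID" export; not real data.
SAMPLE_EXPORT = """\
2020-10-14T08:01:05,Microsoft-Windows-Time-Service,37
2020-10-15T03:12:44,Microsoft-Windows-Time-Service,47
2020-10-15T11:40:02,Microsoft-Windows-Time-Service,37
2020-10-20T09:00:00,Microsoft-Windows-Time-Service,134
2020-10-20T09:05:00,Microsoft-Windows-Kernel-General,12
2020-11-03T07:30:00,Microsoft-Windows-Time-Service,47
2020-12-14T10:00:00,Microsoft-Windows-Time-Service,37
"""

def parse_export(text):
    """Return (timestamp, event_id) for Time-Service rows only; skip others."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, provider, eid = line.split(",")
        if provider == "Microsoft-Windows-Time-Service":
            events.append((datetime.fromisoformat(ts), int(eid)))
    return events

def classify_days(events, start, end):
    """Map every date in [start, end] to one of:
    'online'  - at least one successful sync event that day
    'failing' - only failure events that day (reachability attempted, failed)
    'unknown' - no Time-Service events at all; NOT evidence of being offline,
                since NTP may simply be disabled or the cable unplugged."""
    per_day = defaultdict(set)
    for ts, eid in events:
        per_day[ts.date()].add(eid)
    verdicts, day, last = {}, start, end
    while day <= last:
        ids = per_day.get(day, set())
        if ids & SYNC_OK:
            verdicts[day] = "online"
        elif ids & SYNC_FAIL:
            verdicts[day] = "failing"
        else:
            verdicts[day] = "unknown"
        day += timedelta(days=1)
    return verdicts

def online_days(text, start, end):
    """Dates with positive evidence of Internet reachability, sorted."""
    v = classify_days(parse_export(text), start, end)
    return sorted(d for d, s in v.items() if s == "online")
```

Only the "online" verdict is positive evidence; a run of "unknown" days is a gap in the record, which is the distinction tweet 13 is warning about.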
