Profile picture
Jake Williams @MalwareJake
, 15 tweets, 3 min read Read on Twitter
I've been doing incident response for years. Let's talk about the "missing server" using, I don't know, how about facts? I've never worked an intrusion where we've had all the evidence we wanted. There's always logs missing, aged off, or deleted by the attacker. 1/n
In every case, we are forced to look at the data we have and then make judgments even with the missing data. We don't call the missing data a conspiracy - we call it business as usual. 2/n
I've worked plenty of cases with missing equipment - in every case there's evidence that the missing device actually existed. We've had missing laptops (DC logs). We've worked cases where whole servers went missing - there was evidence the servers were there. 3/n
It's not crazy to ask "is there missing data here?" That's what we do in an intrusion. Even when we confirm we're missing data, we ever hypothesize about what that missing evidence might tell us and then treat that as fact. That's preposterous. 4/n
It would be perfectly logical in an intrusion to ask "did we collect data from all servers or is one missing?" It would not be okay upon finding out we were missing data to say "That missing server contains exculpatory evidence." That's not how ANY investigation ever works. 5/n
There ARE times when investigators make assessments about what might be in missing evidence. But those assessments are never considered as evidence themselves. "Tell me what you think, tell me what you know, but always tell me which is which" - Colin Powell. 6/n
More
Here are some facts about the DNC investigation:
1. Crowdstrike imaged at least one compromised server and provided forensic data to the FBI
2. The FBI wasn't involved in the initial investigation
3. There's no evidence any servers are involved that haven't been imaged
7/n
Some cry foul that the FBI wasn't brought in at the beginning. I wouldn't have called the FBI either if it were my investigation. I don't call the FBI for breaches unless there's a specific reason (regulatory requirement, insurance underwriter says to, etc.). 8/n
The FBI is very good at what they do, but they are investigating crime to prosecute offenders and build cases. I'm trying to restore operations ASAP. DNC suspected this was a foreign nation state and Crowdstrike confirmed. You're not taking this one to trial. 9/n
DNC is under time pressure and every minute they spend with the FBI is a minute they aren't recovering and preparing for the election. I totally understand why they didn't call the FBI - it's counter to their goals of winning an election. 10/n
Add in the potential for leaks within the FBI (a VERY real concern) and that further justifies not calling. Ultimately the server images were provided to the FBI, but it's worth noting that even that wasn't a legal requirement. 11/n
Imagine the number of people who would have to be involved in a conspiracy to plant evidence against the Russians AND make a server with exculpatory evidence disappear. And none of them have talked? Um, yeah, that doesn't make sense... 12/n
In investigations, we talk about evidentiary dependence. All things equal, theories with dependence on fewer pieces of evidence are usually stronger. What's the evidentiary dependence for "the only server with exculpatory evidence was made to disappear?" 13/n
Don't just say "a server is missing." That's not entirely correct. More correct is "the only machine in the entire DNC network with exculpatory evidence is missing and there's no external evidence that said server ever existed." That's a huge stretch. 14/n
I hope this help explain the crux of this conspiracy claim. It's bunk through and through. To someone outside the DFIR filed, some of the actions by the DNC might look sketchy (e.g. not calling the FBI). In my actual experience in the field, it's completely normal. 15/15
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
SO @MzenziNM claims I "stole his idea", he has been all over my timeline trolling with his chums abt a message he sent to me on the 19th December 2018 (21 Days Ago) so here are the #FACTS.

1: 19th December was easily one of the most brutal days at #FIAB as we were closing 20th
2: The LYTEE app (initially called GOPHER / MFANA till we changed) Was first discussed by myself and Pastor @seanmullens in Nov, as a growth using #FIAB tech that @afrikancoder @twenty_tin and Mzie have been already working on! same code, but send people not veg. 👇Video 1st Dec
3: I get literally 1000 messages a day, in my DM and in the filtered with people with "IDEAS". The most polite thing to do is BE POLITE! "cool" "awesome" "dope" are my usual "PROGRAMMED RESPONSES" Below is the CANNED response he got like everyone else.
Read 9 tweets
Profile picture
#Evidence
1. On June 18, 1957, after checking with Maulana Kalam Azad and Dr.Rajendra Prasad, Durga Das wrote the following line in his weekly column in The Hindustan Times, “if he (Nehru) is consciously trying to build anyone as his successor, he is building up his daughter.”
More #Evidence Mr. Tharoor-
2. Indira Gandhi went with Nehru to all political and administrative functions and got introduced to all the state leaders of the Congress party 🤔
#Evidence
3. Indira addressed election meetings, presided over Congress women’s committees, acted as hostess when Nehru entertained visitors and he took her with him when he traveled abroad😌
Read 6 tweets
Profile picture
I’m only posting breaking news/ hot takes/pithy rhetorical analysis/puns/selfies from #TribFest18 for the next few days.

Starting now.
At registration I’ve already run into two people I know—a former student who wants to go into publishing marketing (and working the @BookPeople table) & a former Aggie Agora speaker. Also bought @TheRickWilson’s book and hoping to find him irl so he can sign it for me!
Y’all! So excited to see @DLind @cjane87 & @mattyglesias talk about the weeds of Trump’s boarder wall. #TribFest18
Read 126 tweets
Profile picture
This is a thread to share my experiences throughout my undergraduate (UG) degree in economics at IIUM. I am hoping that with this sharing, it may inspire some of you and giving insight on how I manage to go through 4 years degree with this result
Short description of my academic achievement; I was one of the Royal Education Award (REA) recipient on 33rd IIUM Convocation. I would say REA is the highest university awards during convocation. It needs an excellent academic performance as well as curriculum.
Okay, let's start! Here are some of my experiences/strategy but not limited to on how I manage to succeed in my undergraduate study:
Read 58 tweets
Profile picture
Know what . I got thoughts and feelings and a lil time so I wan to play this one out for yall in public on real scale : This is n extension of what they already do , it's the long game of their language AND IMMIGRANTS HAVE BEEN TELLING YOU ALL FOR YEARS
If you want to see someone damn near black out in rage about immigration who is in it or has skin in the game? Say "moral turpitude" and watch languages and accents FLY
Now I expect folks who do this more serious to correct me but "moral turpitude" is how many legal residents post IIR RIRA got deported , and guess what it's connected to ?!?! Guess ?
Read 46 tweets
Profile picture
1/
 One of my favorite writers @ Caitoz

who I won't "Tag" in this Tweetstorm
because it will mess up her mentions

wrote an article about the Lying CIA, Coup, and Iran

I snarked back about Obama's 180 Bil
she didn't like that
but
I've read her article

medium.com/@caityjohnston…
2/
 One of the reasons
I thoroughly enjoy @ Caitoz
and strongly recommend her
is that she takes no prisoners, states her opinions, and provides facts

However, I dispute her version of Iran

So we shall discuss

medium.com/@caityjohnston…
3/
 Is @ caitoz Right"
She said I was spreading Falsehoods?

TBH, let's find out
If I can't provide a counter-arguments w/facts and sources
then that is upto to you to decide

But I will now review her article

"Line-By-Bloody-Line"

medium.com/@caityjohnston…
Read 48 tweets

Trending hashtags

#GodBlessTheUSA #people #Wikileaks #like #Lyme #nordicwashing #ChiefScienceAdvisor #day1 #Kavenaugh #science #northern #own #LostHighway #soon #Evidence #ThesePeopleAreStupid #LuckyGuy #NorthAmerica #Facts #Never #FACTS #never #historicalhottie #weinsteinscandal #online

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!