Profile picture
Jake Williams @MalwareJake
, 15 tweets, 3 min read Read on Twitter
I've been doing incident response for years. Let's talk about the "missing server" using, I don't know, how about facts? I've never worked an intrusion where we've had all the evidence we wanted. There's always logs missing, aged off, or deleted by the attacker. 1/n
In every case, we are forced to look at the data we have and then make judgments even with the missing data. We don't call the missing data a conspiracy - we call it business as usual. 2/n
I've worked plenty of cases with missing equipment - in every case there's evidence that the missing device actually existed. We've had missing laptops (DC logs). We've worked cases where whole servers went missing - there was evidence the servers were there. 3/n
It's not crazy to ask "is there missing data here?" That's what we do in an intrusion. Even when we confirm we're missing data, we ever hypothesize about what that missing evidence might tell us and then treat that as fact. That's preposterous. 4/n
It would be perfectly logical in an intrusion to ask "did we collect data from all servers or is one missing?" It would not be okay upon finding out we were missing data to say "That missing server contains exculpatory evidence." That's not how ANY investigation ever works. 5/n
There ARE times when investigators make assessments about what might be in missing evidence. But those assessments are never considered as evidence themselves. "Tell me what you think, tell me what you know, but always tell me which is which" - Colin Powell. 6/n
Here are some facts about the DNC investigation:
1. Crowdstrike imaged at least one compromised server and provided forensic data to the FBI
2. The FBI wasn't involved in the initial investigation
3. There's no evidence any servers are involved that haven't been imaged
Some cry foul that the FBI wasn't brought in at the beginning. I wouldn't have called the FBI either if it were my investigation. I don't call the FBI for breaches unless there's a specific reason (regulatory requirement, insurance underwriter says to, etc.). 8/n
The FBI is very good at what they do, but they are investigating crime to prosecute offenders and build cases. I'm trying to restore operations ASAP. DNC suspected this was a foreign nation state and Crowdstrike confirmed. You're not taking this one to trial. 9/n
DNC is under time pressure and every minute they spend with the FBI is a minute they aren't recovering and preparing for the election. I totally understand why they didn't call the FBI - it's counter to their goals of winning an election. 10/n
Add in the potential for leaks within the FBI (a VERY real concern) and that further justifies not calling. Ultimately the server images were provided to the FBI, but it's worth noting that even that wasn't a legal requirement. 11/n
Imagine the number of people who would have to be involved in a conspiracy to plant evidence against the Russians AND make a server with exculpatory evidence disappear. And none of them have talked? Um, yeah, that doesn't make sense... 12/n
In investigations, we talk about evidentiary dependence. All things equal, theories with dependence on fewer pieces of evidence are usually stronger. What's the evidentiary dependence for "the only server with exculpatory evidence was made to disappear?" 13/n
Don't just say "a server is missing." That's not entirely correct. More correct is "the only machine in the entire DNC network with exculpatory evidence is missing and there's no external evidence that said server ever existed." That's a huge stretch. 14/n
I hope this help explain the crux of this conspiracy claim. It's bunk through and through. To someone outside the DFIR filed, some of the actions by the DNC might look sketchy (e.g. not calling the FBI). In my actual experience in the field, it's completely normal. 15/15
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!