Thread by @MalwareJake: "I've been doing incident response for years. Let's talk about the "missing server" using, I don't know, how about facts? I've never worked a […]"

15 tweets, 3 min read
I've been doing incident response for years. Let's talk about the "missing server" using, I don't know, how about facts? I've never worked an intrusion where we've had all the evidence we wanted. There's always logs missing, aged off, or deleted by the attacker. 1/n
In every case, we are forced to look at the data we have and then make judgments even with the missing data. We don't call the missing data a conspiracy - we call it business as usual. 2/n
I've worked plenty of cases with missing equipment - in every case there's evidence that the missing device actually existed. We've had missing laptops (DC logs). We've worked cases where whole servers went missing - there was evidence the servers were there. 3/n
It's not crazy to ask "is there missing data here?" That's what we do in an intrusion. Even when we confirm we're missing data, we never hypothesize about what that missing evidence might tell us and then treat that as fact. That's preposterous. 4/n
It would be perfectly logical in an intrusion to ask "did we collect data from all servers or is one missing?" It would not be okay upon finding out we were missing data to say "That missing server contains exculpatory evidence." That's not how ANY investigation ever works. 5/n
There ARE times when investigators make assessments about what might be in missing evidence. But those assessments are never considered as evidence themselves. "Tell me what you think, tell me what you know, but always tell me which is which" - Colin Powell. 6/n
Here are some facts about the DNC investigation:
1. Crowdstrike imaged at least one compromised server and provided forensic data to the FBI
2. The FBI wasn't involved in the initial investigation
3. There's no evidence any servers are involved that haven't been imaged
7/n
Some cry foul that the FBI wasn't brought in at the beginning. I wouldn't have called the FBI either if it were my investigation. I don't call the FBI for breaches unless there's a specific reason (regulatory requirement, insurance underwriter says to, etc.). 8/n
The FBI is very good at what they do, but they are investigating crime to prosecute offenders and build cases. I'm trying to restore operations ASAP. DNC suspected this was a foreign nation state and Crowdstrike confirmed. You're not taking this one to trial. 9/n
DNC is under time pressure and every minute they spend with the FBI is a minute they aren't recovering and preparing for the election. I totally understand why they didn't call the FBI - it's counter to their goals of winning an election. 10/n
Add in the potential for leaks within the FBI (a VERY real concern) and that further justifies not calling. Ultimately the server images were provided to the FBI, but it's worth noting that even that wasn't a legal requirement. 11/n
Imagine the number of people who would have to be involved in a conspiracy to plant evidence against the Russians AND make a server with exculpatory evidence disappear. And none of them have talked? Um, yeah, that doesn't make sense... 12/n
In investigations, we talk about evidentiary dependence. All things equal, theories with dependence on fewer pieces of evidence are usually stronger. What's the evidentiary dependence for "the only server with exculpatory evidence was made to disappear?" 13/n
Don't just say "a server is missing." That's not entirely correct. More correct is "the only machine in the entire DNC network with exculpatory evidence is missing and there's no external evidence that said server ever existed." That's a huge stretch. 14/n
I hope this helps explain the crux of this conspiracy claim. It's bunk through and through. To someone outside the DFIR field, some of the actions by the DNC might look sketchy (e.g. not calling the FBI). In my actual experience in the field, it's completely normal. 15/15