1/n Okay, nerds, when doing an audit on Windows or Android in order to prove "it wasn't connected to the Internet" during certain dates, what would you look for? I mention this because it's not a standard audit/forensics question.
2/n I mention this because of answering this question. I don't have confidence in the report partly because of my own limitations that I don't know how to do this.
3/ The report says this. The USB part is very good. But the rest is bad. I downloaded OSForensics and made sure: it doesn't have a specific module that deals with this question.
4/ "Windows event logs" would be the place to look, but looking on my own Windows machines, I can't find events that would conclusively tell me this.
5/ Windows probes for an Internet connection and can log successes, but I see logs for failures (indicating "not on the network") for machines that are indeed actively on the Internet.
6/ Ah! NTP! That seems to be the answer!!!! This seems to reliably work to see if day-by-day the computer has access to the Internet.
7/ DNS seems a bust. I think you have to enable logging specifically for it, that it's not enabled by default.
8/ In this case, "Windows Updates" logs aren't going to work, because Dominion systems have it disabled.
9/ So the next step is to investigate this with the Dominion EMS images provided at the cybersymposium. It doesn't have any NTP logs, because NTP is disabled.
10/ The Mesa County, Colorado system is similar to the Maricopa County, Arizona EMS system. A copy of the system image was leaked online during Mike Lindell's "Cybersymposium". Working with this system would tell us things like "NTP is disabled" that probably apply to Maricopa.
11/ MESA: well here's something that suggests the Mesa County, Colorado server was connected to a network during the election. Error messages about not being able to contact a router ceased between Oct 16 and Dec 14.
12/ Prowling around other logs, I suspect the opposite is true, that a cable was plugged in during the other times (causing this fail message), but physically disconnected during the election (hence, not even trying to contact router).
13/ Which is a good example for when you are off the reservation into areas where you don't understand (as I am here): something you don't understand isn't evidence of your theory. There may be yet more explanations that explain it that you didn't consider.
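The day-by-day NTP check from tweet 6, combined with the cautions in tweets 5, 9 and 13 that failure events and missing logs prove nothing by themselves, as an added example that is not part of the original thread. It assumes the System log was exported to CSV with `TimeCreated`, `Id` and `Message` columns, that the Time-Service event IDs are 35/37 for a successful sync and 129/134 for an unreachable peer, and that `dc01.example.local` is a hypothetical internal time source.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Time-Service event IDs in the System log (not given in the thread):
# 35/37 = valid time received from a source, 129/134 = peer not reachable.
SUCCESS_IDS = {35, 37}
FAILURE_IDS = {129, 134}

# Constructed sample export (TimeCreated, Id, Message); not real evidence.
SAMPLE_CSV = """TimeCreated,Id,Message
2021-03-01T08:02:11,35,"Synchronizing with time source time.windows.com,0x9"
2021-03-02T08:03:40,134,"DNS resolution error on 'time.windows.com,0x9'"
2021-03-02T19:20:05,37,"Receiving valid time data from time.windows.com,0x9"
2021-03-03T08:01:00,134,"DNS resolution error on 'time.windows.com,0x9'"
2021-03-05T09:00:00,35,"Synchronizing with time source dc01.example.local"
"""

def ntp_timeline(csv_text, start, end, internal_sources=()):
    """Label every day in [start, end] by what its NTP events support."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = datetime.fromisoformat(row["TimeCreated"]).date()
        event_id = int(row["Id"])
        message = row["Message"].lower()
        if event_id in SUCCESS_IDS:
            # A sync against a LAN source says nothing about the Internet.
            internal = any(s.lower() in message for s in internal_sources)
            seen[day].add("internal" if internal else "external")
        elif event_id in FAILURE_IDS:
            seen[day].add("failed")

    timeline = {}
    day = start
    while day <= end:
        labels = seen.get(day, set())
        if "external" in labels:
            timeline[day] = "online"         # reached an outside time source
        elif "internal" in labels:
            timeline[day] = "internal-sync"  # LAN reachability only
        elif "failed" in labels:
            timeline[day] = "sync-failed"    # inconclusive on its own
        else:
            timeline[day] = "no-data"        # inconclusive: NTP may be off
        day += timedelta(days=1)
    return timeline
```

Only the `online` label is positive evidence of Internet access; `sync-failed` and `no-data` days stay open questions that need another source, such as the router-contact errors discussed in tweets 11 and 12.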
3/ The indictment shows how Tech-Executive-1 at a big Internet company directed people at two startups he invested in to go hunting in private databases (like netflow logs and DNS lookup logs) to find dirt on Trump.
Um, the answer is that this is just a slightly customized "Android TV Box". These are just computers running Android pre-loaded with various streaming apps (like Netflix) with a remote control that people connect to TVs to watch video and play games. gizmodo.com/please-help-us…
There are a zillion of these from China. I think the reason people have these is because it's a cheaper way to run things like Netflix on the TV than upgrading the TV. Also, there's an underground for pirating video with these things. amazon.com/s?k=tv+box
If you are willing to order thousands of these, you can custom order from China, with custom logs, custom plastic cases, and custom Android images preconfigured with your own apps.
@JenAFifield So the context for your questions is this; 1. what auditors like Ben Cotton are asking for sounds pretty reasonable, such as router configuration (not "the routers"). 2. this is distorted by Republicans and Trumpists into a conspiracy theory about "the routers".
The data Ben Cotton most wants is any logs of the "MAC addresses" to see if voting machines were connected to the network. MAC addresses are local to a subnet and stripped off from packets before forwarding to the rest of the Internet.
The next set of data is any flow logs going to those machines, to see their Internet communications during the election.
Nah.
It's through questioning that we come to understand the world. As an expert on cybersecurity, coding, packet-captures, etc., I try never to play the "believe me I'm an expert" card. Instead, I try to understand where they are coming from.
Sure, sometimes questioners are obstinate and seem uninterested in listening to responses, but that, too, is a way we come to understand the world. It's usually not one misconception that needs overturning, but a bundle of interrelated misconceptions.
Of course, sometimes questions are just so stupid that I'm unable to bridge the gap. I'm amazed sometimes how I, as an expert in my field, am defeated on the battlefield of Twitter argument with somebody who knows nothing.
Stupid @dave_maynor nerd sniping me. Now I need to understand how they did this. I mean, it wouldn't be hard, but the fact that they do it so well is impressive. thechoiceisyours.whatisthematrix.com
So the video mentions your current time as you watch it, both on the screen, and in the voice over. For example, this is what you see at 5:30:
One cool way to do it is so that the underlying streaming technology dynamically creates that part of the stream as it's downloaded.
A simpler way is to simply create 720 possible videos, and that the video you watch is determined by the time when you click on the webpage.
ProtonMail has always been clear: they abide by Swiss law and don't track IP addresses until forced to. Now people are upset at ProtonMail because it works as claimed, not how people assumed because they weren't paying attention.
It's not Proton Mail's "marketing" that's to blame. They've been hitting you over the head that IT'S BASED IN SWITZERLAND since like forever.
On the marketing page that explains "end-to-end encryption" and "zero access to user data", they explain they still abide by Swiss law.