1/ One of the problems with hacking is that you are always certain you are doing it in the sub-optimal, least elegant fashion.
Such is the case in my examination of those disk images from the Mesa County election computer. A natural question is to grab password hashes.
2/ The standard free utility for examining a disk image is "Autopsy". There are more expensive commercial offerings. Autopsy has a lot of really cool plugins. I assume it would have one for password hashes, but I can't find one.
3/ So I do it the inelegant way. I simply go through the filesystem and extract the SAM, SECURITY, and SYSTEM registry "hives" (aka. files in registry format).
4/ I then run those files through one of many possible tools that can extract the password hashes, and get the hashes (aka. "encrypted form of the passwords" (sic)).
5/ I then run through "hashcat", using "mutated dictionary" attacks. It doesn't find anything except that the "Guest" accounts have an empty password (google 31D6CFE0D16AE931B73C59D7E0C089C0 and see for yourself).
6/ I'm not skilled at cracking passwords. I do the standard thing (mutated dictionary), because it almost always succeeds quickly. I don't have practice at cracking tough nuts when the simple/obvious approach fails.
7/ So as it turns out, there was a better way. It turns out the password for a lot of the accounts was "Colorado2019!!!"
You have two choices:
#1 fall back on the "experts have debunked it". I'm an expert, I've debunked it.
#2 spend a considerable amount of time understanding the issue so that you can competently debate it and answer questions, which frankly, isn't worth your time
The short answer is this: the forensics investigators looked only at the C: boot drive, not the D: data drive where records are preserved. Thus, they could not have said whether or not records were correctly preserved according to state law.
Secondly, it's not a valid forensics report, because among other things, they violate forensics ethics by not putting their name on it and redacting information without disclosing the fact of redaction to the reader.
So one of the funny things from that "Mesa County Dominion deletes files" report is the screenshot they take of the report produced by the FTK Imager.
It's missing a line of text: the name of the examiner who created the image. The name was "cjh", which many claim is Conan Hayes.
With the magic of cryptography, we KNOW for certain the name was deliberately removed in that graphic. That's because the MD5/SHA1 hashes confirm this is the SAME system image that was posted online during Lindell's Cybersymposium.
Yes yes, I know, both MD5 and SHA1 are broken and it's possible to create two files with the same hashes, that SHA2 needs to be used to actually be certain. But it still would require participation of the person who created them -- not something done after the fact.
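The comparison described above, as an added example that is not part of the original thread: two imager reports are parsed, their MD5/SHA1 values are checked against each other and against hashes recomputed from the image, and any field present in one report but absent from the other is listed. The image bytes, case numbers and report layout are constructed assumptions, and all function names are hypothetical; SHA-256 is computed alongside because MD5 and SHA1 are both broken.

```python
import hashlib
import re

# Constructed stand-in for a disk image; a real one is streamed from disk.
IMAGE = b"constructed sample image bytes" * 4096

def digests(data, chunk=65536):
    """MD5 and SHA-1 (what the report carries) plus SHA-256, fed in chunks."""
    hs = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for off in range(0, len(data), chunk):
        for h in hs.values():
            h.update(data[off:off + chunk])
    return {name: h.hexdigest() for name, h in hs.items()}

def make_report(d, examiner=None):
    """Build constructed report text; the field layout is an assumption."""
    lines = ["Case Number: 0001", "Evidence Number: 0001"]
    if examiner:
        lines.append(f"Examiner: {examiner}")
    lines += [f"MD5 checksum: {d['md5']}", f"SHA1 checksum: {d['sha1']}"]
    return "\n".join(lines)

def parse_report(text):
    """Return {field: value} for every 'Field: value' line."""
    return {k.strip(): v.strip()
            for k, v in re.findall(r"^([^:\n]+):(.+)$", text, re.M)}

def report_matches_image(report, data):
    """True if the report's hashes equal hashes recomputed from the image."""
    fields, d = parse_report(report), digests(data)
    return (fields["MD5 checksum"].lower() == d["md5"]
            and fields["SHA1 checksum"].lower() == d["sha1"])

def compare_reports(published, screenshot):
    """Return (same_image, fields in published that screenshot lacks)."""
    a, b = parse_report(published), parse_report(screenshot)
    same = all(a[k].lower() == b[k].lower()
               for k in ("MD5 checksum", "SHA1 checksum"))
    return same, sorted(set(a) - set(b))

if __name__ == "__main__":
    d = digests(IMAGE)
    published = make_report(d, examiner="cjh")
    screenshot = make_report(d)  # same image, examiner line absent
    print(compare_reports(published, screenshot))
    print("sha256 for future comparisons:", d["sha256"])
```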
When the leaders threatened violence against me because they wanted the table I was sitting at, their reason was "because we are all in this together" and thus my individual desire must be subordinate to the group desire.
It was a weird world where facts didn't matter. For example, signs claimed the 1% didn't pay taxes, when in fact the top 1% of income earners earn about 20% of the income and pay 40% of income taxes.
I remember being in line at the nearby Starbucks while the Occupy guys behind me were strategizing how they could get the police to arrest protestors, such as walking in the middle of the street.
The data wasn't deleted, it was backed-up (well, probably).
I did my own forensics analysis of the Mesa County servers. Retention rules would demand that data be backed-up externally. Thus, seeing data deleted locally wouldn't mean anything.
I can't confirm they were backed-up properly, or if the backups were deleted elsewhere. There are suggestions of connecting to both a NAS and an external drive, so I see hints they were.
I just know that "retention" would imply "external storage" from the server.
The way that Dominion "updates" work isn't "software updates" like you and I are familiar with. Instead, an "update" of this server means applying a whole new system image, which wipes out whatever was on the server beforehand.
3/ The indictment shows how Tech-Executive-1 at a big Internet company directed people at two startups he invested in to go hunting in private databases (like netflow logs and DNS lookup logs) to find dirt on Trump.