
FBI never looked at the server REDUX


posted on Aug, 30 2018 @ 12:35 PM
Retracted.
edit on 8/30/2018 by efabian because: (no reason given)




posted on Aug, 30 2018 @ 12:37 PM
Ugh. I don't know why I'm wading into this again. Lmao

First things first — anyone clinging to this because they believe it's strong evidence suggesting that the DNC (and DCCC) hack could have been faked by CrowdStrike is wasting their time. Over the last couple of years, I have posted about multiple threads of evidence from independent sources, the details of which have been published. Some examples:

1. We know that in September of 2015, FBI agent Adrian Hawkins reached out to the DNC to warn them that their network had possibly been compromised. By all accounts, Hawkins called multiple times over several weeks. The person he reached was an IT contractor named Yared Tamene who is apparently something of a clown and did not take the calls seriously. Interestingly, Hawkins identified the likely intruders as "the Dukes," the Russian hackers aka Cozy Bear (CrowdStrike), APT29 (FireEye), etc. It hasn't been reported how the FBI became aware of the intrusion.

2. In March of 2016, Dell's SecureWorks detected a massive spear phishing campaign in progress through analysis of Bitly shortened URLs. SecureWorks identified the perpetrators as TG-4127 aka Iron Twilight/Fancy Bear/APT28. This is who phished John Podesta. There's an AP article about it here that provides details like this:


A malicious link was generated for Podesta at 11:28 a.m. Moscow time, the AP found. Documents subsequently published by WikiLeaks show that the rogue email arrived in his inbox six minutes later. The link was clicked twice.

Though the heart of the campaign was now compromised, the hacking efforts continued. Three new volleys of malicious messages were generated on the 22nd, 23rd and 25th of March, targeting communications director Jennifer Palmieri and Clinton confidante Huma Abedin, among others.


3. Security outfits ThreatConnect and Fidelis have done their own independent research of the DNC/DCCC hacks as well as examining implants from the servers provided by CrowdStrike. There's an index of some of ThreatConnect's posts here. I'm not going into everything they've detailed but as an example:


In building upon Crowdstrike’s analysis, ThreatConnect researched and shared 20160614A: Russia-based groups compromise Democratic National Committee within the ThreatConnect Common Community. This incident includes the IP address 45.32.129[.]185 which Crowdstrike lists as a FANCY BEAR X-Tunnel implant Command and Control (C2) node.

Using ThreatConnect’s Farsight passive DNS integration to review the resolution history for 45.32.129[.]185 we uncovered some additional domain resolutions. One of these domain resolutions is the suspicious domain misdepatrment[.]com (note the transposition of the “t” and the “r” in department).

The domain misdepatrment[.]com was registered on March 22, 2016. Farsight lists the earliest domain resolution as March 24, 2016. On April 24th, 2016 the domain misdepatrment[.]com moved from the parking IP Address 5.135.183[.]154 to the FANCY BEAR Command and Control IP Address 45.32.129[.]185 where it remains resolved as of the time of this writing.

The domain misdepatrment[.]com closely resembles the legitimate domain for misdepartment.com. Of note, MIS Department Inc. is a technology services provider that lists a variety of clients on its website, one of which is the DNC.


In this case, the domain analyzed, which was registered in March, spoofed the legitimate domain of MIS Department Inc. Remember DNC IT contractor Yared Tamene? Here's his LinkedIn.


Vice President
Company Name The MIS Department, Inc.
Dates Employed Jan 2011 – Present Employment Duration 7 yrs 8 mos

Democratic National Committee
Director Of Information Technology
Company Name Democratic National Committee
Dates Employed Apr 2011 – Present Employment Duration 7 yrs 5 mos


Like I said, that's just an example.

4. There is actually evidence within the leaked emails which couldn't have been faked by CrowdStrike, including the phishing of Podesta and the targeting of Alexandra Chalupa's Yahoo mail account. Specifically, there's an email where she informs the DNC leadership that Yahoo's security team (the "Paranoids") had alerted her that she was the target of a possible state-sponsored phishing campaign. This is all in the WikiLeaks archive of DNC emails, including an attached screenshot of the alert message she'd received.

Those are just some things off the top of my head. Importantly, CrowdStrike couldn't have faked all this evidence unless they started way back in 2015, created all this infrastructure, conducted a massive spear phishing campaign against thousands of targets, most of them NOT related to the Democrats or the Clinton campaign, and did it masquerading as Russian state-sponsored hackers.

And that's a conclusion based only on the publicly available stuff. Even without getting into all the classified methods the NSA has, sources the CIA employs, what foreign intel agencies shared, etc — there's the nuts and bolts evidence that the FBI would have sought from outside the DNC/CrowdStrike when investigating any intrusion. Evidence that CrowdStrike could not have faked after the fact to create a hoax.

For example, it's clear from the Mueller indictment that they were given access to the command and control servers used by the hackers to interface with the implants on the DNC's servers (which were located at two different datacenters in the US). We're talking VPSes that were at the IP addresses in the implants found on the servers. CrowdStrike couldn't have given that access; it would have come from the ISPs — quite possibly, in the form of forensic images of the two virtual servers.

There's all sorts of forensic evidence from the attackers' infrastructure that could not have been faked by CrowdStrike. Desperately clinging to this "but the servers!" talking point in an effort to continue believing that CrowdStrike fabricated everything is wanton willful ignorance.



posted on Aug, 30 2018 @ 12:41 PM

originally posted by: efabian
a reply to: whargoul



Shock and Awe, that's the way we do things. You take things from people you are investigating, you don't take things from the victims in an investigation. Remember, the DNC are supposed to be the victims here.

Time and effort yes. I do not know how many servers they had, but I have heard upwards of 400. Take away even one server and productivity would fall. They were trying to win an election, if the FBI had taken their servers that would have been a direct hindrance to their bottom line. It would look 100% like political bias (just like Comey "reopening" the Hillary investigation days before the election).

You are moving goalposts now, bravo.


How? I am directly answering Grambler's questions.



posted on Aug, 30 2018 @ 12:49 PM
a reply to: whargoul
I misspoke, sorry for that. Retracted.
Even though, you do seem to take a strawman out of the weakest link in Grambler's post and ignore the remaining 90%.

edit on 8/30/2018 by efabian because: (no reason given)



posted on Aug, 30 2018 @ 12:51 PM
a reply to: verschickter


A copy of a drive isn't a complete copy of the data that is stored in a way or another on it. This is more true for magnetic storage devices than flash-based.

You do not need to educate me on how filesystems work; it's quite obvious you're the one that needs more education in that field.

Depending on the way you "copy" a drive, there will be either just the data present that the filesystem knows it has allocated, or in the case of magnetic drives, you'd need much more precise hardware to read out ALL the partly overwritten lines of 1s and 0s that the allocation table(s) do not know.

Because with magnetic drives, the arm won't return to the exact same position every time. That's why data recovery is possible with high precision hardware with way less tolerances. This way you can read out halfway overwritten stuff that DEFINITELY won't show up when you just copy the drive via normal filesystem functions.

I hope I could educate you a bit on that.


According to the reporting, the images that were given to the FBI were forensic images which you know would be an exact duplicate including all the allocated space, free space and slack space.



posted on Aug, 30 2018 @ 12:52 PM
*Gets call from FBI*

FBI Guy - "We suspect some wrongdoing on your computer, we need to take a look."
Me - "Nah, but I tell ya what, I will get my buddy to make a copy of everything on my computer, and send you a copy."
FBI Guy - "Sounds good!" (Which would never happen like this)

My data = Family Pics, 8 or 10 gigs of music, couple of games, no porn, work and personal documents, no porn.
DNC Data = Possible National Security Info

This is the difference I see.



posted on Aug, 30 2018 @ 12:54 PM
a reply to: whargoul

Firstly, it wasn't just the DNC that were victims, it was the American people.

That's what the investigation is about, right, the Russians' attack on the American system.

Or can we now just admit the FBI is only concerned with investigating for the benefit of the DNC.


Secondly, there is a difference between investigating a suspect vs. a non-suspect, I will give you that.

But why would shock and awe matter if any info left off from a copy of a server would be blatantly obvious?


And most importantly, the time and effort argument is not only wrong, but an extremely poor reason for the FBI to give for why not to get access to the server.

I can't wait for the FBI to publicly announce to the country they didn't use their preferred method of evidence collection in one of the biggest cases in the agency's history because it would have cost the DNC a little more time and effort.

And for the DNC to announce to the American people that yes, they do think the Russia investigation is the biggest thing that we need to look at, but they couldn't spare a little time and effort to meet the FBI request to help solve the case.


And I can prove it erroneous as well.

How, you may ask.

Well, because the DNC had to allow CrowdStrike to copy their servers, which would have taken the exact same time and effort!

In fact probably more, because they had to waste time denying the FBI, and had to actually pay CrowdStrike to do it!

And as far as affecting the election, it's been over since November 2016, and they STILL haven't had the FBI look at it.

It is clear that the DNC had a reason for not wanting the FBI to see their server.

edit on 30-8-2018 by Grambler because: (no reason given)



posted on Aug, 30 2018 @ 12:55 PM
a reply to: theantediluvian

I'll refer you to my post on the last page.



You seem to overlook the fact that the "empty" sectors of the vhd could have been zeroed before a "bit-by-bit" copy (which is the incorrect nomenclature; the correct term is sector-by-sector).

Hell, the vhd could have been easily "compacted" after zeroing the unutilized sectors.


You have no certainty something like this did not happen if you do not have the physical drives, assuming they are untampered.
edit on 8/30/2018 by efabian because: (no reason given)
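A small Python model, added here as an illustration and not code from anyone in this thread, from CrowdStrike or from the FBI, of what the three kinds of copy argued about above actually contain: a copy made through the filesystem, a sector-by-sector image (the forensic image theantediluvian describes, with unallocated sectors and slack included), and a sector image taken after the free sectors were zeroed, the scenario efabian raises. The sector size, file names, contents and the pre-filled "old writes" pattern are all constructed; the zero-sector ratio at the end is a heuristic check added here, not something from the thread, and it only flags wiped free space, not the sub-track remanence verschickter is talking about.

```python
import hashlib

SECTOR = 16      # constructed toy geometry: 16-byte sectors
NSECTORS = 32    # a 512-byte "disk"


class ToyDisk:
    """A flat array of sectors plus an allocation table (name -> sectors, length).
    Deleting a file only drops the table entry, as real filesystems do."""

    def __init__(self):
        # Pre-fill with a deterministic pattern standing in for years of old writes
        # (constructed; a fresh drive would be all zeros and make the demo trivial).
        self.sectors = [bytes((i * 37 + j * 11) % 256 for j in range(SECTOR))
                        for i in range(NSECTORS)]
        self.alloc = {}

    def free_sectors(self):
        used = {s for idxs, _ in self.alloc.values() for s in idxs}
        return [i for i in range(NSECTORS) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        free = self.free_sectors()
        if len(chunks) > len(free):
            raise OSError("disk full")
        idxs = free[:len(chunks)]
        for i, chunk in zip(idxs, chunks):
            # A short final chunk leaves the rest of the sector untouched: file slack.
            self.sectors[i] = chunk + self.sectors[i][len(chunk):]
        self.alloc[name] = (idxs, len(data))

    def delete_file(self, name):
        del self.alloc[name]          # sector contents are left in place

    def zero_free_space(self):
        for i in self.free_sectors():
            self.sectors[i] = bytes(SECTOR)


def filesystem_copy(disk):
    """What a copy through the mounted filesystem yields: live file bytes only."""
    return {name: b"".join(disk.sectors[i] for i in idxs)[:length]
            for name, (idxs, length) in disk.alloc.items()}


def sector_image(disk):
    """Sector-by-sector image: every sector, allocated or not, slack included."""
    return b"".join(disk.sectors)


def image_sha256(image):
    """Hash recorded alongside a forensic image so later copies can be verified."""
    return hashlib.sha256(image).hexdigest()


def carve(image, marker):
    """Offsets of a marker anywhere in the image; the allocation table is ignored."""
    hits, start = [], 0
    while (pos := image.find(marker, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def zeroed_free_fraction(disk):
    """Heuristic: share of unallocated sectors that are entirely zero. Close to 1.0
    on a disk that has seen real use suggests free space was wiped before imaging."""
    free = disk.free_sectors()
    return sum(disk.sectors[i] == bytes(SECTOR) for i in free) / len(free) if free else 0.0


def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meeting notes for the week")                   # sectors 0-1
    disk.write_file("old.log", b"old log line kept in free space: SECRET token")  # sectors 2-4
    disk.delete_file("old.log")                                                   # table entry only
    disk.write_file("memo.txt", b"hello")                                         # reuses sector 2
    fs_copy = filesystem_copy(disk)
    before = sector_image(disk)
    zero_before = zeroed_free_fraction(disk)
    disk.zero_free_space()            # free sectors zeroed before imaging
    after = sector_image(disk)
    return {
        "fs_copy_has_secret": any(b"SECRET" in v for v in fs_copy.values()),
        "image_secret_offsets": carve(before, b"SECRET"),
        "image_has_slack": b"og line kep" in before,
        "wiped_image_secret_offsets": carve(after, b"SECRET"),
        "wiped_image_has_slack": b"og line kep" in after,
        "zero_free_before": zero_before,
        "zero_free_after": zeroed_free_fraction(disk),
        "hashes_match": image_sha256(before) == image_sha256(after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the SECRET token from the deleted file absent from the filesystem copy, present at one offset in the sector image, and gone from the image taken after zeroing, while the leftover bytes in the slack of the live memo.txt sector survive both images because zeroing free space never touches an allocated sector. The two image hashes differ, which is exactly what a hash recorded at acquisition time lets a second examiner catch.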



posted on Aug, 30 2018 @ 12:59 PM

originally posted by: theantediluvian
First thing's first — anyone clinging to this because they believe it's strong evidence suggesting that the DNC (and DCCC) hack could have been faked by CrowdStrike is wasting their time.


Before you "lmao"...
That's not the problem some of us see.

The problem here is that the so-called piece of evidence is a sloppy copy from the hard drive, when in reality there's way more data to be recovered, intentionally deleted or not.

While for any other investigation -any- a crude photocopy of the evidence is not enough, somehow here it is. They always acquire the physical evidence, not a copy of it.

It's like a knife that belonged to person x was used on person a by person b.
The investigators will demand the actual knife, not the same model from the company that made it
"because it would be too much hassle to acquire the actual knife, a copy will do".

It's as simple as that.
A hard drive is not something hard to move around, unlike a piece of evidence like bullet holes in a wall. Of course there it's justified to not break that part out of the wall but make a copy / imprint.



posted on Aug, 30 2018 @ 01:01 PM

originally posted by: theantediluvian

According to the reporting, the images that were given to the FBI were forensic images which you know would be an exact duplicate including all the allocated space, free space and slack space.


From the latest data written over every single bit but not the data that is in between the tracks. You should have read the thread before you jumped in.



posted on Aug, 30 2018 @ 01:08 PM
a reply to: theantediluvian

Thank you for your input as always.

However, I must say that this post mostly seems unresponsive to anything in the OP.

For example, you cite evidence from 2015 that Russians were messing around with stuff like this.

Well then I suppose you will have to agree that because we definitely have evidence going years back that the Chinese government was trying to hack all sorts of US servers, that the report that China got direct access to Hillary's servers must be true.

Of course we both know you would rightly say that just because they were making attempts doesn't mean it was true in that instance.

The same here. Just because Russia was doing this stuff in 2015 doesn't mean they were the source for the hack of the WikiLeaks dump.

Aside from that, I can get into the weeds again with you if you want, but you still haven't given any explanation as to why the FBI didn't look at the physical server, or why the DNC didn't let them.

In the past, you have said that probably the DNC had something they didn't want the FBI to see on their server.

Well then that proves that the copy given by their paid-for firm wasn't a complete copy, else the FBI would still be able to see the stuff the DNC didn't want them to see.

No one has answered that.



posted on Aug, 30 2018 @ 01:17 PM

originally posted by: Grambler
a reply to: whargoul

Firstly, it wasn't just the DNC that were victims, it was the American people.

That's what the investigation is about, right, the Russians' attack on the American system.

Or can we now just admit the FBI is only concerned with investigating for the benefit of the DNC.


Secondly, there is a difference between investigating a suspect vs. a non-suspect, I will give you that.

But why would shock and awe matter if any info left off from a copy of a server would be blatantly obvious?


And most importantly, the time and effort argument is not only wrong, but an extremely poor reason for the FBI to give for why not to get access to the server.

I can't wait for the FBI to publicly announce to the country they didn't use their preferred method of evidence collection in one of the biggest cases in the agency's history because it would have cost the DNC a little more time and effort.

And for the DNC to announce to the American people that yes, they do think the Russia investigation is the biggest thing that we need to look at, but they couldn't spare a little time and effort to meet the FBI request to help solve the case.


And I can prove it erroneous as well.

How, you may ask.

Well, because the DNC had to allow CrowdStrike to copy their servers, which would have taken the exact same time and effort!

In fact probably more, because they had to waste time denying the FBI, and had to actually pay CrowdStrike to do it!

And as far as affecting the election, it's been over since November 2016, and they STILL haven't had the FBI look at it.

It is clear that the DNC had a reason for not wanting the FBI to see their server.


No no no, the image is made in real time; you are suggesting that the FBI needs to physically take servers (as I understand). And taking them now would be pointless, data gets overwritten. I've been trying to say over and over First = Best. Should it have been the FBI to make the images? Maybe! But they probably had a support contract with CrowdStrike to cover Incident Response.

As to why worry if a suspect deletes data (because we can see that they did that), we would never know what that data actually was.

I don't think it is clear that the DNC was hiding anything, I don't see the evidence. I am just trying to shed light on how the process is /supposed/ to work.

Now let me put my ATS hat on and let's say there is a conspiracy. In that case I don't think that the images or the physical servers would prove anything! CrowdStrike could hand the images off to the FBI and everybody concerned could keep claiming RussiaRussiaRussia no matter what the evidence says. None of us have seen the actual digital evidence.



posted on Aug, 30 2018 @ 01:19 PM
Grambler, it was a complete copy in the sense of the actual stored data.

The "incompleteness" kicks in when you consider the partly overwritten weaker data tracks are not in the copy.

Our two - three "special experts" on this just don't get that "slack data" is still on the active track on the HDD.

I'm not talking about that "slack data"; I'm talking about 2-3 times the amount of data that you can extract from that HDD with the correct hardware and discerning algorithms.

After all it was a HDD in a server; you can bet on that nearly every physical track on every disc inside that HDD has at least a leftover from previous, slightly offset writes.

That's why you overwrite HDDs several times to scrap them, in the hope that with the 10th time, you got enough wobble over the original track plus some offset to make them unusable.

Even if you overwrite the whole HDD several times with only one single bit value (1 or 0), you will still be able to pick that 1 you wrote on that track here and there. The chances to get useful data out of it decrease rapidly.

However, all that is far different from "slack data" because it occurs on the physical level of the plate and not somewhere in the filesystem.



They are just not able to make that transfer-thought, although it's not too complicated. It's much easier to "yo dude", "lmao", "you're fake news" than to make that leap in the mind.

They are far too easily distracted.
edit on 30-8-2018 by verschickter because: (no reason given)

edit on 30-8-2018 by verschickter because: mistyped username SORRY



posted on Aug, 30 2018 @ 01:30 PM
Such an operation isn't even possible with normal actuators and heads.

Not only do you need high precision actuators to move that head, you need access to the raw data stream coming directly from the head, and then you can start to calculate the fluctuations.

After you got that correct you can discern and emulate those lost bits via math.

Like if you have a max read-in from the head between 0-255 where 255 is a 1 and 0 is 0, you get values like

123
96
134
236

then you run those numbers and discern that the 96 had more 0s written than 1s over the history of writes.
You do that with multiple readouts per track.

Those numbers are just placeholders to explain it more easily.

Edit: The real magic starts when you train your algorithms (=self learning/adjusting) to make test writes with the original hardware on fresh plates and compare it to expected data from what your algorithm spews out.
edit on 30-8-2018 by verschickter because: (no reason given)



posted on Aug, 30 2018 @ 01:34 PM
a reply to: whargoul

So you admit that it "maybe" should have been the FBI to copy the server, but it was ok for CrowdStrike because they had contracts for the FBI.

But as I understand it CrowdStrike had been paid by the DNC to work security for them for a while, so in a sense it was servers they were in charge of defending that were attacked.

So allowing them to "work the crime scene" on behalf of the FBI would be like having a cop whose wife was killed work the crime scene there.

This should never happen because they are too close to the case and have biases.

In addition, we know the DNC had incentive to blame Russia. We know that CrowdStrike had blamed Russia in other hacks and were wrong.

And again, this gives the appearance of bias or negligence by the FBI, and they knew that it would. And yet for convenience's sake, they decided that the public's trust in them was worth sacrificing some to not spend a little more time and effort.

Funny, they don't seem to be concerned about time and effort when it comes to going after Trump.

-more below-



posted on Aug, 30 2018 @ 01:41 PM
a reply to: whargoul

I am confused about the data becoming overwritten part.

Let's say I get hacked on January 1.

My tech people find out on January 10. Presumably the reason they could find out is because despite data being overwritten continuously, the data from the hack on the first still exists on the tenth.

Why would it then be worthless for another firm to look at the server on January 20th to make sure my firm caught everything?


I mean sure, the sooner the better, but surely on the 20th a different set of eyes would be able to look at the data to confirm what was said on the 10th.

But you are saying at some point, data gets overwritten so it is worthless for investigators to look at.

Well what is that point? A month, a year?



posted on Aug, 30 2018 @ 01:41 PM


No no no, the image is made in real time; you are suggesting that the FBI needs to physically take servers (as I understand)


What does that even mean? You still do not understand the difference between software and hardware recovery? Please stop spewing nonsense finally.

You just proved you have no idea what you are talking about.



posted on Aug, 30 2018 @ 01:50 PM

originally posted by: verschickter



No no no, the image is made in real time; you are suggesting that the FBI needs to physically take servers (as I understand)


What does that even mean? You still do not understand the difference between software and hardware recovery? Please stop spewing nonsense finally.

You just proved you have no idea what you are talking about.



Just to clarify my position to everyone regarding this.

I am not saying that the FBI should have had to physically uproot all of the servers.

I am saying they should have been the ones to make the copy of the servers.

How long would it take for the FBI to come into the DNC, copy the server data, and then leave and use that copy?

The claim that this would have been too much time and energy seems absolutely ludicrous to me.



posted on Aug, 30 2018 @ 01:50 PM
a reply to: Grambler

He talks about the bits that are marked (=not allocated by the filesystem's allocation table anymore) for overwrite.

The real issue is that when the head moves over the plate (with magnetic discs) it won't hit the same spot again each time. That's why the tracks on the disk where the 0 and 1 are written are wider.

So when there is a 0 on that track and the head moves over it to write a 1, it may not hit the exact same spot on that track. With more precise heads, you can discern those variations and actually read out multiple values per track, where only one should be.

That's how hardware recovery works.

Don't be fooled by the "live image" and "no physical access". All you get when you do that so-called "forensic readout" is read every bit that your head on the plate reads out through a filter on the original hardware.

That means, yes, you will get bits that are free to overwrite but that is meaningless because it's data coming from the head and the controller on the hard disk's electronics does the exact thing I wrote above but vice versa.

It goes:
143 -> 0
223 -> 1
127 -> 0 / 1 -> reread -> 120 -> 0
96 -> 0

What the hardware recovery does is do more readouts per track and it goes like

143 -> 00011
223 -> 11110
127 -> 01010

each 0 and 1 being history writes. Heavy math and pattern recognition will do the trick in alliance with test writes and data samples to discern the correct order. In reality it's done with 2-3 readouts because processing power...



posted on Aug, 30 2018 @ 01:55 PM
a reply to: Grambler
I agree except for the simple readout.

I really don't think or say that CrowdStrike messed with those images. I think they will be nearly spot on with what the hardware controller spits out into the SCSI / SATA / IDE -whatever- bus (excluding normal read errors / misinterpretations).

What I say is, the chance to get what was really overwritten (and not just de-allocated by the filesystem for overwrite)


edit: ....is lost.....

forgot to finish that sentence...




edit on 30-8-2018 by verschickter because: (no reason given)



