originally posted by: chr0naut
originally posted by: pavil
a reply to: xuenchen
Why was it "not possible" for the FBI to actually have the DNC Server and Hard Drive in its possession to prove an International Event of the scope of Russia directly spying on a Presidential Campaign?
Wouldn't that be something you'd want to prove beyond a shadow of a doubt?
Between that, and the immunity deals they were handing out like condoms at Spring Break, I knew the whole thing smelled to high heaven.
Well, really in-depth security audit forensics takes time. If you switch off the server to pass it from location to location, you can't actually be doing any forensics on it.
The first step in any such forensics is to produce a bit-wise image of all the drives, so that you can re-try things if you accidentally mess with the content. You do this by removing the drives and mounting them in a different machine and then imaging them at a low level (called a bitwise image); this ignores format and partitioning on the drive and copies everything identically at the base level.
The other advantage in removing the drives is that you can read data from the side of the data tracks (in a magnetic recording HDD). This works because of a thing called magnetic hysteresis, which means that magnetic domains spread out over time through the media and that greater energy is required to erase the data than it took to originally write it. This means that older data is still on the media even though overwritten by later magnetization. In a solid state drive, however, this does not work. To do this side-track reading, you have to modify the drive controller hardware. Standard hardware will not allow this type of operation.
The result is that you get two bitwise images for each drive and it is trivial to determine what data has been recently erased, by simply doing a comparison between them.
Once the original drives are imaged, they can be returned to the original machine, which can either continue to be used or it can be rebuilt. The hardware isn't actually the critical component anymore. The data content is.
Crowdstrike provided the FBI with the same images that it was using to do the forensics. Essentially, the FBI had the server, complete and frozen in time at the time the images were made.
Once you have bitwise images, you no longer require the physical server and it is better to mount copies of those images on another machine entirely. In this way, there are no files on the drive locked by the server operating system - you have full access to everything and don't have to fight for access with any of the processes that run the server.
Then you do the forensic audit on the data, looking both for files and for formats of data similar to files (even in erased space). Also you have the comparison deltas, which tell you which stuff to target first.
originally posted by: shooterbrody
Or you can just follow our law and turn over the evidence.
You know the NSA has all this, right?
Remember the name Rogers.
Barack Obama wanted to fire him but was too late.
originally posted by: chr0naut
The server itself was not given to the FBI because they would have to turn it off and disconnect it to do so. Interrupting the analysis and security remediation.
originally posted by: burntheships
originally posted by: chr0naut
The server itself was not given to the FBI because they would have to turn it off and disconnect it to do so. Interrupting the analysis and security remediation.
Do you realize what a ridiculous assertion this is?
Since when has that "in use" ever stopped the FBI from seizing evidence?
originally posted by: xuenchen
a reply to: pavil
Remember WHO was "in power" in 2016 when this all happened ☢
originally posted by: chr0naut
They didn't need house bricks, or clay samples, or window glass, either, that weren't pertinent to their investigations. The FBI had the evidence they needed for the investigation.
originally posted by: Breakthestreak
A disgusting racist piece of #e failed president?
Everyone remembers that.
Now there’s an actual President ‘in power’ the fascists are beside themselves with grief. And their more-than-obvious fake hoax ‘investigation’ has failed miserably and totally exonerated the President, in the eyes of the public, all while totally destroying the TINY support base of the dEms
2021 is gonna be a good year
Bill Barr and Trump are the only ones who can approve the request.
originally posted by: SouthernForkway26
a reply to: chr0naut
The images are inadmissible as evidence in court. Only the servers themselves are evidence. There's a reason the FBI wanted the actual servers instead of whatever junk CrowdStrike gave them. There's also a reason the servers have been destroyed.
originally posted by: TheRedneck
a reply to: chr0naut
The other advantage in removing the drives is that you can read data from the side of the data tracks (in a magnetic rerecording HDD).
That only works on the original drive. A bitwise image will not contain any hysteresis information; it is written in a single pass from a digital reading of the original drive. Hysteresis reading is an analog function, not a digital one.
Also, unless specific routines are used (as in BleachBit), an OS does not actually 'erase' data; it simply forgets where it is (deletes the entry in the File Access Table) and reuses the space as needed. Data retained in this way is preserved on a bitwise image.
TheRedneck
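The two technical points in this thread, chr0naut's "comparison deltas" between two bitwise images and TheRedneck's note that deleted-but-not-overwritten data is still present in an image, as one added Python example that is not code from any poster here. It assumes two constructed images of the same drive taken at different times (how the earlier image is obtained is exactly what the posters disagree on), a 512-byte block size and three made-up file signatures; all names and sample contents are illustrative only.

```python
# Constructed demonstration of block-level image diffing plus header carving;
# none of this is CrowdStrike's, the FBI's or any real forensic tool's code.
BLOCK = 512  # sector-sized comparison unit; examiners typically diff at 512 or 4096

# Magic bytes a carver looks for. The file table is ignored entirely, so a
# header sitting in space the OS has merely "forgotten" is found just the same.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}

def changed_blocks(before: bytes, after: bytes, block: int = BLOCK) -> list:
    """Indices of blocks whose bytes differ between two images of one drive."""
    if len(before) != len(after):
        raise ValueError("images of the same drive must be the same size")
    return [i for i in range(len(before) // block)
            if before[i * block:(i + 1) * block] != after[i * block:(i + 1) * block]]

def carve(image: bytes) -> list:
    """Every (offset, type) where a known header starts, allocated or not."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def delta_triage(before: bytes, after: bytes, block: int = BLOCK) -> dict:
    """Carve only inside changed blocks: a header in the earlier image that is
    gone now was erased; a header present only now was written in between."""
    changed = set(changed_blocks(before, after, block))
    old = {h for h in carve(before) if h[0] // block in changed}
    new = {h for h in carve(after) if h[0] // block in changed}
    return {"erased": sorted(old - new), "new": sorted(new - old)}

def build_images(block: int = BLOCK) -> tuple:
    """Constructed 16-block images of one drive at two points in time."""
    blocks = [bytes(block) for _ in range(16)]
    blocks[3] = b"\x89PNG\r\n\x1a\n" + bytes(block - 8)   # deleted by the OS, never overwritten
    blocks[7] = b"\xff\xd8\xff\xe0" + b"J" * (block - 4)  # present only in the first image
    before = b"".join(blocks)
    blocks[7] = bytes(block)                               # wiped after the first image
    blocks[10] = b"PK\x03\x04" + b"Z" * (block - 4)        # written after the first image
    after = b"".join(blocks)
    return before, after

if __name__ == "__main__":
    before, after = build_images()
    print(changed_blocks(before, after), carve(after), delta_triage(before, after))
```

The PNG in block 3 is reported by `carve` in both images but never appears in the delta, which is the deleted-but-intact case; the wiped JPEG and the new archive are what the delta surfaces for triage.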