Anonymous wrote: Anonymous wrote: jsteele wrote: From the article:
The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."
Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.
Not quite. If their email server was a VM or they provided snapshot images of the disks - which a lot of storage providers have as a feature - you can run an investigation on the snapshots of the disks.
It's a common feature to snapshot disk LUNs, virtual machines or datastores. If those snapshots exist they can be provided. ZFS is a filesystem with one such feature.
Could you clarify? It's not clear to me how you're contradicting the passage you quoted.
Anonymous wrote: Anonymous wrote: Anonymous wrote: jsteele wrote: From the article:
The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."
Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.
Not quite. If their email server was a VM or they provided snapshot images of the disks - which a lot of storage providers have as a feature - you can run an investigation on the snapshots of the disks.
It's a common feature to snapshot disk LUNs, virtual machines or datastores. If those snapshots exist they can be provided. ZFS is a filesystem with one such feature.
Could you clarify? It's not clear to me how you're contradicting the passage you quoted.
This is what you get when you get a spokesman talking about forensic images. And I'll guarantee the spokesman is not technical. He's just blathering out what sounds good.
And then the Jeffs of the world suddenly are quite happy only a private company is involved, but any other time, only the feds can do it. Very convenient.
Anonymous wrote: jsteele wrote: Anonymous wrote:
Have all those steps been done?
"I asked, "If the data is stored in the cloud, how would providing the server help?" You found that "very telling". Could you please answer the question?" I said IF a cloud or server farm was used, they should also be examined. All we hear about is a server. If you are an SME, then you know there should be a thorough investigation of audit logs, firewalls, intrusion detection and prevention systems, DNS and LDAP services, domain controllers, authentication servers, routers, switches and all the network infrastructure, correct? You keep telling me everything is OK. Well, is it? Please, go ask your spokesman and get back to me, because your "Comey said" isn't working.
Does Crowdstrike have access to the information the FBI does on previous hacks for indicators of compromise, classified intel, etc? How closely are the FBI and Crowdstrike working together?
You are contradicting yourself. You are correct that firewalls, IDSs, and other systems should be investigated. But, those things are separate from the server. The server is completely irrelevant to those things. Giving the server to the FBI would have no impact on those other devices. So, why did you start a thread that focuses only on the server?
I realize that you are making this up as you go along and actually have no idea what you are talking about, but maybe think things through a bit more?
I love your response about the cloud, "I said IF a cloud or server farm was used, they should also be examined." Well, duh. But, you don't need the server to do that. In fact, if all you have is the server, you couldn't do that. Hence, my "very telling" question.
The FBI has confirmed that they have been provided sufficient data. Can you again explain on what basis you question their findings? You appear to consider yourself quite the expert, but are unable to explain why you -- with no access to the data -- are better able to make determinations than those who actually have the data.
I'm not contradicting myself. It's an incomplete investigation and everyone knows it. The DNC is stalling and stonewalling.
"But, those things are separate from the server." No! Really. Do tell.
You confiscate all the infrastructure at the same time for examination. The server and any data in a cloud setup or a server farm should be investigated. Comparisons will have to be made of time stamps and of when maliciousness supposedly took place, and to do that you need all components.
"The FBI has confirmed that they have been provided sufficient data." - The person stating that is giving a political answer.
Furthermore: " Do you dispute the determination that Russia was behind the hack? "
So who was it, since you seem to know so much? The FSB? The GRU? The SVR? Some other organization? You sure it wasn't China using Russian infrastructure? Just spitballing Jeff, but since you know so much, who exactly was it? Are you sure it wasn't an Eastern European crime syndicate?
What are you basing your attribution on?
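The point above that time stamps from the server, the firewall and the other components have to be compared together is, in forensic practice, timeline normalisation: every source logs in its own format and time zone, so nothing can be compared until all records sit on one clock. The Python below is an added example, not code from this thread or from any post in it. It builds one UTC timeline from constructed sample lines of three hypothetical sources (the host names, addresses, year, and the mail server's local time zone are all assumptions) and flags an implausible gap between a firewall connection record and the nearest login, which is what a wrong clock or a wrong time-zone assumption looks like when the components are examined together.

```python
"""Build a unified UTC timeline from logs of several components.

Added example, not from the forum thread. The constructed sample lines below
stand in for a mail server syslog, a firewall log and an IDS alert log. Each
source writes timestamps in its own format and zone, so comparing when events
supposedly took place first requires normalising every record to one clock.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records; hosts, addresses and the year are hypothetical.
MAIL_LOG = [  # syslog style: no year, local time (assumed UTC-4 below)
    "Jun 14 03:12:07 mail01 dovecot: imap-login: user=<alice> rip=198.51.100.7",
    "Jun 14 03:12:41 mail01 dovecot: imap-login: user=<alice> rip=198.51.100.7",
]
FW_LOG = [  # ISO 8601 with explicit offset
    "2016-06-14T07:11:58+00:00 fw01 ALLOW 198.51.100.7:51012 -> 10.0.0.5:993",
]
IDS_LOG = [  # Unix epoch seconds
    "1465888330 ids01 alert sid=1000001 msg='IMAP login burst' src=198.51.100.7",
]

LOG_YEAR = 2016                           # syslog omits the year; assumed from the case
MAIL_TZ = timezone(timedelta(hours=-4))   # assumed local zone of mail01
MAX_SKEW = timedelta(seconds=120)         # gap above which clocks are suspect

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
ISO_RE = re.compile(r"^(\S+) (\S+) (.*)$")
EPOCH_RE = re.compile(r"^(\d{9,10}) (\S+) (.*)$")


def parse_syslog(line, year=LOG_YEAR, tz=MAIL_TZ):
    """Syslog line -> (utc_time, host, message); the year and zone are supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return local.replace(tzinfo=tz).astimezone(timezone.utc), m.group(2), m.group(3)


def parse_iso(line):
    """ISO 8601 line with offset -> (utc_time, host, message)."""
    m = ISO_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)).astimezone(timezone.utc), m.group(2), m.group(3)


def parse_epoch(line):
    """Epoch-seconds line -> (utc_time, host, message)."""
    m = EPOCH_RE.match(line)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc), m.group(2), m.group(3)


def build_timeline(mail_tz=MAIL_TZ):
    """Return (utc_time, host, message) tuples from all sources, sorted by UTC time."""
    sources = (
        (lambda l: parse_syslog(l, tz=mail_tz), MAIL_LOG),
        (parse_iso, FW_LOG),
        (parse_epoch, IDS_LOG),
    )
    events = []
    for parser, lines in sources:
        for line in lines:
            parsed = parser(line)
            if parsed is not None:
                events.append(parsed)
    return sorted(events, key=lambda e: e[0])


def skew_report(timeline, max_skew=MAX_SKEW):
    """Pair each firewall ALLOW with the nearest mail login and flag large gaps.

    Returns (firewall_host, mail_host, gap, suspicious) tuples. A gap of hours
    between the firewall seeing the connection and the mail server logging the
    login means one clock, or one zone assumption, is wrong.
    """
    allows = [e for e in timeline if "ALLOW" in e[2]]
    logins = [e for e in timeline if "imap-login" in e[2]]
    findings = []
    for a in allows:
        if not logins:
            break
        nearest = min(logins, key=lambda l: abs(l[0] - a[0]))
        gap = abs(nearest[0] - a[0])
        findings.append((a[1], nearest[1], gap, gap > max_skew))
    return findings


if __name__ == "__main__":
    for t, host, msg in build_timeline():
        print(t.isoformat(), host, msg)
    print(skew_report(build_timeline()))
    # Same data, but the mail server assumed to log in UTC: the gap balloons.
    print(skew_report(build_timeline(mail_tz=timezone.utc)))
```

With the assumed UTC-4 zone the firewall record lands nine seconds before the first login and the IDS alert between the two logins, so the sources agree; reparsing the mail log as UTC shifts its entries four hours and the report flags the gap, which is the check an examiner runs before trusting any cross-source sequence of events.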
Anonymous wrote: The private security group Crowdstrike said it was all Russia breaching the DNC server. FBI took them at their word. Obama hired a Crowdstrike officer as a part of his staff last summer (Commission on Enhancing National Cybersecurity). Why would the FBI need to see it after Crowdstrike vouched for the Russkies breach? Google Capital invested $100 million into Crowdstrike. Co-Founder and CTO of CrowdStrike Dmitri Alperovitch is a member of the Atlantic Council, which is funded by George Soros' Open Societies Foundation.
Don't see the problem.
Anonymous wrote: jsteele wrote: Anonymous wrote: Sure the RAID can be imaged. Was it? Was the BIOS examined? We're talking Russia here, right (according to you)? They're not a third rate actor. A proper examination should take place and it's not. Furthermore, you're hanging your explanation on the words of a spokesman.
People are not satisfied with the data provided. I do dispute the determination. Show me the technical details.
"If the data is stored in the cloud, how would providing the server help?" - that's a very telling answer for a "SME" to give.
http://www.slate.com/blogs/future_tense/2017/05/09/the_fbi_is_harder_to_trust_on_the_dnc_hack_because_it_relied_on_crowdstrike.html
You are acting like Crowdstrike doesn't know basic forensics. Any professional firm would image both active memory and storage media. That is simply basic forensics. You keep on harping about the fact that Crowdstrike's statement was issued by a spokesperson. I hate to break it to you, but that's who normally issues statements. The same information has been confirmed by the FBI.
I asked, "If the data is stored in the cloud, how would providing the server help?" You found that "very telling". Could you please answer the question?
Given that by your own admission you -- unlike the FBI -- have not seen the technical details, on what basis do you question their findings? Do you rely on telekinetics to conduct your computer forensics?
Have all those steps been done?
"I asked, "If the data is stored in the cloud, how would providing the server help?" You found that "very telling". Could you please answer the question?" I said IF a cloud or server farm was used, they should also be examined. All we hear about is a server. If you are an SME, then you know there should be a thorough investigation of audit logs, firewalls, intrusion detection and prevention systems, DNS and LDAP services, domain controllers, authentication servers, routers, switches and all the network infrastructure, correct? You keep telling me everything is OK. Well, is it? Please, go ask your spokesman and get back to me, because your "Comey said" isn't working.
Does Crowdstrike have access to the information the FBI does on previous hacks for indicators of compromise, classified intel, etc? How closely are the FBI and Crowdstrike working together?
Anonymous wrote: jsteele wrote: Anonymous wrote:
Have all those steps been done?
"I asked, "If the data is stored in the cloud, how would providing the server help?" You found that "very telling". Could you please answer the question?" I said IF a cloud or server farm was used, they should also be examined. All we hear about is a server. If you are an SME, then you know there should be a thorough investigation of audit logs, firewalls, intrusion detection and prevention systems, DNS and LDAP services, domain controllers, authentication servers, routers, switches and all the network infrastructure, correct? You keep telling me everything is OK. Well, is it? Please, go ask your spokesman and get back to me, because your "Comey said" isn't working.
Does Crowdstrike have access to the information the FBI does on previous hacks for indicators of compromise, classified intel, etc? How closely are the FBI and Crowdstrike working together?
You are contradicting yourself. You are correct that firewalls, IDSs, and other systems should be investigated. But, those things are separate from the server. The server is completely irrelevant to those things. Giving the server to the FBI would have no impact on those other devices. So, why did you start a thread that focuses only on the server?
I realize that you are making this up as you go along and actually have no idea what you are talking about, but maybe think things through a bit more?
I love your response about the cloud, "I said IF a cloud or server farm was used, they should also be examined." Well, duh. But, you don't need the server to do that. In fact, if all you have is the server, you couldn't do that. Hence, my "very telling" question.
The FBI has confirmed that they have been provided sufficient data. Can you again explain on what basis you question their findings? You appear to consider yourself quite the expert, but are unable to explain why you -- with no access to the data -- are better able to make determinations than those who actually have the data.
I'm not contradicting myself. It's an incomplete investigation and everyone knows it. The DNC is stalling and stonewalling.
"But, those things are separate from the server." No! Really. Do tell.
You confiscate all the infrastructure at the same time for examination. The server and any data in a cloud setup or a server farm should be investigated. Comparisons will have to be made of time stamps and of when maliciousness supposedly took place, and to do that you need all components.
"The FBI has confirmed that they have been provided sufficient data." - The person stating that is giving a political answer.
Furthermore: " Do you dispute the determination that Russia was behind the hack? "
So who was it, since you seem to know so much? The FSB? The GRU? The SVR? Some other organization? You sure it wasn't China using Russian infrastructure? Just spitballing Jeff, but since you know so much, who exactly was it? Are you sure it wasn't an Eastern European crime syndicate?
What are you basing your attribution on?
Anonymous wrote: Anonymous wrote: To the OP/PP, Jeff is an IT person, I think he is enough of a subject matter expert to comment with authority on the issue.
Jeff is not in the investigation. He is not qualified. He doesn't know what RAID configurations the disks were in, what was captured in memory, what the images consisted of and if they were simply dirwalks. And he's taking the word of an unnamed spokesman who gives no technical details.
It's time to turn over the server for proper analysis and the keys to any information they may have stored in a server farm or cloud.
You wanted an investigation. Now pony up.
Anonymous wrote: To the OP/PP, Jeff is an IT person, I think he is enough of a subject matter expert to comment with authority on the issue.
jsteele wrote: From the article:
The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."
Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.
Anonymous wrote: Wow OP, you got your ass handed to you.
jsteele wrote: Anonymous wrote:
Have all those steps been done?
"I asked, "If the data is stored in the cloud, how would providing the server help?" You found that "very telling". Could you please answer the question?" I said IF a cloud or server farm was used, they should also be examined. All we hear about is a server. If you are an SME, then you know there should be a thorough investigation of audit logs, firewalls, intrusion detection and prevention systems, DNS and LDAP services, domain controllers, authentication servers, routers, switches and all the network infrastructure, correct? You keep telling me everything is OK. Well, is it? Please, go ask your spokesman and get back to me, because your "Comey said" isn't working.
Does Crowdstrike have access to the information the FBI does on previous hacks for indicators of compromise, classified intel, etc? How closely are the FBI and Crowdstrike working together?
You are contradicting yourself. You are correct that firewalls, IDSs, and other systems should be investigated. But, those things are separate from the server. The server is completely irrelevant to those things. Giving the server to the FBI would have no impact on those other devices. So, why did you start a thread that focuses only on the server?
I realize that you are making this up as you go along and actually have no idea what you are talking about, but maybe think things through a bit more?
I love your response about the cloud, "I said IF a cloud or server farm was used, they should also be examined." Well, duh. But, you don't need the server to do that. In fact, if all you have is the server, you couldn't do that. Hence, my "very telling" question.
The FBI has confirmed that they have been provided sufficient data. Can you again explain on what basis you question their findings? You appear to consider yourself quite the expert, but are unable to explain why you -- with no access to the data -- are better able to make determinations than those who actually have the data.