Anonymous wrote:
"Moreover, firewalls and IDS and most security devices would be useless to investigate in themselves." No. How are you going to get the running configurations of the firewall and IDS from an audit log stored on another device? No. It doesn't dump it's configuration to an audit log. That would be an OPSEC problem right there.

I'm going to take the time to expose your cluelessness line by line. The current configuration of firewalls and IDSs is of no concern. What matters is the configuration at the time of the intrusion. Even those configurations are not actually that important since they can be deduced from the traffic logs. At any rate, normal procedure is to keep backups of configurations. Among other things, that helps when you need to roll back to an earlier configuration. Again, having the physical device is of no help and seizing such devices and removing them from the DNC's network would be very problematic, probably causing the network to cease functioning.

Anonymous wrote:
"Seizing a firewall would provide no benefit. " No. How do you know if the firewall was properly configured? ALLOW ALL ANY <---> ANY will invalidate just about any valid configuration of the best firewall. So will screwing around with the firmware of a firewall.
.

That can be easily determined from the traffic log. Have you actually ever administered a firewall?

Anonymous wrote:
"What is actually important are the log files which are not stored on the devices themselves." I want to see the routers themselves to see running configurations. Furthermore, how the hell do I know that logging is properly implemented on appliances around the DNC IT shop?

The running config can be provided without having to provide the physical device. If logging was not properly implemented, that will be revealed by the logs themselves. Similar to my question above, have you ever administered a firewall?

Anonymous wrote:
Jeff, you have pretty much given away the fact that you don't have a clue about what you are talking anout and have never conducted an actual investigation into a network intrusion (or least not a credible one).

Wrong. I worked as a network security engineer in a government facility for several years during which time I conducted multiple investigations of network intrusions (even one originating from Russia). I have years of experience administering routers, firewalls, IDSs, and other network security devices. I had a CISSP certification, though I haven't bothered to renew it since becoming self-employed.

I freely admit that I trust Comey more than I trust people who are obsessed with the FBI getting access to the DNC's server. Anyone fixated on the server has no clue how to conduct an investigation of this sort. Hence, nothing of a technical nature that such people have to say is of any value in this discussion.

+1000

jsteele wrote:

Anonymous wrote:

jsteele wrote:

Anonymous wrote:

jsteele wrote:From the article:

The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."

Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.

Not quite. If their email server was a VM of they orivided snapshot images of the disks - which a lot of storage providers have as a feature,you can run an investigation on the snapshots of the disks.

It's a common feature to snapshot disk LUNs, virtual machines or datastores. If those snapshots exist they can be provided. ZFS is a filesystem with one such feature.

What is your point? What are you actually saying that is different from the point I made? Yes, there are various ways to provide disk images. Disk images were provided. End of story.

All of them? All the backups? All snapshots of the MS Exchange datastore? All OS snapshots? All network equipment and firewall logs?

Ask the FBI. The point is, giving the FBI the server would not provide that data. The OP -- and apparently you -- want the server to be given to the FBI. But, giving them the server would have practically no impact. How would having access to the server impact the provision of backups, snapshots, or firewall logs? It wouldn't. Focusing on the server is just a distraction.

Wait? Ask the FBI? I kinda like your capitulation. Subtle, but I got it and I think you got it.

jsteele wrote:

Anonymous wrote:The private security group Crowdstrike said it was all Russia breaching the DNC server. FBI took them at their word. Obama hired a Crowdstrike officer as a part of his staff last summer (Commission on Enhancing National Cybersecurity). Why would the FBI need to see it after Crowdstrike vouched for the Russkies breach? Google Capital invested $100 million into Crowdstrike. Co-Founder and CTO of CrowdStrike Dmitri Alperovitch is a member of the Atlantic Council, which is funded by George Soros' Open Societies Foundation.

Don't see the problem.

No, the FBI did not simply take Crowdstrike at its word. The FBI used the images and reports provided by Crowdstrike to conduct its own investigation. The FBI reported its own conclusions, not Crowdstrike's.

What images???????????????

Give the technical details of how they were procured. Live, snapshot, native OS, VM, cloud, DIRWALK?

The "Forensic Image" term is wide open.

Anonymous wrote:Yes. When you're working on nation-state stuff, all bets are off. You have to be extremely thorough. Jeff believes that since Comey made a statement, everything is fine. A little naive, but whatever.

I freely admit that I trust Comey more than I trust people who are obsessed with the FBI getting access to the DNC's server. Anyone fixated on the server has no clue how to conduct an investigation of this sort. Hence, nothing of a technical nature that such people have to say is of any value in this discussion.

jsteele wrote:

You are completely contradicting yourself. You started a thread about the FBI being denied access to the DNC's server. When I explained that was not really a big deal, you went off in another direction about the need to investigate other devices, all of which are separate from the server.

I can't believe that you actually wrote this:

"You confiscate all the infrastructure at the same time for examination."

So, you wan the FBI to seize an email server, potentially one or more file servers, potentially an entire cloud service, a firewall, router, any number of switches, an IDS, and who knows what else? That would shut the DNC down. Is that your actual goal? Moreover, firewalls and IDS and most security devices would be useless to investigate in themselves. What is actually important are the log files which are not stored on the devices themselves. Seizing a firewall would provide no benefit.

You have pretty much given away the fact that you don't have a clue about what you are talking and have never conducted an actual investigation into a network intrussion (or least not a credible one).

If it involves a nation-state as you assert, you have to be extremely thorough.

"Moreover, firewalls and IDS and most security devices would be useless to investigate in themselves." No. How are you going to get the running configurations of the firewall and IDS from an audit log stored on another device? No. It doesn't dump it's configuration to an audit log. That would be an OPSEC problem right there.

"Seizing a firewall would provide no benefit. " No. How do you know if the firewall was properly configured? ALLOW ALL ANY <---> ANY will invalidate just about any valid configuration of the best firewall. So will screwing around with the firmware of a firewall.

"What is actually important are the log files which are not stored on the devices themselves." I want to see the routers themselves to see running configurations. Furthermore, how the hell do I know that logging is properly implemented on appliances around the DNC IT shop?


Jeff, you have pretty much given away the fact that you don't have a clue about what you are talking anout and have never conducted an actual investigation into a network intrusion (or least not a credible one).

Obama certainly knew about the Russia involvement and couldn't care less. Now that you liberals lost the election, it's a big deal.

Yes, Obama screwed up .. he was confident that Hillary would win and did not push for an investigation hard enough.

However, my premise is that whether you are a Republican or Democrat you should be mad that someone meddled with our election regardless of the outcome. Your excuse that America meddled with others election and so we deserve the comeuppance is pathetic and not your true answer. You are just a partisan hack admit it and move on..

Anonymous wrote:

jsteele wrote:

Anonymous wrote:

jsteele wrote:From the article:

The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."

Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.

Not quite. If their email server was a VM of they orivided snapshot images of the disks - which a lot of storage providers have as a feature,you can run an investigation on the snapshots of the disks.

It's a common feature to snapshot disk LUNs, virtual machines or datastores. If those snapshots exist they can be provided. ZFS is a filesystem with one such feature.

What is your point? What are you actually saying that is different from the point I made? Yes, there are various ways to provide disk images. Disk images were provided. End of story.

All of them? All the backups? All snapshots of the MS Exchange datastore? All OS snapshots? All network equipment and firewall logs?

Ask the FBI. The point is, giving the FBI the server would not provide that data. The OP -- and apparently you -- want the server to be given to the FBI. But, giving them the server would have practically no impact. How would having access to the server impact the provision of backups, snapshots, or firewall logs? It wouldn't. Focusing on the server is just a distraction.

jsteele wrote:

Anonymous wrote:

jsteele wrote:From the article:

The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."

Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.

Not quite. If their email server was a VM of they orivided snapshot images of the disks - which a lot of storage providers have as a feature,you can run an investigation on the snapshots of the disks.

It's a common feature to snapshot disk LUNs, virtual machines or datastores. If those snapshots exist they can be provided. ZFS is a filesystem with one such feature.

What is your point? What are you actually saying that is different from the point I made? Yes, there are various ways to provide disk images. Disk images were provided. End of story.

All of them? All the backups? All snapshots of the MS Exchange datastore? All OS snapshots? All network equipment and firewall logs?

Anonymous wrote:The private security group Crowdstrike said it was all Russia breaching the DNC server. FBI took them at their word. Obama hired a Crowdstrike officer as a part of his staff last summer (Commission on Enhancing National Cybersecurity). Why would the FBI need to see it after Crowdstrike vouched for the Russkies breach? Google Capital invested $100 million into Crowdstrike. Co-Founder and CTO of CrowdStrike Dmitri Alperovitch is a member of the Atlantic Council, which is funded by George Soros' Open Societies Foundation.

Don't see the problem.

No, the FBI did not simply take Crowdstrike at its word. The FBI used the images and reports provided by Crowdstrike to conduct its own investigation. The FBI reported its own conclusions, not Crowdstrike's.

Anonymous wrote:

I worked in a secure and. In secure environment and when classified or even unclassified data meant for certain people to see was inadvertently disclosed it was common for us to shit off service to sanitize. You're correct, investigating the infrastructure to include any back-end storage and cloud based storage and backups is crucial.

I specifically remember one place I worked that was compromised by China, they got in through phishing schemes. We worked with a reputable forensic team from a good firm and we narrowed it down to the exact building and GPS coordinates from where the attack came from. You can do that.

As noted by the PP, there can be more investigation

Yes. When you're working on nation-state stuff, all bets are off. You have to be extremely thorough. Jeff believes that since Comey made a statement, everything is fine. A little naive, but whatever.

Anonymous wrote:

jsteele wrote:From the article:

The cooperation included the "providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis."

Since the FBI has the images, they effectively have the server. This entire discussion is a red herring and an attempt at distraction.

Not quite. If their email server was a VM of they orivided snapshot images of the disks - which a lot of storage providers have as a feature,you can run an investigation on the snapshots of the disks.

It's a common feature to snapshot disk LUNs, virtual machines or datastores. If those snapshots exist they can be provided. ZFS is a filesystem with one such feature.

What is your point? What are you actually saying that is different from the point I made? Yes, there are various ways to provide disk images. Disk images were provided. End of story.

Anonymous wrote:

'm not contradicting myself. It's an incomplete investigation and everyone knows it. The DNC is stalling and stonewalling.

DNC is stonewalling with what ?? what do you know that all the American Intelligence agencies dont know? You probably watch too much fox news and you think this is a grand conspiracy of the "Deep State" and you are on this forum hoping that people will dignify your paranoia.


All American Intelligence agencies have reported that Russia hacked and tried to meddle with our elections, that is concerning enough to me as an American.
Wearing an American flag underwear for July 4th does not make your patriotic America putting country above party makes you a true American. You should be following the investigation and extending your full support to that no matter where it leads and no, the investigative committee has not said that DNC is stonewalling them. You got this information from some right wing conspiracy website and you are peddling your nonsense here.

Countries, including ours, have attempted to influence the elections of other countries for decades. Obama certainly knew about the Russia involvement and couldn't care less. Now that you liberals lost the election, it's a big deal.

Anonymous wrote:I'm not contradicting myself. It's an incomplete investigation and everyone knows it. The DNC is stalling and stonewalling.

"But, those things are separate from the server." No! Really. Do tell.

You confiscate all the infrastructure at the same time for examination. The server and any data in a cloud setup or a server farm should be investigated. Comparisons will have to be made for time stamps, when maliciousness supposedly took place and to do that, you need all components.

"The FBI has confirmed that they have been provided sufficient data." - The person stating that is giving a political answer.



Furthermore: " Do you dispute the determination that Russia was behind the hack? "

So who was it, since you seem to know so much? The FSB? The GRU? The SVR? Some other organization? You sure it wasn't China using Russian infrastructure. Just spitballing Jeff, but since you know so much, who exactly was it? Are you sure it wasn't an eastern european crime syndicate?

What are you basing your attribution on?

You are completely contradicting yourself. You started a thread about the FBI being denied access to the DNC's server. When I explained that was not really a big deal, you went off in another direction about the need to investigate other devices, all of which are separate from the server.

I can't believe that you actually wrote this:

"You confiscate all the infrastructure at the same time for examination."

So, you wan the FBI to seize an email server, potentially one or more file servers, potentially an entire cloud service, a firewall, router, any number of switches, an IDS, and who knows what else? That would shut the DNC down. Is that your actual goal? Moreover, firewalls and IDS and most security devices would be useless to investigate in themselves. What is actually important are the log files which are not stored on the devices themselves. Seizing a firewall would provide no benefit.

You have pretty much given away the fact that you don't have a clue about what you are talking and have never conducted an actual investigation into a network intrussion (or least not a credible one).

'm not contradicting myself. It's an incomplete investigation and everyone knows it. The DNC is stalling and stonewalling.

DNC is stonewalling with what ?? what do you know that all the American Intelligence agencies dont know? You probably watch too much fox news and you think this is a grand conspiracy of the "Deep State" and you are on this forum hoping that people will dignify your paranoia.


All American Intelligence agencies have reported that Russia hacked and tried to meddle with our elections, that is concerning enough to me as an American.
Wearing an American flag underwear for July 4th does not make your patriotic America putting country above party makes you a true American. You should be following the investigation and extending your full support to that no matter where it leads and no, the investigative committee has not said that DNC is stonewalling them. You got this information from some right wing conspiracy website and you are peddling your nonsense here.