A Bit About Digital Forensics
The forensics to which Ken Bennett was referring with respect to hard drives was the collection of all data from the hard drives in question. That must be done in a way that preserves every bit of information on the drive to ensure the integrity of the data being audited. The copies taken of the drive must be identical to the original, or the audit is not valid and must be performed again. The copy is compared to the original at the completion of the audit as well, to ensure the integrity of the audit. The comparison is done on the hash values of the image and the original drive. Here are the steps that a forensic technician must take.
1) A computer is attached to the drive to be copied, with what is known as a write-blocker attached between the computer and the hard drive. The write-blocker ensures that nothing modifies the source drive. This is critical.
2) A hash is taken of the hard drive. This is a fixed-length alphanumeric (hexadecimal) value computed from every bit on the drive by a cryptographic hash function. It is sometimes described as a fingerprint. Techniques exist to change data and still arrive at the same hash, but they are complex, and with a proper chain of custody there would be no time to apply them, so there really is no concern that this will occur. This fingerprint will guarantee that exact copies are indeed just that. This ensures data INTEGRITY, which is the primary goal of the data collection process.
3) An exact bit-for-bit image of the hard drive is made and placed on the forensic computer.
4) A hash is taken of the hard drive image and placed on the forensic computer.
5) The hashes are compared. If they are not identical, the technician must start over.
6) A copy of the hard drive image and its hash value are encrypted and put in a secure location, preserving chain of custody to maintain the integrity of the data.
7) The same is done to the original drive. Tamper-proof tape is usually applied to all drives, or drive containers, involved.
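A worked example of steps 2 through 5, plus the later re-check that step 6 makes possible, written in Python. It is added here and is not code from the original post or from any audit team; a small constructed file stands in for the drive, the path names are assumptions, and the hardware write-blocker of step 1 is assumed to be in place, because software alone cannot supply it.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # 1 MiB blocks: a whole drive never has to fit in memory

def sha256_of(path):
    """Hash a file (or a block device opened read-only) bit-for-bit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source, image_path):
    """Steps 2-5: hash the source, copy it byte-for-byte, hash the copy, compare.
    Opening the source read-only does not replace the write-blocker of step 1:
    this code cannot stop the OS itself from touching the device."""
    source_hash = sha256_of(source)                       # step 2
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):  # step 3
            dst.write(block)
    image_hash = sha256_of(image_path)                    # step 4, re-read from disk
    verified = source_hash == image_hash                  # step 5
    if verified:  # sidecar records the digest so the image can be re-checked later
        with open(image_path + ".sha256", "w") as f:
            f.write(f"{image_hash}  {os.path.basename(image_path)}\n")
    return {"source_hash": source_hash, "image_hash": image_hash, "verified": verified}

def recheck_image(image_path):
    """Later in the audit: does the image still match its recorded digest?"""
    with open(image_path + ".sha256") as f:
        expected = f.read().split()[0]
    return sha256_of(image_path) == expected

def demo(workdir):
    """Constructed sample: a small random file stands in for the drive, then
    one bit of the image is flipped to show the re-check catching it."""
    src = os.path.join(workdir, "drive.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # odd size exercises a partial last block
    img = os.path.join(workdir, "drive.raw")
    result = image_and_verify(src, img)
    intact = recheck_image(img)
    with open(img, "r+b") as f:  # simulate bit rot or tampering on the stored image
        f.seek(5)
        byte = f.read(1)[0]
        f.seek(5)
        f.write(bytes([byte ^ 0x01]))
    return result["verified"], intact, recheck_image(img)
```

On a real drive the source path would be the block device behind the write-blocker, and the sidecar digest is what gets encrypted and stored with the image in step 6.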
Integrity of the physical media (the paper ballots, etc.)
If any machinery must be taken apart to perform an audit function, it should be returned to the condition it was in when received, where possible. Obviously, hard drives or any digital media will not be returned until every need of the audit findings is satisfied. In some cases, a copy can be returned to enable the equipment to be returned to its owners and continue to be used, but only if the machines hold no forensic value that must be preserved and that returning them would make impossible to preserve. An example might be a memory cache that is nonvolatile but cannot be removed from a device without rendering it unusable.
I hope the reader begins to envision the enormous task that forensic analysis seeks to accomplish. This is, in part, why more time is needed to analyze the collected data after everything has been collected and counted.
This was the struggle of all three of the auditors giving testimony on 7/15. They don't actually have much yet in the way of findings that they can discuss, because the forensic investigation is not done. They were limited in what they could say beyond reciting the numbers, noting the discrepancies and irregularities in the data and paper they had access to so far, and giving layman's definitions of the process, procedures, and methodologies of the work performed and to be performed.
All of the above said, what the auditors did reveal was a tantalizing and damning view of the data and paper counted to date. The counts of duplicates were equally interesting, and disturbing. They hinted at systematic copying and tabulation of ballots. According to one slide, equal numbers of duplicates, in the hundreds, appeared for multiple ballots, suggesting that a set of ballots was copied hundreds of times. It remains to be seen whether the ballot copies were tabulated, but common sense tells us there is no legitimate reason to copy a single ballot 200 times, much less many of them.
There were also many instances of irregularities in the ballots, such as mail-in ballots received after the cutoff, and ballots from voting centers for voters no longer living in that area, which should not be allowed. There were a couple more that I do not recall now, but the numbers of these irregularities were not trivial; they were outcome-altering numbers.
Be patient, everyone. All of this is very encouraging, but it takes time to get it right. Something the AZ IT folks obviously did not do.