CyTech CyFir #2 (Anonymous Remote Logons On Key Dates) (060821)
CyTech CyFir #2 (Anonymous Remote Logons On Key Dates) (060821)
CyTech CyFir #2 (Anonymous Remote Logons On Key Dates) (060821)
WILLIAM BAILEY
v.
Defendant,
Intervenor-Defendant,
I, Ben Cotton, being duly sworn, hereby depose and state as follows:
1) I am over the age of 18, and I understand and believe in the obligations of an oath.
I make this affidavit of my own free will and based on first-hand information and my own
personal observations.
Professional (MCP), Network+, and Certified CyFIR Forensics and Incident Response
Examiner.
forensics and incident response. This experience includes thirteen (13) years of experience
teaching students on the Guidance Software (now OpenText) EnCase Investigator and EnCase
Enterprise software.
6) I have testified as an expert witness in state and federal courts and before the
8) In connection with this legal action I have had the opportunity to examine the
following devices:
2
b) Thirty-eight (38) forensic images of the compact flash cards used in
Antrim County during the November 2020 elections that were imaged on 4 December
d) Two (2) thumb drives that were configured for a precinct using the ES&S
DS400 tabulator that were used during the November 2020 election.
e) One ES&S server that was used in the November 2020 election.
9) Internet Communications with the Dominion ICX. I examined the forensic image of a
Dominion ICX system utilized in the November 2020 election and discovered evidence of
was the presence of the IP address 120.125.201.101 in the unallocated space of the 10th partition
of the device. This IP address resolves back to the Ministry of Education Computer Center, 12F,
proximity to data that would indicate that it was part of the socket configuration and stream of an
TCP/IP communication session. Located at physical sector 958273, cluster 106264, sector offset
256, file offset 54407424 of the storage drive, the unallocated nature of the artifact precludes the
exact definition of the date and time that this data was created. Also located in close proximity
to the Ministry of Education IP address is the IP address 62.146.7.79. This IP address resolves to
3
Figure 1-IP Addresses Located in Unallocated Space
Further examination of the ICX clearly indicates that this system is also actively configured to
10.114.192.12 and 10.114.192.25. Also apparent is that at one time this system was configured
to have the IP address 192.168.1.50. This IP address is also a private IP range. These IP
configurations and artifacts definitively identify two things, 1) the device has been actively used
for network communications and 2) that this device has communicated to public IP addresses not
located in the United States. Further analysis and additional devices would be required to
10) ESS DS400 Communications. A careful examination of the ESS DS400 devices and
thumb drives was conducted. This examination proved that each DS400 had a Verizon cellular
wireless communications card installed and that the card was active on powerup, which meant
that there is the ability to connect to the public internet on these devices as well. Both of the
DS400 devices were configured to transmit election results to IP address 10.48.51.1. This is a
private network, which means that it would only be accessible by the remote DS400 systems
through leveraging the public internet and establishing a link to a communications gateway using
a public IP or via a virtual private network (VPN). It is important to understand that this
4
communication can only occur if the cellular modems have access to the public internet. I did
not have the entire communications infrastructure for the private network and given this lack of
device production associated with the DS200, I cannot say which other devices may have
connected to this private network nor the full extent of the communications of nor the remote
11) Contrary to published guidelines and best practices for computer security, a single
ICCUSER02, and emsepsuser. These passwords were never changed from the time that they
were created. There were two local administrative accounts that did not have a password. The
security impacts of shared passwords and no passwords on computer security is well documented
and dramatically increases the risk of unauthorized access. It is inconceivable that a system
would have shared passwords or null passwords and still meet accreditation standards.
12) Contrary to published guidelines and best practices for sensitive systems, the hard disks
on the Antrim EMS were not encrypted. This failure to follow best practices increases the
vulnerability of the voter data and facilitates the easy of access to sensitive data for unauthorized
13) Microsoft SQL Authentication was Set to Authenticate to Windows User Mode.
This is a significant breach of sound practice for accessing the Microsoft SQL server. Simply
put if an unauthorized user gains access to the system, that unauthorized user would have
complete access to the Microsoft SQL server at the level of the compromised user. Given that
the administrative accounts for the Antrim EMS server either used a shared password or did not
have a password, full access to the SQL server would have resulted, exposing the contents of the
5
14) Out of Date Security Updates and Virus Definitions. An analysis of the operating
system and antivirus settings on the servers and computers provided to me was conducted. It
was immediately apparent that these systems were extremely vulnerable to unauthorized remote
access and manipulation. For example, none of the operating systems had been patched nor the
antivirus definition files updated for years. The Antrim EMS operating system was last updated
on 04/10/2019. Furthermore when the operating system was updated on 4/10/2019 the user did
not apply the most recent patches, instead used a the 10.9.1 patch which was already 15 patches
behind at that point in time. It is important to understand that these patches are critical to fixing
vulnerabilities and protecting the system from unauthorized access. The fact that the operating
system was not fully patched increases the dependency on the endpoint antivirus to protect the
system. In this case however, the antivirus definitions were even more outdated than the
operating system. The Antrim EMS was leveraging Windows Defender as the antivirus. The
Windows Defender antivirus definition files were last updated on 7/16/2016. Given that this
date matches the operating system installation date, the Windows Defender antivirus definitions
had NEVER been updated after the system was installed. The other systems were in a similar
state. This lack of security updating and basic cyber security practices has left these systems in
an extremely vulnerable state to remote manipulation and hacking. Since 2016 more than ninety
seven (97) critical updates have been issued for the Windows 10 operating system to prevent
unauthorized access and hacking and weekly updates have been issued for the Windows
Defender antivirus program. The fact that these systems are in such a state of vulnerability,
coupled with the obvious public and private internet access, calls the integrity of the voting
systems into question and should have negated the system accreditation.
6
15) The Antrim EMS Server was Remotely Logged Into by Anonymous Logon. The
Antrim EMS failed to maintain windows security event logs before 4 November 2020.
Consequently a full user logon activity analysis was not possible to perform. However, within
the logs that were present on the system there were at least two successful logins to the EMS
server by an Anonymous user. The first occurred on 11/5/2020 at 5:55:56 PM and the second
occurred on 11/17/2020 at 5:16:49 PM EST. Both of these logons appeared to have escalated
privileges at the time of logon. Given that this computer was supposed to be on a private
network, this is very alarming. One would expect that any network logon, if authorized by the
accreditation authority, would require specific usernames and passwords to be utilized, not
anonymous users. Given the vulnerable state of the operating system and antivirus protections,
this apparent unauthorized access is particularly alarming and certainly would not have been
16) Opposing Counsel’s Expert Validates the Weak Security Findings. The Halderman
report dated March 26, 2021 relating to this matter validates these findings. It also validates that
the system is in a state such that an unauthorized user can easily bypass the passwords for the
system and database to achieve unfettered access to the voting system in a matter of minutes.
These manipulations and password bypass methodologies can be performed remotely if the
unauthorized user gains access to the system through the private network or the public internet.
17) Incomplete Compliance with the Subpoena for Digital Discovery. Antrim County has
apparently failed to produce all of the voting equipment for digital preservation and analysis. I
examined the purchase documents produced by Antrim County with respect to the purchase of
the Dominion Voting system and note that the following system components listed on the
7
(a) ImageCast Listener Express Server
Without these additional items and system components it will be impossible to determine the
extent of public/private communications and the extent to which the proven anonymous remote
access to the voting system components may have impacted the Antrim EMS databases and
election results.
SIGNED UNDER THE PAINS AND PENALTIES OF PERJURY THIS 8th DAY OF
June 2021.
_________________________
Benjamin R. Cotton