
Oh, hi, good morning. Well, so everyone can hear me. Like she said, I'm Will Baggett, and I'm here to discuss... this is the first time actually speaking live in a while, so here we go. First, before we get too deep into this: is anyone working digital forensics? Show of hands. One? Okay, we'll keep it introductory level then.

I used to work for the government. I did human collection and cyber collection. I'm director of digital forensics and advanced technology use for Operation Safe Escape. We provide domestic abuse victims a means to sever digital ties with their abusers. Sometimes it can be as simple as turning a switch on the iPhone where you're sharing your iMessages or your location, or turning Siri off on your iPhone. I really like this topic and I can go pretty deep into it, but it's just showing how simple it is to turn things off so you're not stalked and hacked. We do a lot of forensic work with that.

I'm a cyber threat intelligence manager at a very well-known place. If I mentioned who it was I'd have to get corporate concurrence, legal and all that, and it'd take several years, so we're not going to mention it. One bit of corporate advice: if you do work digital forensics, it's necessary for your mental health to rotate out and do something different, because of what you see, whether it's fraud, theft, crime, murder, abuse, terrorism. It's not healthy to see that every day. So right now I'm doing cyber threat intelligence.

There is an American sports coach, Nick Saban, and he says he won't discuss politics because half of his fan base is going to disagree with him, so he stays very neutral. When it comes to discussing U.S. voting laws, elections and voting machines, I'm taking the very same approach here, because you need an impartial observer. Down here I realize football is football, not soccer as we call it back in the U.S. We can all probably spend an hour, two hours, three hours, a day, two days discussing how a blown call by a biased referee cost our team a spot in the playoffs, whether it's NCAA football, whether it's the World Cup, whether it's hockey. We've all seen that. So we've got to be accurate. In digital forensics, when we're examining voting machines, we also want to be impartial: report what we see, report what we don't see.

And the reason why: we didn't know this. We're working at DEF CON, and when they say Voting Village, it's not, you know, a collection of houses and roads, they're not throwing flowers out there, there's not chickens. It's a freaking conference room in a hotel suite. So you've got a suite of random machines that have been purchased. People come in, they look at them, they start doing forensics. Anyway, the conference report: 2.5 billion people read the forensic write-up and analysis of what we did after 2019. There was a lot of discussion, but there wasn't discussion that we handled it improperly. That's a bit of a point of pride, and this hits home: we thought that one cyber resilience ticket for an incident of one possible intrusion by Qakbot or a ransomware gang got 87 views on the corporate blog and the manager is happy. 2.5 billion people read this and didn't find fault, so that's not bad. We need to have impartiality.

So, enough of the legalese. Did I skip a step here? I believe I did. I just killed it. There we go, more legalese, sorry. So these voting machines: we go through a process where Harri Hursti, he's from Norway, he's working with the US government and also working for voting integrity groups, he'll buy the machines on secondary markets, government auctions in the U.S., he'll buy them from eBay. There's one that he purchased, and I want to talk later on about the voting machine prototype from China, which seems absolutely bizarre, but there is a presidential candidate's family who wanted to help get more accurate voting results, so they put their name on the voting machine. Harri actually managed to get the device, and we've looked at that at DEF CON. That's what the bulk of this talk is about. None of the devices are procured illicitly. If we did find something that was improper and wanted to go forth with it, but the device had been stolen or mislaid, there's a legal term, 'fruit of the poison tree', and we couldn't do anything with it.

Now, theoretically speaking, say you find the voting machines in use at DEF CON at the loading dock and you decide to prove that your candidate was robbed of the election and you steal the voting machine, in Vegas, where you've got security cameras every few feet tracking your steps from the front door to the loading dock carrying this box out, and then a few minutes later you show up on the news going 'oh, I found proof that this election was stolen'. There's all the facial recognition. You've not proven your case that it was fraudulent; you've actually just committed a felony. Now you're going to jail. The FBI is not interested in you for being the national hero; you've just committed a pretty stupid crime. Not that that happened. That didn't happen in 2022 in August. Didn't happen at all. Theoretically speaking. So everything we've done is above board. The machines, you can actually buy them on eBay if you want to, but why would you want to? I'll touch on that in a second. These things are, let's say, old. We'll see.

So, 2017: I left the government, I'm doing independent consulting, I'm in Las Vegas for a digital recovery e-discovery case. I have my full toolkit with me. It's a BlackLight digital forensics kit for iOS, iPhone, and it can do some Windows. I have Magnet Axiom. I have probably about fifteen, twenty thousand dollars of gear on me. You don't leave it in your hotel room. Even here at the conference I've got my presentation laptop here because it's my freaking laptop and I don't want to lose it. Same thing in Vegas, where crime is rampant, so I keep it with me. I was walking past the room, I saw, okay, here's these voting machines, I've got my kit. Of course it's always the last day of the conference. I walked up to Harri and said I have this equipment. Not many other people at Vegas DEF CON had it, out of thirty thousand attendees. He had a machine that hadn't been touched by other people, which is key for the forensic process, and I sat down and started examining it.

Things got really familiar. The machine he gave me, it was about, I want to say, 128 meg of a hard drive. It had been put in service in 2000, 2001. It's running unpatched Windows XP. The voting software itself was a 1997 Microsoft Access database. The hard drive is unencrypted, USB ports, no security on those whatsoever. So this is in 2017: this machine could drive, it could be in high school, be a senior. This is an old machine that's never been touched. That's good and that's bad. It's never been connected to the internet, it's only been used for one purpose. Is that unsecure? I don't know. I start looking, and the first thing I did was go to the logs. So, ah, they tell me this machine's never connected to the internet, but there's an FTP log. You can see there, the WS_FTP log. So I pull strings and I can see that the files have been sent: the Access database files have been transmitted to FTP infocom.com. That's interesting for a machine that never connects to the internet. Where are these files going?

So, like a bad episode of American reality TV, I phoned a friend. He's no longer there now, but he worked at CNN as a researcher. We looked up Infocom. Hotel bandwidth there is terrible, because they don't want you on your phones in Vegas; they want you downstairs playing slot machines. They want you gambling, they want you drinking and partying, spending money, not just sitting in your room scrolling on TikTok or whatever, so cell service is terrible. My friend sends me this back: Infocom is a company based out of Canada, here's their IP address, here's all about them, but they don't mention they have anything to do with the voting system. This is pretty interesting. I get Harri, the manager, the leader of the Voting Village, the room supervisor, and this ends up going in the Congressional report on the conference. It ends up going in the New York Post. So there I am, going from working with an entertainment company (they didn't pay me, I'm not bitter about that) to being interviewed by the New York Post for digital forensics. I wasn't expecting that.

So the next year we realized, okay, this got a lot of attention, this could go badly if we don't do this right. We actually put a process in. I don't like process, even though I've had a career in government; I don't like process all that much, I'm really more of a not-a-government-employee. So we worked out a workflow. Terrible grammar, I'm sorry. We examined the machines before the general public came in. They brought in scribes to document this, Georgetown Law undergraduate students looking to work in the government policy space. We had very formal handling procedures on the machines. I'll show you why in a minute. Now, you've seen this part of it on the news. The other part, what we did with the Infocom log, that wasn't on the news. Our process is just like any other digital forensic process: collection, examination, analysis and reporting, and from that we pivot back to see, here's what we found, what did we miss on the other machines. Carsten Schürmann, and I'm name-dropping to give him recognition, a university professor from Copenhagen, was here. He found that on the raw base image of the WinVote machines there is an MP3 from China, where the voting machines were manufactured. He recovered the MP3 on that Chinese machine. We didn't find it anywhere else in the other machines but one, but we now had to pivot to say, okay, this is an anomaly, has it been replicated? The machines were from dozens of states; that wasn't just one machine out of one precinct. And you know the principle: the perpetrator will bring something into a crime scene and leave with something from it, generally.

So there was, and I feel part of this but I feel ridiculous saying it, there was a conspiracy going around that there was a satellite controlled by the Italians that had read/write access to voting machines and that's how they were changing votes. Y'all, there is no chip in a Windows XP machine from 2000 that has satellite comms with the Italians. That's just not even freaking possible, but people get spun up and believe this. So you would actually see where the software was installed, you'd see the physical chip; the conspiracy theories fall apart. It's an old Windows machine. So if someone comes in to upload software, you're going to have the date/time stamp of when the USB drive was inserted, you're going to have the virus, or the software, malware, spyware, ransomware, whatever you want to call it, you're going to see where that's applied. That's not there. Even on Apple iOS, every file in the file tree is numbered, so you can see if file number here, here, this one's missing. Well, what's missing? Your software. You can undelete files, or you can find out if this file was missing.

First pillar of forensic processing: you don't change the evidence. To be blunt, the whole justice system falls apart if the law enforcement agency can change the evidence to make it read what they need for their case. Also, going back, you don't upload pictures of Rick Astley and the Rickroll video and claim that was on there. That's easy to show, so people would do that. If you have to examine this device you have to be competent, either through experience or through training, whether it's through a SANS training course, whether it's through a vendor training course, corporate training. There has to be some modicum of training on this, and you have to stay current. Before the pandemic we called it dead-box forensics: you would get a USB drive in the mail, you would get a hard drive in the mail, or, I missed that, you'd fly out to go image the device on site to see what all the hardware and software issues were and fly back to your lab to go look at the evidence. Now, with modern software, you can actually have endpoint tools, whether it's CrowdStrike or Druva, remotely access the machine, pull the registry and look to see what's changed. But you have to know what you're doing and be trained well with this, otherwise it's just code. There needs to be an audit trail of what happened. So when you image this device, I validate the hash, everything is copacetic. You need to be able to say, if you're on the prosecution team, the defense should be able to replicate the evidence you have there to prove that, yes, this came down.

A good example, going back to Operation Safe Escape, is whether it's Google Takeout or whether it's Apple's data download, where you have all your iMessages or all your Google data. Literally, Google Takeout keeps everything. As much as I hate that from a libertarian privacy point of view, that's fantastic, because it shows, you know, my client received these harassing text messages from this number, and that can be downloaded from Google. That's an authoritative source, as opposed to 'yeah, here's a printout of a screenshot' that can easily be Photoshopped and manipulated. That's a big thing on Twitter, to have funny exchanges, or Reddit's antiwork, or 'you know, my boss...': of all the things that never happened, this never happened the most. But pulling the chat logs down from Apple, Google and having the opposition look at it, or the work we're doing at the Voting Village to see where everything matches up: it's authentic. That's the goal we need.

Lastly, the person in charge of the investigation, whether it's Harri Hursti overseeing the entire Voting Village or whether it was me running the forensic effort, we have a responsibility to make sure that, okay, this device we're going to image has just been returned by this group of attendees who were examining it; well, that's not following proper handling procedures. They can have it, they can look at it, but what we need it for is no longer valid. Because we would arrive at DEF CON early, before the crowds enter the Voting Village. We would image the device: I would image it, make a copy; another person would image it, make a copy; we would validate the hash codes to make sure that these are accurate. The hash codes, y'all familiar with hash codes? Yes, no, maybe, I don't know. It's a digital signature of the file, and it's fairly impossible, on higher-level hashes, to have identical ones. It's like having identical grains of sand from the beach, it's just not going to happen. As long as these are identical, the copy I'm working with, you're working with and you're working with are all the same; results should be similar. We only work on copies of the backup, so if we did find something that was truly damning, the originals are off to the side, another backup is here, and we work on the third and fourth versions of the copies, just in case, because you never know what you're going to find.

So the processing, again, this is vendor agnostic, because as the military says, two is one, one is none. I've had cases where I'd image the hard drive or the phone with BlackLight and then image it with Axiom and then Paraben and then run a $79 tool, just on a lark, from the Apple store, and find recovered text messages that the big programs couldn't recover. So unless you've given it a better picture, you don't know what evidence you're missing if you're only using one tool. The better vendors will tell you: validate our results with another tool. Large corporations would say, we have one tool, that's all we're paying for. That's the one you don't want to work for, because if you can't validate the accuracy of your work, you don't need to sign that document, legally, to say I put my name, my reputation on the line saying this is accurate, if I can't validate it.

We would do three things. We'd write to a DMG file on a Mac. If this was me teaching cyber issues to NATO's special forces, we would stop here and actually go through the steps on how to create a DMG file on a Mac, a virtual hard drive in Windows, and of course copying to external media, though I think that's probably going away now; it seems like external media is vanishing. But we would do this. That way we can copy the containers to the media and then have it shared easily, whether you're in a war zone sharing the files or just sharing at DEF CON. It's a good standard practice. Everything is made in a read-only format. We use these tools: Autopsy, BlackLight and Magnet Axiom for data analysis. We'd use BlackLight and FTK Imager for acquisition, to acquire the files, to image it, and RegRipper to go through the registry to see the last files opened, what's been loaded that we're unaware of. And Disk Drill was a fairly inexpensive program; it does file undeletion. It's recovered better data than a lot of the five-figure programs. So here you can see we're actually using BlackLight before they were purchased by Cellebrite and they went from 700 a year for a license to thirty thousand dollars. It's not worth it. I don't think y'all are watching, but it's not worth it.

So we would copy it, and this is why we had the hard standards and controls. This is what you see on the news, CNN, Fox News, CNBC, BBC, whatever: 'oh wow, they hacked it'. No, you didn't freaking hack it. You copied Rick Astley from your thumb drive and put it on a machine. That's not hacking, that's Ctrl-C, that's Ctrl-V. That's more... I shouldn't say that either. That's why we have standards and controls. After we image it, this is what Disk Drill looks like. It shows all the deleted files. We look and see if there's anything unique in there. One of the common things now, from nist.gov, is they have hash files you can go through: they've collected all the common files for the operating systems and the hash values, so you can remove the known-good files and only look at the anomalies. And this is also why we have to do it properly. This is the end result: they didn't look at how the sausage is being made, they didn't look at the forensic evidence, they didn't look at the proper handling. We see there's all the glorious computer science we were doing; they went for the meme, which, okay, whatever. A friend sent me a screenshot that we actually made the last DEF CON before COVID hit.

We actually ended up there. This is why we have hard rules. Going through this a little bit, you can see we actually have to crack the hard drive apart. These are not machines, as I mentioned earlier, theoretically, that you can take and walk through a casino with; you're not smuggling this in your backpack. That's a huge machine. Also, imaging takes a while, so I think two iced coffees and a Mountain Dew with extra caffeine to try to stay awake through the process. This looks like it came out of the set of The Mandalorian, or 1977 Star Wars, on a sandcrawler, buddies. This is still in use in Iowa, by the way. It has a 10 horsepower motor to pull the paper. Why you need that much horsepower to pull sheets of paper, I don't know, but that's what they've got. You have a waterproof port for dhcd programming; why, I don't know. The entire hard drive, the operating system, is written in a variant of a BlackBerry operating system, all clear text. So again, once you actually found the adapter to go from Zip disk to something you could actually read, it wasn't too bad, but finding these esoteric parts, you feel like you're going back in time. Most of them rely on CompactFlash cards. The WinVote machines you've heard about a lot on the news, the data is written here. So this is it. This is what people say has been hacked: it's a flash card. When's the last time... are any of y'all still using CompactFlash cards? No. And beyond CompactFlash cards, there were just flash cards, which are different. If you put a CompactFlash card in a flash card reader you're going to destroy the reader. Source: trust me. There used to be a large electronics store in Vegas, Fry's, before Amazon killed it. We'd have a shuttle going from DEF CON to Fry's to pick up the parts we needed for these ancient machines. So this is another Windows XP/NT system running on a CompactFlash card that we would image, put in yo