From 2015 through 2016, during the run-up to the presidential election, certain cloud servers used by the Democratic National Committee (DNC) were attacked and infiltrated by advanced persistent threat (APT) actors from Russia. This resulted in the release of thousands of DNC e-mails and what now is called “Pizzagate”—the unfounded allegation that Democrats were operating a child pornography (Cheese Pizza) ring out of the basement of a D.C. pizzeria (which, of course, has no basement). When it became aware of the breach, the DNC alerted the FBI and retained forensic investigators from Crowdstrike to investigate. That is pretty much what victims of hacking do: They alert law enforcement and conduct their own forensic investigation.
Crowdstrike, for its part, did what forensic investigators do when there’s a data breach: They followed standard data collection and forensic protocols, collected log data and other data and provided it forensically to the FBI and other law enforcement agencies. Sometimes in such cases, the forensics are done by the FBI or other law enforcement agency, but more often than not, it’s done by a third-party forensics entity using the same or similar tools to what the FBI would do. Chain of custody, forensic tools and other precautions typically are taken to ensure that the data is usable after the fact.
However, in our hyper-partisan environment, the fact that Crowdstrike and not the FBI conducted the forensic investigation has, in some circles, evolved into a conspiracy theory and scandal. The allegation goes that the DNC deleted log files, didn’t share information with law enforcement and made things up. The conspiracy theory is fueled by the fact that the DNC essentially “trashed” (that is, that it abandoned and rebuilt) the infected cloud servers—to keep the Russians out. Clearly, they must be hiding something, right?
To forensic professionals, there’s really nothing to see here. It’s all pretty much standard incident response and data recovery stuff—especially on the cloud. The forensic rule of thumb is, “Delete doesn’t and restore won’t.” Crowdstrike provided all of the data to the FBI, which was primarily responsible for the investigation—again, standard stuff.
In the July call between President Trump and Ukrainian President Volodymyr Zelensky, Trump brought up the Crowdstrike investigation. He implored his Ukrainian counterpart: “I would like you to do us a favor though because our country has been through a lot and Ukraine knows a lot about it. I would like you to find out what happened with this whole situation with Ukraine; they say Crowdstrike … I guess you have one of your wealthy people … The server, they say Ukraine has it. I think you’re surrounding yourself with some of the same people. I would like to have the [U.S.] Attorney General [William Barr] call you or your people and I would like you to get to the bottom of it.”
To employ a legal term, WTF?
Trump is suggesting that there is some server in Ukraine that has some information that the U.S. Department of Justice (DoJ) is seeking for some investigation. Now, if what he is saying is that the DoJ is investigating the source of the Russian hack (attributed by Crowdstrike to two Russian hacker groups named “Cozy Bear” and “Fancy Bear” and likely associated with the Russian GRU) and is seeking Ukraine’s help under the 1999 U.S./Ukraine Mutual Legal Assistance Treaty (MLAT), then it’s just bizarre, since those requests typically come from what the treaty calls the U.S. “Central Authority,” defined as the Attorney General. But, OK, the president is merely asking the Ukrainian Minister of Justice to cooperate with the U.S. Central Authority on probing Russian interference in the U.S. election, right? If so, what’s with the “server”?
You see, there’s a conspiracy theory, adopted by the President of the United States, that there’s a “missing DNC server.” As Rolling Stone described the theory:
On the far-right fringes, however, a conspiracy theory formed that Crowdstrike was somehow part of a Deep State plot to wrongly blame Russia for the DNC hack. This theory claims that because the DNC and Crowdstrike didn’t give the FBI the ‘server’ that was hacked, that was evidence of a cover-up. In Trump’s regurgitating of this theory to the Ukrainian president he also seemed to suggest that the DNC server in question had ended up in Ukraine because, as Trump has falsely claimed, Crowdstrike has Ukrainian owners.
Another theory (espoused in court by Roger Stone) is that there was no Russian hack of the DNC at all and that Crowdstrike manufactured forensic evidence to make it look like the Russians were interfering with the election. It was these allegations that the president was asking a foreign leader to investigate.
First things first. CrowdStrike’s chief technology officer (and co-founder) is a Russian-born U.S. citizen named Dmitri Alperovitch and he is Ukrainian. He happens to be a senior fellow at the Atlantic Council, and the Atlantic Council gets some of its funding from a foundation run by a Ukrainian billionaire, Victor Pinchuk. And, for the pièce de résistance, Pinchuk gave money to the Clinton Foundation. So if you have your photographs up on the wall, and your red string, this means that the Crowdstrike “investigation” was fabricated. Got it? Oh, and the term “cheese pizza” really means “child pornography.” Sheeple!
So, the President was NOT asking his counterpart to investigate a crime by Russia. No, he was sure that there was no crime by Russia; the DNC, Crowdstrike, the FBI and others were attempting to make it seem like the Russians were hacking the DNC to help his election; and he wanted the Ukrainian president to help him prove it and thereby to help win re-election. Again, are you following along?
But what about the “missing server?” I mean, isn’t it suspicious that the DNC did not let the FBI take the original server? That the organization used Crowdstrike to make images and got rid of the original server? Clearly, there’s something fishy going on there.
In fact, the President has previously implored: “You have groups that are wondering why the FBI never took the server? Why was the FBI told to leave the office of the Democratic National Committee? I’ve been asking it for months and months. Where is the server? I want to know where is the server and what is the server saying?” As Laugh-In comedian Artie Johnson would say, “veeery interesting.” On the other hand, President Trump might be referring to Hillary Clinton’s personal email server maintained at her New York residence, from which she stated she had deleted personal emails and about which then-candidate Trump implored Russia in July 2016: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.” Perhaps Mr. Trump thought that these emails were on some server in Ukraine.
Now those of us in the forensic community understand (well, most of us do) that, particularly when it comes to the cloud, data rarely resides on “a server.” In fact, as a result of the hack, the DNC ultimately imaged and then decommissioned more than 140 servers and hundreds of individual PCs. The images were provided to the FBI, which again is standard forensic procedure. Crowdstrike, under the direction of the DNC, provided the FBI with disk images, memory dumps, network logs, IDS/IPS logs, endpoint management logs and other relevant data. Like the company typically would do.
Putting politics (and conspiracy theories) aside, it’s really not unusual for entities that suffer a data breach to have a forensic company conduct an investigation, collect data, image drives and provide the results to law enforcement. It’s not unusual to rebuild infected machines, especially if they were infected by an APT. You hire forensic investigators (rather than relying on the FBI or other law enforcement) so you can control the investigation, so you can be kept advised of the status and scope of the investigation, so you can protect data you don’t want disclosed (e.g., privileged information without waiver) and so you can decide what information to give voluntarily to law enforcement. You do that to protect the privacy of your employees, donors, customers, clients, contractors, etc., and so you can make an informed decision about what to do next. But you do it in a way that preserves the integrity of the data. And you work with law enforcement to keep them advised of what you are doing. It appears that’s what happened in the case of Crowdstrike, and the FBI noted that it got all of the information it needed and the forensic copies of data it received were a perfectly “adequate substitute” for access to the original data. And, there ain’t no “server.”
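As an added illustration (not from the article, and not any vendor’s or agency’s tooling) of why a verified forensic copy is an “adequate substitute” for the original hardware described above: the image is hashed at acquisition, every hand-off is appended to a hash-chained custody log, and a later check proves both that the copy is byte-for-byte unchanged and that the log itself was not edited. The examiner names, item label and image bytes are constructed.

```python
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(entry: dict, prev_hash) -> dict:
    """Seal a custody-log entry: its hash covers its own fields plus the previous entry's hash."""
    entry = dict(entry, prev=prev_hash)
    entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
    return entry


def acquire_image(source: bytes, label: str, examiner: str) -> dict:
    """Simulated acquisition: take a copy of the source and record its hash at imaging time.
    From here on only the copy matters; the original host can be rebuilt or decommissioned."""
    image = bytes(source)  # constructed stand-in for a disk image
    first = _seal({"event": "acquired", "item": label, "by": examiner,
                   "image_sha256": sha256(image)}, None)
    return {"image": image, "log": [first]}


def transfer(evidence: dict, sender: str, receiver: str) -> None:
    """Record a hand-off; the receiver re-hashes the copy so the log shows it was unchanged on receipt."""
    prev = evidence["log"][-1]
    evidence["log"].append(_seal({"event": "transferred", "from": sender, "to": receiver,
                                  "image_sha256": sha256(evidence["image"])},
                                 prev["entry_hash"]))


def verify(evidence: dict) -> bool:
    """True only if every log entry is intact and correctly chained, every recorded hash
    equals the acquisition hash, and the image still hashes to that same value."""
    log = evidence["log"]
    if not log or log[0]["prev"] is not None:
        return False
    acquired = log[0]["image_sha256"]
    prev_hash = None
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev_hash or entry["image_sha256"] != acquired:
            return False
        if sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev_hash = entry["entry_hash"]
    return sha256(evidence["image"]) == acquired
```

Any single flipped byte in the copy, or any edit to an earlier log entry, makes `verify` return False, which is the property that lets a copy stand in for the original.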
Which leads back to the question of what exactly President Trump was asking President Zelensky for. And on that one, your guess is as good as mine.