ThreeSevens (@threesevens)
Some highlights from Ben Cotton, CEO of CyFIR:

- Federal law requires election data to be preserved for 22 months following an election. "Maricopa County failed to preserve the operating system security logs" within the required timeframe.
- The system had 2 bootable drives, which is not an approved configuration.
- More than 85,000 files were deleted between October 28 and November 5th, 2020 and more than 1 million files were deleted between November 1st 2020 and March 16th 2021.
- A script was run multiple times to intentionally overwrite the security logs, including the day before the auditors received the system. They have the screenshots of the people who were at the machines at the times the machines were tampered with.
- Maricopa County's system had a single password for all users and administrators. The password was created on system initialization and was never changed.
- There were hundreds of anonymous logins including remote logins.
- Remote Access, Terminal Services, and IPV6 were enabled on the EMS server. 59 ports open on boot with high port listening activity. When booted, the EMS System attempted to connect to the internet, despite the County's claims that the system does not connect to the internet.
- The County's auditors claimed they found no internet history, but CyFIR found significant internet history in unallocated disc space.
- One EMS system connection to the internet happened on February 1, 2021, which coincides with the beginning of the audit and a purge of thousands of files.