A server can be cleaned up to eliminate things or add things to meet a desired goal then copied…
Louis Weeks

“A server can be cleaned up to eliminate things or add things to meet a desired goal, then copied, hiding those steps to add or subtract; the original would show those signs, a copy would not.

Anyone in the field can tell you that.”

Then find me a person in the field and prove it. I already cited my source in my reply to O’Neil:

“Once incident response has been conducted, the crucial evidence can be handed over directly to officials without politically tricky questions of broader access. We don’t know exactly what CrowdStrike handed over (the company declined to comment), but that data can range from full disk images to an edited digest of suspicious files and logged connections. If CrowdStrike did image the server, any subsequent analysis would simply be confirming that the firm hadn’t screwed up.
Law enforcement groups sometimes do double-check that data, but it’s unlikely to change the attribution itself. Even if CrowdStrike wanted to skew the results toward a particular party, the FBI would be able to check their work against data pulled directly from the network. “The IC would certainly be able to check the malware and associated technical data recovered from the DNC network themselves,” says Tait. “The FBI may be reliant on CrowdStrike to find malware on the DNC network, but they are not beholden to CrowdStrike’s analysis.”
We also know that the FBI suspected Russian involvement in the DNC breach long before CrowdStrike got involved. According to the Times’ recounting, the first contact between the FBI and DNC came in September 2015, a full seven months before CrowdStrike was contracted. The Times article doesn’t detail exactly what tipped the FBI off to the breach, but it’s fair to assume it was some version of the threat-sharing systems used at NCCIC and similar centers. Even in September, the FBI saw Russia as the prime suspect, tying the intrusion to a group of malware tools previously identified by F-Secure. While the FBI ultimately came to the same conclusion as CrowdStrike, it did so with far more information, drawing on data only federal law enforcement would have access to.”

If the server were the only piece of evidence, your comment would make sense. But it’s not. And the copy they have comports with evidence they gathered in 2015.
