I called up Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies, to help explain the technical details behind this type of forensic investigation. Rid, who wrote a detailed explanation for Motherboard in July 2016 of why Russia was likely behind the DNC hack, told me that “from a forensic point of view, the question of a server at this stage doesn’t make any sense.”
“To really investigate a high profile intrusion like the DNC hack, you have to look beyond the victim network,” Rid said. “You have to look at the infrastructure—the command and control sites that were used to get in that are not going to be on any server ... looking at one server is just one isolated piece of infrastructure.”
Even so, what CrowdStrike gave the FBI is likely better than if it had seized and analyzed a physical box.
“To keep it simple, let’s say there’s only one server. CrowdStrike goes in, makes a complete image including a memory dump of everything that was in the memory of the server at the time, including traffic and connections at the time,” Rid said. “You have that image from the machine live in the network including its memory content, versus a server that someone physically carries into the FBI headquarters. It’s unplugged, so there’s no memory content because it’s powered down. That physical piece of hardware is less valuable for an investigation than the onsite image and data extraction from a machine that is up and running. The idea a physical server would add any value doesn’t make any sense.”
What Rid means is that after a hack, some of the evidence of who did it and how they did it may be fleeting. It could exist only in the server’s memory, the RAM, and never be written to its hard drive. (Hackers use “fileless” malware precisely for this reason.) To preserve evidence in cases like these, incident responders need to make an image—essentially a copy of the server in that exact state at that exact moment—so they can examine it afterwards. Think of it as the digital equivalent of investigators photographing the crime scene or the victim.
Lesley Carhart, principal threat hunter at the cybersecurity firm Dragos, told Motherboard that physical servers are rarely seized in forensics investigations.
"For decades, it has been industry-standard forensic and digital evidence handling practice to conduct analysis on forensic images instead of original evidence," she said. "This decreases the risk of corruption or accidental modification of that evidence."
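To make Rid’s and Carhart’s points concrete, here is an added example (not code from the article or from either firm) that hashes acquired images so a working copy can be verified before analysis, and shows that network connections are recoverable only from the live memory capture. The disk and memory contents, the IP addresses, and the record formats are all constructed for the example.

```python
from __future__ import annotations
import hashlib
import re

# Constructed sample artefacts (not real evidence): the disk image holds only
# files, while the live memory image also holds process and network state.
DISK_IMAGE = b"/etc/passwd\n/var/log/auth.log\n/home/user/report.docx\n"
MEMORY_IMAGE = (
    b"proc pid=4242 name=updater\n"
    b"conn 192.0.2.10:49152 -> 203.0.113.7:443 ESTABLISHED\n"
    b"proc pid=1 name=init\n"
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(label: str, source: bytes, custody_log: list) -> tuple[bytes, str]:
    """Copy the evidence and record its hash; the original is not touched again."""
    image = bytes(source)
    digest = sha256_hex(image)
    custody_log.append(f"acquired {label} sha256={digest}")
    return image, digest

def verify(label: str, working_copy: bytes, expected: str, custody_log: list) -> bool:
    """Re-hash a working copy before analysis; any modification shows up here."""
    ok = sha256_hex(working_copy) == expected
    custody_log.append(f"verify {label} {'ok' if ok else 'MISMATCH'}")
    return ok

CONN_RE = re.compile(rb"^conn (\S+) -> (\S+) (\w+)$", re.M)

def live_connections(image: bytes) -> list[tuple[str, str, str]]:
    """Network connections recoverable from an image (only RAM captures have them)."""
    return [(s.decode(), d.decode(), st.decode()) for s, d, st in CONN_RE.findall(image)]

def investigate(custody_log: list) -> dict:
    """Acquire both images, verify the working copies, then analyse the copies."""
    mem, mem_hash = acquire("memory", MEMORY_IMAGE, custody_log)
    disk, disk_hash = acquire("disk", DISK_IMAGE, custody_log)
    if not (verify("memory", mem, mem_hash, custody_log)
            and verify("disk", disk, disk_hash, custody_log)):
        raise RuntimeError("working copy differs from acquisition hash")
    return {"memory_conns": live_connections(mem), "disk_conns": live_connections(disk)}

if __name__ == "__main__":
    log: list = []
    print(investigate(log))
    print("\n".join(log))
```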
I asked Rid if he thought it was suspicious that the DNC did not hand over the actual server to the FBI, and he said “no, not at all.”
“There’s nothing suspicious about the DNC’s behavior,” he said. “There were political reasons and skepticism on the part of the DNC to let the FBI have full visibility into what they do for various reasons during an ongoing election campaign.”
Rid likened any computer forensics investigation to that of a military planning campaign, sort of like a map. “You can connect the dots and the behavior,” he said. “You can show whoever hacked John Podesta also attacked the DNC, and also attacked Jake Sullivan, who worked for Hillary Clinton, and hundreds of other people on the campaign.”
"The evidence that we have going back to before the Mueller indictment was published was already overwhelming"
Robert Mueller’s indictment relies on information that goes far beyond any single server to tie the Russians to the hack. For example, the indictment states that Russian military agents’ search histories indicated an interest in the DNC network in the weeks leading up to one of the hacks; it also has specific information about the development of malware (called X-Agent and X-Tunnel) used to surveil DNC employees and exfiltrate data from their computers, as well as specifics about the types of spearphishing attacks Russians allegedly launched against DNC employees. The indictment also has information about an Arizona-based server that the Russians leased to filter data through.
Some of that information would have had to be obtained by examining DNC networks (or a copy of them), while other details would have nothing to do with the DNC’s networks, its servers, or its computers. Rid says that security researchers outside of the US government have been investigating Russia’s involvement in the hack for years (the details Rid published in 2016 are very similar to what was published in Friday’s indictment).