Donald Trump turns to right-wing conspiracy theories when he’s cornered, and he was cornered on Monday. Standing feet away from Vladimir Putin at a press conference following their Helsinki tête-à-tête, Trump was challenged by a reporter to condemn Putin for Russia’s election interference, “in front of the world.” Instead, the world watched as the president of the United States took Putin’s side against his own Justice Department and his own intelligence agencies, and launched into a rambling discourse about Hillary Clinton’s emails and a supposedly missing DNC server that hides the truth about Putin’s innocence.
“You have groups that are wondering why the FBI never took the server. Why didn’t they take the server? Where is the server, I want to know, and what is the server saying?”
The server is saying shut up.
The “server” Trump is obsessed with is actually 140 servers, most of them cloud-based, which the DNC was forced to decommission in June 2016 while trying to rid its network of the Russian GRU officers working to help Trump win the election, according to the figures in the DNC’s civil lawsuit against Russia and the Trump campaign. Another 180 desktop and laptop computers were also swapped out as the DNC raced to get the organization back on its feet and free of Putin’s surveillance.
But despite Trump’s repeated feverish claims to the contrary, no machines are actually missing.
It’s true that the FBI doesn’t have the DNC’s computer hardware. Agents didn’t sweep into DNC headquarters, load up all the equipment and leave Democrats standing stunned beside empty desks and dangling cables. There’s a reason for that, and it has nothing to do with a deep state conspiracy to frame Putin.
Trump and his allies are capitalizing on a basic misapprehension of how computer intrusion investigations work. Investigating a virtual crime isn’t like investigating a murder. The Russians didn’t leave DNA evidence on the server racks and fingerprints on the keyboards. All the evidence of their comings and goings was on the computer hard drives, and in memory, and in the ephemeral network transmissions to and from the GRU’s command-and-control servers.
When cyber investigators respond to an incident, they capture that evidence in a process called “imaging.” They make an exact byte-for-byte copy of the hard drives. They do the same for the machine’s memory, capturing evidence that would otherwise be lost at the next reboot, and they monitor and store the traffic passing through the victim’s network. This has been standard procedure in computer intrusion investigations for decades. The images, not the computer’s hardware, provide the evidence.
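The imaging step described above is easy to demonstrate. The following is an added example written for this article, not code from the DNC, Crowdstrike or the FBI: it copies a source byte-for-byte, hashes the bytes as they are read, re-hashes the finished image, and writes a small custody record so anyone handed the image later can confirm it is the same evidence. It images an ordinary file standing in for a disk so it runs anywhere; on a real acquisition the source would be a block device such as `/dev/sdb` (an assumed path), read through a write blocker.

```python
"""Forensic-style imaging with hash verification (added example, not from the article).

Stands in for a block device with an ordinary file so it runs offline; the
constructed 1 MiB "disk" below is sample data, not evidence from any case.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a large device never sits in RAM


def image_source(src_path, image_path, chunk_size=CHUNK):
    """Copy src_path byte-for-byte to image_path.

    Returns (bytes_copied, sha256_hex). The hash is computed from the bytes as
    they are read, so it describes the source exactly as it was at acquisition.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is really on disk
    return copied, digest.hexdigest()


def sha256_file(path, chunk_size=CHUNK):
    """Independent re-hash of a file, used to verify the image afterwards."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path, expected_sha256):
    """True only if the image on disk still matches the acquisition hash."""
    return sha256_file(image_path) == expected_sha256


def acquire(src_path, image_path, examiner="examiner"):
    """Image, verify, and write a JSON custody record beside the image."""
    size, digest = image_source(src_path, image_path)
    record = {
        "source": src_path,
        "image": image_path,
        "bytes": size,
        "sha256": digest,
        "verified": verify_image(image_path, digest),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,  # hypothetical field; real records carry more
    }
    with open(image_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo():
    """Constructed sample: image a fake 1 MiB disk, then tamper with the copy."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "victim_disk.bin")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # constructed content, 1 MiB
    img = os.path.join(workdir, "victim_disk.raw")
    record = acquire(src, img, examiner="ir-team")
    # Flip a single byte in the image: verification against the record must fail.
    with open(img, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")
    return record, verify_image(img, record["sha256"])


if __name__ == "__main__":
    rec, still_valid = demo()
    print(json.dumps(rec, indent=2))
    print("image still verifies after tampering:", still_valid)
```

The point of hashing during the read rather than afterwards is that the hash then attests to the source at the moment of acquisition; the second, independent hash of the written file is what proves the copy is complete. Anyone later given the image and the record can repeat `verify_image` and reach the same conclusion without ever touching the original hardware, which is why the images, not the machines, are the evidence.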
Both the DNC and the security firm Crowdstrike, hired to respond to the breach, have said repeatedly over the years that they gave the FBI a copy of all the DNC images back in 2016. The DNC reiterated that Monday in a statement to the Daily Beast.
“The FBI was given images of servers, forensic copies, as well as a host of other forensic information we collected from our systems,” said Adrienne Watson, the DNC’s deputy communications director. “We were in close contact and worked cooperatively with the FBI and were always responsive to their requests. Any suggestion that they were denied access to what they wanted for their investigation is completely incorrect.”
The FBI declined comment for this story, but in testimony before the House Intelligence Committee last year, then-director James Comey said that Crowdstrike “ultimately shared with us their forensics.”
At that same hearing, Comey complained that the DNC didn’t give the FBI direct access to the DNC’s servers. It’s unclear why Comey wanted the FBI operating on the DNC’s live network, but if the DNC demurred, it wouldn’t be an unusual call, particularly five months before election day.
“The FBI is looking to investigate and prosecute crimes, and we’re looking to return a system to operation as quickly as possible with minimal impact,” said Rendition Infosec’s Jake Williams, one of several incident response professionals interviewed for this story. “I can tell you honestly that had I been part of that incident response, I would not have advocated calling in the FBI. Every minute the FBI spends keeping the actors in play, that’s a minute I don’t get back in prepping for the election. I would absolutely have shared images with them.”
Kenn White, a security expert and former DHS adviser, agreed that the FBI wouldn’t have expected direct access to the DNC’s computers. “The FBI had one of the best cyber security firms in the world giving them forensics, and going in depth and reverse engineering to the byte level these implants and turning it over.”
In some versions of the servergate conspiracy theory now espoused by Trump, nothing less than physical possession of the hardware will suffice, because Crowdstrike, a respected security firm helmed by a former senior FBI agent, might be part of the deep state’s efforts to frame Putin. White scoffs at that notion, noting that the National Republican Congressional Committee is one of Crowdstrike’s customers.
“I’ve done incident response for defense contractors and healthcare groups, this is all standard practice,” said White. “It’s completely defensible in terms of best practices and what was going on.”
It’s also consistent with the Department of Justice’s electronic evidence manual, which recommends capturing images when practical even when the FBI is executing a search warrant against an uncooperative suspect. When the computers belong to a cooperating victim, seizing the machines is pretty much out of the question, said James Harris, a former FBI cybercrime agent who worked on a 2009 breach at Google that’s been linked to the Chinese government.
“In most cases you don’t even ask, you just assume you’re going to make forensic copies,” said Harris, now vice president of engineering at PFP Cyber. “For example when the Google breach happened back in 2009, agents were sent out with express instructions that you image what they allow you to image, because they’re the victim, you don’t have a search warrant, and you don’t want to disrupt their business.”
There’s a final bit of evidence that the FBI got what it wanted from the DNC, and it was filed in the U.S. District Court in Washington, D.C. last Friday: 29 pages of inside details showing exactly how and when the GRU’s hackers moved through the DNC’s network on their mission to help Trump.
If the president really wants to know what the DNC server is saying, it’s all in the indictment against Putin’s hackers. He just has to listen.