The Maricopa County audit continues today, as the forensic audit team speaks out against a barrage of mainstream media reports claiming that the databases directory was never deleted.
Ben Cotton, founder of CyFIR, a national-level forensics company that has worked in both the private and government sectors, made a statement via the Arizona audit’s Twitter page saying:
“My testimony on May 19th before the AZ Senate is being taken out of context by some media outlets. To confirm: the “Databases” directory on the EMS Primary Server containing the voting databases -WAS deleted. I was able to recover the deleted databases through forensic data recovery processes. We are performing data continuity checks to ensure that the recovered databases are usable.”
So, according to Cotton, the ‘D’ drive of the EMS Primary Server was in fact deleted. However, because of his extensive experience in the forensics field, he was able to recover the deleted files, which is exactly what he said at the Arizona State Senate hearing on the 19th:
“Did you determine that the D drive was deleted?”
“I did. We follow a very strict forensics acquisition process in which we don’t turn on a system if it’s delivered powered off. We remove the hard drives and perform forensics imaging with write locks on to prevent any changes to those hard drives. We produce a bit-for-bit forensics copy of that drive. In the case of the EMS servers, there were 6 drives. 2 drives were for the operating system and they were (unintelligible) configuration. So if something was changed on the operating system drive that would automatically be reflected on both drives. The other four drives were data drives and they were in a RAID configuration known as 1 plus zero. So you have a volume that is mirrored but also data redundancy and striped across both drives. If I don’t turn on a system I don’t have access to the RAID parameters and the county did not provide those to us. So I had to do a discovery process to determine what that RAID configuration was. Part of that process is a scan across those drives to detect partitions of data and to also detect a master file table, which is a record of all of the directories of the files that are contained in that partition, and a pointer to where that data resides on the hard drive. In the course of performing that discovery, I found an MFT that clearly indicated that the database directory was deleted from that server. All of this may be moot because subsequently I have been able to recover all the deleted files and I have access to that data.”
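The testimony above describes scanning raw disk images for a master file table and reading from it that a directory had been deleted. The following is an added illustration of that part of the process, written for this page; it is not CyFIR's tooling, not code from the audit, and makes no claim about what was on the Maricopa servers. It builds a few NTFS MFT records from scratch (constructed sample data, with the names `Windows`, `Databases` and `results.db` chosen only for illustration), scans a byte buffer for the `FILE` signature the way a carver would scan a drive, applies the NTFS update-sequence fixups, and reports which records are directories whose in-use flag has been cleared, which is how a deleted directory shows up in the MFT while its record still survives on disk.

```python
import struct

RECORD_SIZE = 1024        # MFT record size on most NTFS volumes
SECTOR_SIZE = 512
FLAG_IN_USE = 0x0001      # cleared when the file or directory is deleted
FLAG_DIRECTORY = 0x0002
ATTR_FILE_NAME = 0x30     # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF


def build_record(record_number, name, is_dir, in_use):
    """Build a minimal resident MFT FILE record (constructed sample, not from any real image)."""
    # $FILE_NAME content: parent ref (5 = root), 4 timestamps, 2 sizes, flags, reparse tag
    content = struct.pack("<QQQQQQQII", 5, 0, 0, 0, 0, 0, 0,
                          0x10000000 if is_dir else 0, 0)
    content += struct.pack("<BB", len(name), 3) + name.encode("utf-16-le")
    attr_len = 24 + len(content)
    attr_len += (-attr_len) % 8                        # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0, 0, 0,
                       len(content), 24, 0, 0) + content
    attr = attr.ljust(attr_len, b"\0")
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    first_attr = 56
    used = first_attr + attr_len + 8
    # record header: signature, USA offset/count, LSN, sequence, links, first attr, flags,
    # used/allocated size, base record, next attr id, padding, record number
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, first_attr,
                         flags, used, RECORD_SIZE, 0, 0, 0, record_number)
    usa = b"\0" * 6                                    # USN 0 plus two saved sector words
    body = (header + usa).ljust(first_attr, b"\0") + attr + struct.pack("<II", ATTR_END, 0)
    return body.ljust(RECORD_SIZE, b"\0")


def apply_fixups(buf, usa_off, usa_count):
    """Undo NTFS update-sequence protection; a mismatch means the record is torn/damaged."""
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("update sequence mismatch at sector %d" % i)
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf


def parse_record(raw):
    """Parse one FILE record into flags and the name from its resident $FILE_NAME."""
    if raw[:4] != b"FILE":
        return None
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    buf = apply_fixups(bytearray(raw), usa_off, usa_count)
    attr_off, flags = struct.unpack_from("<HH", buf, 20)
    record_number = struct.unpack_from("<I", buf, 44)[0]
    name = None
    off = attr_off
    while off + 16 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and buf[off + 8] == 0:   # resident attribute only
            clen, coff = struct.unpack_from("<IH", buf, off + 16)
            content = buf[off + coff:off + coff + clen]
            nlen = content[64]
            name = bytes(content[66:66 + 2 * nlen]).decode("utf-16-le")
        off += alen
    return {"record": record_number, "name": name,
            "in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIRECTORY)}


def scan_records(image):
    """Carve FILE records out of a raw byte buffer at sector alignment, as a drive scan would."""
    found, off = [], 0
    while off + RECORD_SIZE <= len(image):
        if image[off:off + 4] == b"FILE":
            rec = parse_record(image[off:off + RECORD_SIZE])
            if rec is not None:
                found.append(rec)
            off += RECORD_SIZE
        else:
            off += SECTOR_SIZE
    return found


def find_deleted_directories(image):
    """Names of records flagged as directories whose in-use flag is cleared."""
    return [r["name"] for r in scan_records(image) if r["is_dir"] and not r["in_use"]]


# Constructed sample "image": junk, two records, an empty gap, one more record.
SAMPLE_IMAGE = (b"\xAA" * SECTOR_SIZE
                + build_record(40, "Windows", is_dir=True, in_use=True)
                + build_record(41, "Databases", is_dir=True, in_use=False)
                + b"\0" * RECORD_SIZE
                + build_record(42, "results.db", is_dir=False, in_use=False))

if __name__ == "__main__":
    for rec in scan_records(SAMPLE_IMAGE):
        print(rec)
    print("deleted directories:", find_deleted_directories(SAMPLE_IMAGE))
```

On a real acquisition this scan runs over the write-blocked, bit-for-bit image rather than the live disk, and a record whose in-use flag is clear is only evidence that the entry was deleted; whether the referenced data can still be recovered depends on whether its clusters have since been reallocated, which is the continuity check the statement above refers to.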
However, because of the misinterpretation of Mr. Cotton’s statements by numerous media outlets and the Maricopa County Board of Supervisors, an attorney for the board sent a letter to the Arizona State Senate threatening to sue over what they call false claims about the deleted directory. In addition, the letter directed the Senate and the forensic auditors to preserve any records related to the audit, including emails, text messages, computer files, cellphones and other devices.