The CyFIR Report on Friday showed the digital findings from Maricopa County’s forensic audit of the 2020 election. Founder Ben Cotton and his team allegedly found instances of cybersecurity breaches and malfeasance on the part of Maricopa County. Cotton remarked at one point in his presentation, “The election was neither accountable or secure.” 

CyFIR’s founder, Ben Cotton, is no stranger to the world of digital forensics. “A technical visionary and pioneer in Cyber Security and Computer Forensics for the U.S. Government and the SOCOM,” Cotton’s bio states:

“[Mr. Cotton is a] twenty-one year veteran of the US Army, Special Operations Command (SOCOM). Mr. Cotton served in both unclassified and classified units fighting the Global War on Terrorism, specializing in sensitive site and digital device exploitation, Computer Network Attack (CNA), and Computer Network Defense (CND).”

Cyber Ninjas’ Vol. 3 “Result Details” shows the details of CyFIR’s findings. The malfeasance and possible criminal activity found by CyFIR shows significant cybersecurity issues; file and log deletions, dual boot hard drives, internet connections, overwriting of data—and the evidence to back up their findings. According to Cotton, neither of the two Maricopa County “audits” found evidence of internet connections.

Cybersecurity issues found by CyFIR were:

  • The Maricopa County 2020 election was breached.
  • No security patches done in two years since the purchase of the system.
  • No anti-virus updates in two years since installation.
  • Same name, same password with Admin privileges throughout the system for the entire County.
  • The oldest date on the security log was 2/5/2021, with no inclusion of the election period.
  • The County did not provide Windows Security Logs.
  • Dual, bootable hard drives were found internally in the system, both bootable to different configurations.
  • One of the hard drives included outside information from Washington State and South Carolina.

This slideshow requires JavaScript.

According to CyFIR’s report, the cyber security failures and breaches were significant and many.

CyFIR/CyberSecurity Issues

Additionally, CyFIR found “clear intentional overwriting of the security logs by the EMSADMIN Account.” CyFIR stated they have video footage of who was at the keyboard when the files were deleted.

File deletions were numerous on two drives and three of four HiPro Scanners:

  • 865 directories and 85,673 election-related files were deleted between 10/28/20 and 11/05/20 from the EMS C:\ Drive.
  • 9,571 directories and 1,064,746 election-related files were deleted between 11/01/20 and 03/16/21 on the EMS D:\ Drive.
  • HiPro 1 Scanner, 304 directories and 59,387 files containing election data were deleted on 03/03/21.
  • HiPro 3 Scanner, 1,016 directories and 196,463 files containing election data deleted on 03/03/21.
  • HiPro 4 Scanner, 981 directories and 191,295 files containing election data deleted on 03/03/21.

59 EMS listening ports were open on the server and SQL logs indicate that general election results were purged from EMS on February 1st, 2021. Cotton stated they were purged, “right before the two audits performed by the County were due to commence.”

Ben Cotton explained:

“If you look at that last bullet—first-in, first-out (FIFO) approach—all of a sudden it becomes readily apparent as to what happened on these distinct dates.

So on each of these dates, an individual executed a script, and that script repeatedly looked for a blank password for all of the accounts on the system.  Depending on the system, there were only about 16 accounts that were present on a given system. So this script was run multiple times.

On 2/11, 462 log entries were overwritten by this script. on the 3rd of March, 37,686 log entries were overwritten by this same script— On the 12th, which is the day before we received the system, there were 330 log entries overwritten by that script.

Now, the challenge here is that I know that this occurred. I know which account did it. It was the EMS Admin account.

If you reflect back to what I just said about the lack of accountability of assigning that username to an individual—it now becomes extremely difficult to prove who did it. Luckily, we happen to have some historical data from MTEC video feeds—and so we leverage that data to backtrack and align these times and we have captured screenshots of Maricopa County people at the keyboards during those time periods.”

Cotton’s full presentation begins at the 30-minute mark.

Resistance and obstruction has plagued the audit from beginning to end. Subpoenas were sent to the Maricopa Board of Supervisors demanding the above equipment and an agreement to give them to the Senate was reached on Sept. 20. The Senate has yet to say when the investigation of the routers and Splunk logs will begin.

In addition to the above items that were never delivered, Cyber Ninjas also reported that Maricopa County never provided a full accounting of how many ballots it received for its audits. Undeliverable ballots and systems to access the voter rolls were also never provided by the County.

A full Senate-run canvass was obstructed by the Democrats and the federal government—even though one was specified in the original contract. Liz Harris and her volunteers performed a canvass whose results were officially announced on Sept. 8.

Cyber Ninjas Report/Vol.3

Reports are forthcoming on the paper used and the subpoenaed materials, including router and Splunk log data, admin passwords, and hardware keys. The paper used for the ballots could be a critical data point in the audit.

Jovan Hutton Pulitzer says that the public knows only about 50 percent of the truth so far. Pulitzer is currently under an NDA because he has yet to present his full findings regarding what paper was actually used and the kinematic artifacts.

The audits conducted by Maricopa County were not anywhere close in scale or granularity to forensic audits led by Cyber Ninjas. Intelligence Analyst, Phil Waldron told Patrick Byrne in a video conference review of the report, “Other devices were connected to the election system, which is a decertification event.”

As a result of the audit, AG Brnovich has now requested from Maricopa County the preservation of information as it relates to the 2020 election. He also requested the unredacted audit reports from the State Senate:

Brnovich Letter to MCBOS/preservation/9/27/21

Senator Kelly Townsend, in a 1487 request, asked Brnovich to investigate—raising issues that were not covered in the Senate audit report. Brnovich turned her down. She refers to state law that says the AG is obligated by law to investigate. The links for her questions can be found here.

Townsend explained on her Telegram Channel that for a special session to be called:

The AZ Constitution requires 2/3 of the Legislators to sign a petition. (Article 4, Part 2, Section 1). You can see we will need 4 Democrats in the Senate and 9 in the House. Without them, we cannot call the special session. That leaves us with section 3, where the Governor calls the session. Therefore, let’s push for the Governor to call us in to address the illegal votes in the AZ 2020 General Election and to propose legislation that will pass in time for the 2022 primary to prevent the same thing from happening again.

The Maricopa County Board of Supervisors stated via Twitter it will respond to the claims in the forensic audit.

The recommendations based on audit findings from Cyber Ninjas for legislative consideration can be found here. Senate President, Karen Fann, held a press conference after Friday’s hearing, saying she has questions—some things “aren’t making sense” and need further scrutiny.

UncoverDC has written several articles starting with one summarizing the Sept. 24 hearing and the Cyber Ninjas report. This article is the third in a series breaking down the three individual three audit reports presented on Friday. An article referencing the EchoMail/Dr. Shiva Addayurai report will be published soon.