CrowdStrike, Comey & Conflicting Claims?

By Adam Carter --- July 16th, 2017

CrowdStrike Gave Forensic Images To The FBI

On July 5th, 2017, an article was posted in the Washington Times titled "Hacked computer server that handled DNC email remains out of reach of Russia investigators".

The article covered the questions and doubts raised about the reputation of a firm called CrowdStrike, a cyber-security firm that investigated the DNC's network and computers last year, initially following the discovery of malware and later claiming (on June 14th) that the hackers were back on (or still on) the system.

Increasingly, people have been asking why CrowdStrike didn't publish any hard evidence (logs, disk images, etc.) related to the DNC hack (i.e. the actual acquisition event). I had argued that such evidence wouldn't have been given to the FBI (otherwise the FBI could have based its arguments on what it actually received rather than producing speculative assessments), and I even expressed disbelief that they had sent such evidence to the FBI.

However, news then came reporting that CrowdStrike had given disk images to the FBI.

So, it would seem I was wrong to assume they hadn't provided disk images; however, questions do arise when we look at Comey's testimony and what the FBI had to rely on.

Comey's Testimony

So, CrowdStrike gave the FBI the images, yet James Comey is implying that they had to rely on CrowdStrike's findings.

So, why rely on findings and not draw their own conclusions on the evidence?

Disk Images Of What And From When?

CrowdStrike's statement mentions that they had provided the forensic images to the FBI but the only reference we have for any dates is in May.

We don't know when these images were taken (it could have been early May or after devices were gathered up and reportedly wiped in June 2016).

We don't even know if these are full images or partial images.

Of course, with Falcon installed in early May, they should have had evidence of when files/emails/etc. were copied or sent, and a record of acquisitions on both May 23 and May 25, but it seems that some of this information might not have been disclosed.

CrowdStrike, Conflict Of Interest & A Broken Chain Of Custody

While there are gaps here due to the timing of the images being taken (and we don't even know if the disk images were taken before or after incidents starting on May 23, 2016), the biggest problem here is clearly the lack of a proper chain of custody.

The FBI or an independent forensics team should have gathered the evidence and the FBI should have been able to account for the evidence every step of the way "from the crime scene to the lab" and in this case they clearly can't.

Even if CrowdStrike is the most reputable cybersecurity firm on the planet, they were still hired by the DNC and were therefore not truly impartial; the FBI was refused access to the crime scene (and a previous offer to install sensors on the network prior to the email acquisition was rebuffed), so they had little choice but to rely on information filtered through the firm.

With access to the crime scene denied and evidence collection provided by a private firm hired by the apparent victim of the crime, the FBI can't properly account for the evidence and the chain of custody is broken regardless of anyone's reputation or virtuous intent.
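To make the "every step of the way" requirement concrete, here is an added example (not code from the original article or from any party it discusses) that audits a custody record for a forensic image: every step must attest the image hash, hand-offs need matching receipts, and the record must begin with a documented acquisition. The image bytes, parties, dates and event names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample "disk image"; in practice this is the raw .dd/.E01 file.
IMAGE = b"constructed sample disk image bytes"
IMAGE_SHA256 = hashlib.sha256(IMAGE).hexdigest()

@dataclass
class CustodyEvent:
    when: datetime          # time the step was logged
    action: str             # "acquired", "transferred", "received" or "examined"
    actor: str              # party performing the step
    sha256: Optional[str]   # hash attested at this step, None if none was recorded

def audit_chain(events: List[CustodyEvent], current_sha256: str) -> List[str]:
    """Return the defects found in a custody record (an empty list means intact)."""
    problems = []
    if not events or events[0].action != "acquired":
        problems.append("no documented acquisition: who imaged the device, and when, is unknown")
    prev = None
    for e in events:
        if e.sha256 is None:
            problems.append(f"{e.action} by {e.actor}: no hash attested, image may be partial or altered")
        elif e.sha256 != current_sha256:
            problems.append(f"{e.action} by {e.actor}: attested hash does not match the image held now")
        if prev is not None:
            if e.when < prev.when:
                problems.append(f"{e.action} by {e.actor} is logged before the preceding step")
            if prev.action == "transferred" and e.action != "received":
                problems.append(f"hand-off from {prev.actor} has no matching receipt")
        prev = e
    return problems

def t(day: int, hour: int) -> datetime:   # constructed May 2016 timestamps
    return datetime(2016, 5, day, hour, tzinfo=timezone.utc)

# Intact chain: acquisition, hand-off and receipt all hashed and in order.
INTACT = [
    CustodyEvent(t(5, 9), "acquired", "independent examiner", IMAGE_SHA256),
    CustodyEvent(t(5, 12), "transferred", "independent examiner", IMAGE_SHA256),
    CustodyEvent(t(5, 13), "received", "lab", IMAGE_SHA256),
    CustodyEvent(t(6, 10), "examined", "lab", IMAGE_SHA256),
]
# Broken chain: the lab only holds an image handed over by the victim's own contractor,
# with no acquisition record and no hash attested at hand-off.
BROKEN = [
    CustodyEvent(t(20, 15), "transferred", "victim's contractor", None),
    CustodyEvent(t(20, 16), "received", "lab", IMAGE_SHA256),
]

if __name__ == "__main__":
    print("intact:", audit_chain(INTACT, IMAGE_SHA256) or "no defects")
    print("broken:", *audit_chain(BROKEN, IMAGE_SHA256), sep="\n  ")
```

The broken record is flagged twice: the acquisition itself is undocumented, and the hand-off carries no hash, so the receiving lab cannot show the image is complete or unaltered.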

[UPDATED - 11 January, 2020: Supposition and speculation removed. Added a reference to the apparent lack of accounting for activity on May 23, 2016. Added a section about the issue of a broken chain of custody.]