In Helsinki on Monday, President Donald Trump stood feet away from Russian President Vladimir Putin and fielded a simple question from an AP reporter: Whose account of the 2016 election does he believe—that of Putin, who claims Russia did not interfere in the U.S. presidential election, or that of the major U.S. intelligence agencies, which have unanimously concluded that it did?
In response, the president brought up a well-rehearsed conspiracy theory implying that after being hacked, the Democratic National Committee refused to help the FBI investigation, and that therefore all evidence implicating Russia in election meddling was shaky. “You have groups that are wondering why the FBI never took the server,” Trump said. “Why didn’t they take the server? Where is the server, I want to know, and what is the server saying?”
Trump’s view is unmoored from reality in several ways.
Three days earlier, special counsel Robert Mueller published an indictment of 12 officers from the GRU, the Russian military intelligence service, for interfering in the 2016 U.S. election, including by hacking into the DNC. The indictment is historically unprecedented in scope and detail. The FBI named and shamed two specific GRU units, their commanding officers and 10 subordinate officers while revealing stunning details of Russia’s hacking tradecraft. And a close read of it all shows why Trump’s “DNC didn’t give the server to the FBI” conspiracy theory makes no sense.
First off, CrowdStrike, the company the DNC brought in to initially investigate and remediate the hack, actually shared images of the DNC servers with the FBI. For the purposes of an investigation of this type, images are much more useful than handing over metal and hardware, because they are bit-by-bit copies of a crime scene taken while the crime was going on. Live hard drive and memory snapshots of blinking, powered-on machines in a network reveal significantly more forensic data than some powered-off server removed from a network. It’s the difference between watching a house over time, carefully noting down who comes and goes and when and how, versus handing over a key to a lonely boarded-up building. By physically handing over a server to the FBI as Trump suggested, the DNC would in fact have destroyed evidence. (Besides, there wasn’t just one server, but 140.)
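The paragraph above rests on a forensic point: a disk image is a bit-for-bit copy of the evidence, and its integrity can be proven with a cryptographic hash, so handing over an image loses nothing that the physical hardware would have provided. The following script is an added illustration and is not part of the original article nor any tool used by CrowdStrike or the FBI. It constructs a small sample file to stand in for a block device (a real acquisition would point `dd` at something like `/dev/sdX`, the path here is a placeholder), copies it with `dd`, and verifies that the source and image hashes match, then shows that any later modification of the image is detected. The function names `acquire_image`, `verify_image` and `custody_record` are my own.

```shell
#!/bin/sh
# Added example (not from the article): forensic disk imaging with
# integrity verification. Everything below works on a constructed
# sample file, never on a real device.
set -eu

WORK="$(mktemp -d)"
EVIDENCE="$WORK/evidence.bin"   # stands in for a device such as /dev/sdX (placeholder)
IMAGE="$WORK/evidence.dd"
LOG="$WORK/custody.log"

# Construct sample "disk" content: 64 KiB of random bytes plus a marker.
head -c 65536 /dev/urandom > "$EVIDENCE"
printf 'CONSTRUCTED-SAMPLE-DATA' >> "$EVIDENCE"

# acquire_image SRC DST: bit-for-bit copy of SRC into DST.
# Note: no conv=sync here, because block padding would change the hash.
acquire_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# sha256_of FILE: print the SHA-256 hex digest only.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG: succeed (exit 0) only if both hashes are identical.
verify_image() {
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    [ "$src_hash" = "$img_hash" ]
}

# custody_record IMG LOG: append an acquisition record (timestamp, path, hash)
# so that the image can be re-verified later by anyone holding the log.
custody_record() {
    printf '%s acquired %s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$(sha256_of "$2")" >> "$3"
}

# Demonstration run (wrapped in `if` so set -e does not abort on a mismatch).
acquire_image "$EVIDENCE" "$IMAGE"
custody_record "$EVIDENCE" "$IMAGE" "$LOG"
if verify_image "$EVIDENCE" "$IMAGE"; then
    echo "image verified: hashes match"
else
    echo "image FAILED verification"
fi

# A single appended byte is enough to break verification.
cp "$IMAGE" "$WORK/tampered.dd"
printf 'x' >> "$WORK/tampered.dd"
if verify_image "$EVIDENCE" "$WORK/tampered.dd"; then
    echo "tampered image unexpectedly verified"
else
    echo "tampered image detected"
fi
cat "$LOG"
```

The point of the hash in the custody log is that it is the image, not the hardware, that becomes the evidentiary object: anyone can recompute the digest later and confirm the copy is unchanged, which is exactly why investigators work from verified images rather than from a server that has been unplugged and moved.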
An advanced investigation of an advanced hacking operation requires significantly more than just access to servers. Investigators want access to the attack infrastructure—the equivalent of the chain of getaway cars used by a team of burglars. And the latest indictments are rich with details that likely come from intercepting command-and-control boxes (in effect, bugging those getaway cars) and have nothing to do with physical access to the DNC’s servers.