Arizona Senate Submits Questions To Special Master For Maricopa County 2020 Election Audit

IT Experts Selected

Maricopa County has been at the center of controversy in the General Election. [Photo courtesy Maricopa County Elections Department]

After what has seemed like an eternity, the Special Master in the settlement agreement relating to the subpoenas issued by the Arizona State Senate to Maricopa County has finally settled on the computer experts who will examine the County’s routers and Splunk logs.

In response, the Arizona State Senate issued questions to Special Master John Shadegg and his team of three experts.

The Senate’s questions are posed to determine whether or not election information could have been accessed by unauthorized users.

“After more than three months, all parties have finally agreed on three IT experts to extract the information the Senate is requesting from the Splunk logs and routers,” said Senate President Karen Fann. “Having been instructed not to release the questions prior to the IT experts being hired, the Senate is now submitting the list of questions provided by the auditors. We are hoping to conclude this part of the audit expeditiously and without any further delays.”

As agreed by the parties, the examination of the routers and Splunk logs is for the purpose of answering questions posed by the Senate related to the November 3, 2020, General Election during the time between October 7 and November 20, 2020.

The experts who will work with the Special Master to answer the questions are:

  • Jane Ginn
    Principal Cyber Cybersecurity Threat Analyst
    Cyber Threat Intelligence Network, Inc.
  • Brad E. Rhodes
    Independent Cybersecurity Consultant & Adjunct Professor
    Gannon University
  • Andrew Keck
    Chief Technology Officer – Owner
    Profile Imaging of Columbus, LLC

One of the last questions on the list references “Elliot Kerwin or his affiliates.” Kerwin is alleged to have successfully penetrated Maricopa County’s registration server and/or network.


The FBI seized several computer hard drives from Kerwin’s residence in Fountain Hills in an effort to collect evidence of a conspiracy to commit computer intrusion from October 21st through November 4th, 2021.

Questions from the Arizona State Senate to Special Master John Shadegg

1. Is there any evidence that the routers or managed switches in the election network, or election devices (e.g., tabulators, servers, signature-matching terminals, etc.), have connected to the public internet?
2. How, if at all, were the routers and managed switches in the election network secured against unauthorized or third party access? Is there any evidence of such access?
3. Do the routers or splunk logs contain any evidence of data deletion, data purging, data overwriting, or other destruction of evidence or obstruction of the audit?
4. In preparing and in support of your answer to each of the foregoing questions, please consider and explain whether each of the following supports or undermines your previous answers and, further, provide copies of each of the following:
a. output from the show clock detail command.
b. output from the show version command.
c. output from the show running-config command.
d. output from the show startup-config command.
e. output from the show reload command.
f. output from the show ip route command.
g. output from the show ip arp command.
h. output from the show users command.
i. output from the show logging command.
j. output from the show ip interface command.
k. output from the show interfaces command.
l. output from the show tcp brief all command.
m. output from the show ip sockets command.
n. output from the show ip nat translations verbose command.
o. output from the show ip cache flow command.
p. output from the show ip cef command.
q. output from the show snmp user command.
r. output from the show snmp group command.
s. output from the show clock detail command.
t. output from the show audit command.
u. output from the show audit filestat command.
v. output from the show access-list command.
w. output from the show access-list [access-list-name] for each access list contained on each router.
x. output from the show access-list applied command.
y. output from the show routing table command.
z. output from the show ARP command.
aa. listing of all interfaces, the MAC address for each interface and the corresponding IP addresses for each MAC.
bb. output from the show IP Arp command for each of the IP addresses associated with the router.
cc. results of the write core command.
dd. listing of all current and archived router configuration files (including the name, date of creation, date of modification, size of the file and hash value of each configuration file).
ee. the routing table and all static routes.
ff. a listing of all MAC addresses for all devices (tabulators, poll books, HiPro Scanners, ICC, Adjudication Workstations, EMS Workstations, and Election Management Server, etc) utilized in the November 2020 general election.
gg. reports from the Router Audit Tool.
hh. Complete listing of the Splunk indexers including the MAC address and IP address for each indexer.
ii. collective analysis, using Red Seal, of all routers contained in the Maricopa County network and routing reports to the internet for each interface (including any routes that would allow connections from the 192.168.100.x, 192.168.10.x and 192.168.5.x subnets).
jj. netflow data for the voting network and all other networks leading to the gateway router(s) that have internet access containing the following data elements for each data transmission:
• Date
• Source MAC Address
• Source IP Address
• Source Port
• Destination MAC Address
• Destination IP Address
• Destination Port
• Type of protocol
• Size of the packet.
kk. Splunk data containing the following data elements at a minimum:
• Date
• Source MAC Address
• Source IP Address
• Source Port
• Destination MAC Address
• Destination IP Address
• Destination Port
• Type of protocol
• Size of the packet.
• Any affiliated Splunk alert or notification data
ll. netflow and splunk data related to any unauthorized access by Elliot Kerwin or his affiliates of the Maricopa County registration server and/or network.
mm. all splunk data related to the following windows logs on the EMS Server:
EMS Workstations, Adjudication Workstations, ICC systems, HiPro Scanners, and the Poll Worker laptops.

For each of the foregoing questions, please limit your answers to the time period beginning on October 7, 2020 and ending on November 20, 2020.
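
Question 1, together with the netflow fields in item jj and the subnets in item ii, amounts to a filter over flow records. The sketch below is an added example, not part of the Senate's document or the original article; the CSV column names, the /24 reading of the ".x" subnets and every sample record are constructed assumptions.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Subnets named in item ii; "/24" is an assumed reading of the ".x" notation.
ELECTION_NETS = [ip_network(n) for n in
                 ("192.168.100.0/24", "192.168.10.0/24", "192.168.5.0/24")]
# RFC 1918 private ranges plus loopback and link-local count as non-internet.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
WINDOW_START = datetime(2020, 10, 7)
WINDOW_END = datetime(2020, 11, 21)   # exclusive: covers all of November 20

# Constructed sample records (documentation IP/MAC ranges), fields from item jj.
SAMPLE = """date,src_mac,src_ip,src_port,dst_mac,dst_ip,dst_port,protocol,bytes
2020-10-06T23:59:00,00:00:5e:00:53:01,192.168.100.20,49152,00:00:5e:00:53:ff,203.0.113.10,443,TCP,1500
2020-10-12T09:15:00,00:00:5e:00:53:01,192.168.100.20,49153,00:00:5e:00:53:02,192.168.10.5,445,TCP,820
2020-10-30T03:12:44,00:00:5e:00:53:ff,198.51.100.7,40022,00:00:5e:00:53:05,192.168.10.9,22,TCP,640
2020-11-03T20:41:07,00:00:5e:00:53:03,192.168.5.14,50211,00:00:5e:00:53:ff,203.0.113.10,443,TCP,5120
2020-11-21T00:00:01,00:00:5e:00:53:03,192.168.5.14,50212,00:00:5e:00:53:ff,203.0.113.10,443,TCP,900
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def internet_flows(csv_text):
    """Return flows that touch an election subnet on one side and a
    non-internal address on the other, inside the audit window."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["date"])
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        src, dst = ip_address(row["src_ip"]), ip_address(row["dst_ip"])
        outbound = in_any(src, ELECTION_NETS) and not in_any(dst, INTERNAL_NETS)
        inbound = in_any(dst, ELECTION_NETS) and not in_any(src, INTERNAL_NETS)
        if outbound or inbound:
            hits.append((row["date"], row["src_ip"], row["dst_ip"],
                         row["dst_port"], "outbound" if outbound else "inbound"))
    return hits

if __name__ == "__main__":
    for hit in internet_flows(SAMPLE):
        print(hit)
```

An empty result only shows that the exported flows contain no such record; it says nothing about traffic that was never logged or that crossed a NAT boundary before collection, which is why the list also asks for NAT translations and routing tables.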

About ADI Staff Reporter
Under the leadership of Editor-in-Chief Huey Freeman, our team of staff reporters brings accurate, timely, and complete news coverage.