Computer Forensics Service Agreement: Fill & Download for Free

Before discussing evidence, it’s important to be clear that the assessment of the U.S. intelligence community is unanimous: Russia interfered with the election. It happened.The FBI, CIA, NSA, and ODNI all said so when they were run by Obama appointees, and they continue to say so now that they’re run by Trump appointees. DHS says so, too.Presidents, too. Obama said it. Bush said it. Trump said it. He tries to downplay it, but he said it. And his CIA Director and Secretary of State say they aren’t going to stop.And Congress, as well. Members of the House and Senate Intelligence Committees from both parties have said it.That’s two branches of government, two political parties, partisans and civil servants; Republicans, Democrats, and dedicated professionals living and breathing national security every day.Outside the U.S. government, private sector companies specializing in computer forensics have said it, even those that compete with each other and have strong incentive to prove the others wrong. More on that shortly.To be as clear as possible before moving on, the FBI, CIA, and NSA, through the Office of the Director of National Intelligence, published the following assessment:President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia's goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments.So, we’re confident the Russians attempted “an influence campaign” to interfere with the 2016 U.S. election, but what form did this take?The effort was multi-pronged:Establishing contact with the Trump campaign and those receptive to Russian overtures.Hacking into Democratic servers and leaking stolen information.Organized trolling using Russian agents and bots to maximize the propaganda value of the leaked emails, spread disinformation, disrupt political discourse, foment anger and vitriol, support Trump messaging, etc.Breaching U.S. election systems, either for 2016 or to set up actions for future elections.Item #1 relates to the ongoing collusion investigation of contacts between Russia and the Trump team. That would be a whole answer on its own, and it’s not even necessary to show evidence of the Russian interference, so I’ll just offer this quick summary:At least 12 Trump associates had contacts with Russians during the campaign or transitionThere were at least 19 face-to-face interactions with Russians or Kremlin-linked figuresThere were at least 51 communications -- meetings, phone calls, email exchanges and more.This flies in the face of at least nine blanket denials from Trump world of any contacts with RussiaIf you want to read the details behind that, go ahead: By the numbers: The Trump orbit's contacts with Russians is a good start, or for a more in depth timeline: All the known times the Trump campaign met with RussiansThe majority of this answer will focus on #s 2, 3, and 4.Now that we’ve established what we know, we can move on to how we know it. That part gets a bit more complicated.Although all those U.S. government entities say so with high confidence, they can’t exactly “show their work” to the general public without telling the Russians all the ways they used to catch them. If they did, they would not only be telling them how to avoid detection in the future, but endangering the lives of human intelligence sources (our spies and assets) and the continued viability of any electronic or cyber intelligence sources, such as any vulnerabilities we’ve exploited in their systems.Usually, it’s not just the sources and methods that are kept secret but everything. Generally, the public doesn’t get told anything U.S. intelligence knows, except in serious situations, like when they discovered Russia’s previous management, the Soviet Union, was secretly installing nuclear missile sites 90 miles off the coast of Florida, a scary incident known as the Cuban Missile Crisis.In this case, when they decided to go public, they made two reports, but we only got to see the unclassified one, which leaves out the sensitive details about how we know what we know. Here’s how it’s explained in the report:“Assessing Russian Activities and Intentions in Recent US Elections” is a declassified version of a highly classified assessment that has been provided to the President and to recipients approved by the President.The Intelligence Community rarely can publicly reveal the full extent of its knowledge or the precise bases for its assessments, as the release of such information would reveal sensitive sources or methods and imperil the ability to collect critical foreign intelligence in the future.Thus, while the conclusions in the report are all reflected in the classified assessment, the declassified report does not and cannot include the full supporting information, including specific intelligence and sources and methods.Since they can’t tell us their evidence, any answer to this question on Quora will be missing the majority of the evidence.However, even without them spilling all their secrets, there’s quite a bit that’s publicly known. And the preceding two sentences taken together should underscore just how overwhelming the evidence must be.One last thing before diving in, a quick note of caution: Do not be confused by talk about “the dossier” or “the Nunes memo” as they have little to do with this.Ok, so here’s some of the evidence that’s publicly known:Democratic servers were hacked by Russians. Although the government isn’t willing to expose all their evidence for this, we have plenty.Let’s start with the strong forensic information from multiple private sector firms.The Democratic National Committee suspected something happened but wasn’t sure what, so they “called in CrowdStrike, a security firm that specializes in countering advanced network threats.”While the infiltration was very advanced, within just two hours CrowdStrike discovered reams of evidence that left little doubt that not only did the Russians hack them, but two different Russian agencies had.Knowing that this was a big claim, they published their evidence. Their report is pretty specific. It’s not that long but includes all sorts of technical details, including excerpts from the actual code, among other things. Feel free to read it if you want to get deeper into the weeds.It’s not just the company the Democrats hired saying so: “Two competing cybersecurity companies, Mandiant (part of FireEye) and Fidelis, confirmed CrowdStrike's initial findings that Russian intelligence indeed hacked the DNC.” Now, we’re up to three saying so.Then a fourth cyber security firm “examined the forensic data from the DNC hack themselves, and endorsed Crowdstrike’s conclusions.” This company you might’ve even heard of: Symantec.The U.S. government confirmed the findings as well. A separate report we’ll get into later reiterated many of the points raised by CrowdStrike, including when each of the Russian intelligence agencies they identified infiltrated the DNC (the hacks were done at different times).Part of the evidence is that CrowdStrike had seen these digital fingerprints before. They investigate 15,000 hacks every year, so when their software analyzes systems, it recognizes that certain sequences of actions taken form patterns that become a unique signature. Wired explains, “Every action at a system level on the DNC's computers was recorded and checked against CrowdStrike's bank of prior intelligence (the company processes 28 billion computer events a day).” There are “a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow.”In other words, the companies are familiar with these hackers and know what to look for. Here’s a little blurb about how familiar they are with their modus operandi:“Security companies can tell you much more about these groups, their code, their infrastructures, and their methods. (The Finnish security firm F-Secure has an excellent 34-page write-up of [one of the Russian intelligence agency hacker groups], and FireEye has a deep dive into [the other Russian hacker group], among many other reports by different companies.) (PDF) From analysis of the dozens of malware packages used exclusively by these hackers, researchers can tell you that…“They’re usually compiled on machines with the language set to Russian.”“Both groups operate during working hours in Russia, and take Russian holidays off.”“Their targets are radically different from those of for-profit criminals hackers in Eastern Europe or anywhere else—no banks, no retailers with credit card numbers to steal—always governments, companies, journalists, NGOs, and other targets that the Russian government would be interested in.”One part of the hack involved tricking DNC employees with phony links that were used in previous hacks tied to Russia.As good as the Russians were at hacking, they made mistakes, during and after the hack. For example, they inadvertently left Russian-language metadata in the leaked files.Oops.There’s even Russian language error messages accidentally embedded due to the way they exported the docs. Crowdsourcing spotted that, not just the cyber firm. A Twitter user who used to work for British intelligence did some great analysis."error! invalid hyperlinks" in Russian... pic.twitter.com/T9jmLnNiKF— davi (((🐧))) 德海 (@daviottenheimer) June 15, 2016They tried to play the hack off like it was an independent hacker, but they could’ve done a better job there.The hacker they claimed to be, who was supposedly Romanian, didn’t speak Romanian.That and a few other giveaways… (see #14)14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username is founder of USSR secret police & likes laundering docs via Wikileaks.— Pwn All The Things (@pwnallthethings) June 15, 2016There was yet another hack, this one targeting the Clinton campaign directly.The hack used a similar technique as one of the DNC hacks used.Another private cyber security firm (we’re up to five now), this one called SecureWorks, discovered this was connected to other hacking attempts, some of which targeted NATO and the US military, and thousands more of which were aimed at Gmail accounts in Russia and neighboring countries of the former USSR. How they figured this out is explained in this NYT article: Was It a 400-Pound, 14-Year-Old Hacker, or Russia? Here’s Some of the Evidence, which also breaks down what is known about the identities of all those accounts targeted.“They found that of the targets outside the former Soviet Union, most were government or military personnel, aerospace professionals, political activists, authors and journalists.” In fact, breaking it down even further, “The journalists and authors in that group mostly wrote about Russia, Ukraine and global affairs, or were the spouses of military personnel.”“The government and military personnel in that group mostly served the United States, NATO and European countries.”To summarize: The U.S. government and five different cyber security firms all said it was Russia.If they’re wrong, either the Democrats or the “real” hackers pulled off the most amazing frame job in history. If it’s a conspiracy, it’s got to be the most massive, most successful conspiracy in history to include all the intelligence agencies (which frequently don’t get along) and five different private companies (which compete with each other).So far, we’ve reviewed the evidence from the security firms, but not the government. That’s about to change. Although the unclassified version of their report left out all info on sources and methods, there was a third report issued.That’s right, the FBI and DHS released a different report.One of the things that report said was that the phony login page used in the hacks was, as the New York Times explained, “hosted on a domain controlled by Russian intelligence services.” That’s what we call a smoking gun.The report talks about methods used by Russian hackers and includes some technical details about how they spot Russian cyber fingerprints and how to mitigate risks. Just read the summary at the beginning of the report and you’ll see they once again make clear how confident and clear they are that it is that Russia is behind it:Go ahead and read that report if you want to dive into the technical weeds.Of course, it’s not just the U.S. government and those five companies that purport to have evidence about Russian involvement:Report: Dutch spies caught Russian hackers on tapePutin’s Hackers Now Under Attack—From MicrosoftThere’s more, but this concludes the section about the hacks. Before I move on, I want to say that if you’re still skeptical, if you don’t think you’ve seen evidence, I encourage you to go see my source material and the sources they link to. Much like other technical areas of life, you have to either trust the consensus of experts in the field, or personally dive super deep in yourself, while also taking the time to educate yourself so you fully understand the information.With all that said, I recommend the following sources:Vice’s Excellent piece is a little old but more detailed than other treatments: “All Signs Point to Russia Being Behind the DNC Hack”CrowdStrike’s Report: “Intrusion into the Democratic National Committee”FBI/DHS Report detailing how Russia used cyber-espionageNYT explains that FBI/DHS report: “Was It a 400-Pound, 14-Year-Old Hacker, or Russia? Here’s Some of the Evidence”WaPo basically answers this Quora question: “Here’s the public evidence that supports the idea that Russia interfered in the 2016 election”ODNI’s FBI/CIA/NSA Report: Light on evidence per se, but offers very clear conclusions based on all the available evidence, even the Top Secret evidence we aren’t allowed to see.Daily Beast has good background on how recognizable these Russian hackers are because of their past hacks and modus operandi.Seriously, if you’re somehow still skeptical and really consider yourself open-minded, read the above sources.You got all that? Great, moving on…Timing: Selective leaks of the most damaging of the hacked information usually came at key times in the campaign, usually when Democrats were getting good coverage (their convention) or when Trump was getting bad coverage (e.g. the Access Hollywood tape).Distributors of hacked information: The U.S. intelligence community says it has high confidence that the leakers are acting on Russia’s behalf.Fake news purveyors (actually fake, not the ones Trump simply declares fake) based out of Russia, “troll factories,” are owned by a close Putin ally, posted misinformation about the election, as well as divisive comments, and retweets/posts linking to the fake news, which Americans would then repost themselves, comment on, argue about, and derail more serious/legit discourse.Just peruse some of these links to get a sense of how widespread it was, and obviously read any of interest:Russian troll describes work in the misinformation factoryInside the Russian 'troll factory' where recruits put out fake newsRussian troll factory paid US activists to help fund protests during electionHow Russia's troll army mobilized on election day in a final push to put Donald Trump in the White HouseRussian Twitter trolls exploited key election momentsTwitter says it exposed nearly 700,000 people to Russian propaganda during US electionHow to Tell if You've Liked or Followed a Russian "Fake News" Page on FacebookHere’s What We Know About Russia’s Use of American Social Media to Sway the ElectionRussia-backed Facebook posts 'reached 126m Americans' during US electionRussian propaganda effort helped spread ‘fake news’ during election, experts sayEven Trump Retweeted a fake Russian account: Trump Campaign Staffers Pushed Russian Propaganda Days Before the ElectionAbout Half of the news Michigan voters were exposed to on Twitter was fake, according to a study done by Oxford University. Michigan was one of the closest and most decisive states in the election.The researchers noted that the ratio of "professional to junk news" was "roughly one-to-one," and that "46.5% of all content presented as news" the election fell under "the definition of propaganda" when all the stories traceable to Russia were included.Russia bought U.S. advertising to drive opinion:Facebook says up to 10m people saw ads bought by Russian agencyThese Are the Ads Russia Bought on Facebook in 2016Russia paid Facebook in roubles for US election adsRussia created divisive events Americans showed up to:Russian trolls created Facebook events seen by more than 300,000 usersExclusive: Russia Used Facebook Events to Organize Anti-Immigrant Rallies on U.S. SoilRussia’s state owned media operate in the U.S., put out propaganda during the election, including on TV, radio, and internetThe US Intelligence report explained: “Russia’s state-run propaganda machine—comprised of its domestic media apparatus, outlets targeting global audiences such as RT and Sputnik, and a network of quasi-government trolls—contributed to the influence campaign by serving as a platform for Kremlin messaging to Russian and international audiences.”Alexa says RT’s web site gets 8% of their traffic from the U.S.. It’s currently ranked 370th in the world, but traffic is way down from where it was last year.They mainly go by RT, not Russia Today, so not everyone is aware of what they are. Even when they list it, they don’t say “We are government propaganda.” I saw their ads on NYC phone booths for a couple years before I knew who they were (not that I was watching). It would not be surprising if many Americans were watching it and not knowing it was Russian TV. It’s not like they’re speaking Russian — they had Larry King doing their election coverage.Larry King interviewing Donald Trump on a Russian government owned propaganda station broadcast in the United States.InfoWars, a favorite “news” source of Trump and Trump voters, published more than a thousand articles straight from Russian propaganda.Infowars peddled stories from a Russian propaganda outlet for yearsRussian propaganda even made it into Trump’s speechTrump Apparently Quotes Russian Propaganda To Slam Clinton On BenghaziRussia hacked state voting systems, too, but we don’t know to what extent, partially because states are unwilling to look. We’re still figuring it out.Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little ScrutinyWe learned this nearly a year after the election: Russia targeted election systems in 21 states, successfully hacking someJust last week, in February 2018, we learned it was even worse: Russians successfully hacked into U.S. voter systems, official saysRussian bots still influencing us. If you still don’t believe Russian bots could influence things much, think again. Just last month, they made #releasethememo a trending topic. They’re helping to obstruct the investigation into their 2016 actions.Russia-linked Twitter accounts are working overtime to help Devin Nunes and WikiLeaksHow Twitter bots and Russian accounts made #ReleaseTheMemo go viralHow Twitter Bots and Trump Fans Made #ReleaseTheMemo Go ViralIf you still don’t think Russian propaganda sites matter, consider that when searching for the story above, the first link I found and was momentarily fooled by, was actually an RT headline saying the Department of Homeland Security refuted that story about Russia hacking voter systems, that it was a mistake. That’s what they do, they spread doubt.I looked around some more and there are right wing sites saying similar things. Which said it first? Are the Russians giving the right wing ideas or are they repeating their ideas? I don’t know. They’re certainly amplifying the same message.Now, without getting too deep into the Trump campaign’s alleged involvement in the Russian interference, it’s worth pointing out one or two factors relevant to the above:A Trump adviser repeatedly claimed to know of upcoming WikiLeaks dumps and what they were about, and then turned out to be right. His story has changed and he denies it, offers alternate explanations, but that’s a piece of evidence to consider.Prior to the hacks being leaked, Donald Trump, Jr. was contacted about meeting with Russian government representatives to receive “sensitive information” as “part of Russia and its government’s support for Mr. Trump.” They promised them “official documents and information” that would damage Hillary and help their campaign.I wonder where all those “official documents and information” came from?Trump Jr. responded enthusiastically, “…I love it especially later in the summer. Could we do a call first thing next week when I am back?”“Later in the summer” is when the leaks of the hacked emails started happeningThe meeting with the Russians took place in Trump TowerThe meeting was attended by Donald Trump’s three top people: his son, son-in-law, and campaign manager (who is now under federal indictment).We know all this because reporters discovered it, then Trump Jr. published the emails confirming it. His story changed about 7 times regarding the content of the meeting and all the people in attendance.There’s a lot more information out there on every one of these topics, but now you should have a decent sense of the evidence that Russians interfered in the U.S. election.I know this was long so I’ll just leave you with three last points relating to Russia interfering with elections — we also know:They’ve attempted to do so in other countriesFrance is latest in long list of countries that have allegedly had elections hacked by RussiaThey intend to do so again in the 2018 U.S. midterm electionsUS intel chiefs unanimous that Russia is targeting midtermsThey may have hinted at their 2016 plans before the hacksIn February 2016:A top Russian cyber official told a security conference in Moscow that Russia was working on new strategies for the “information arena” that would be equivalent to testing a nuclear bomb and would “allow us to talk to the Americans as equals.”“You think we are living in 2016. No, we are living in 1948. And do you know why? Because in 1949, the Soviet Union had its first atomic bomb test. And if until that moment, the Soviet Union was trying to reach agreement with [President Harry] Truman to ban nuclear weapons, and the Americans were not taking us seriously, in 1949 everything changed and they started talking to us on an equal footing.”Krutskikh continued, “I’m warning you: We are at the verge of having ‘something’ in the information arena, which will allow us to talk to the Americans as equals.”Source: Russia’s radical new strategy for information warfareTwo months later, the DNC was hacked.

Loss of control. The best example to illustrate the problem is incident response and forensic investigation in the Cloud. When a cloud customer puts its sensitive data into the cloud it is completely reliant on the security and incident response processes of the cloud service provider in order to respondto a data breach.Whose “Interests” Come First? When an organization handling its own data suffers a breach it is clear that the organization will be investigating and managing the incident with its own interests as a priority. It has control of its systems and the data residing therein, and can make decisions that protect its interests from a business and liability perspective. In contrast, If a cloud provider suffers a data breach exposing its customers’ data, its interests may not be (and perhaps often are not) aligned with its customers’. To the extent the service provider faces potential liability, its handling of a breach situation may favor its own interests. Cloud customers may not have the control or access to systems they would typically enjoy in order to investigate, gather evidence and remediate a data breach. Also, since many clouds service multiple customers on the same computers or networks, the providers may favor the interests of some customers over others.Forensic Investigations and eDiscovery in the Clouds.Another related challenge involves the ability of a customerto conduct a forensic investigation when its cloud provider suffers a data breach. If a breach occurs internally at a customer, it would not be unusual for that customer to retain a forensic firm (or use in house resources) to conduct a forensic investigation of the data breach. Forensic assessments typically require investigators physically to access breached computers on site, and measures taken forensically to acquire and obtain data may interrupt or impede systems. As such, in the cloud context the cloud provider may not allow its customers to access (physically or remotely) its servers or otherwise conduct a forensic examination of its systems after a data breach. Some cloud providers take the position that, since their servers are shared by multiple parties, the forensic acquisition of data from those servers would expose the confidentialinformation of the provider’s customers (possibly in violation of a non-disclosure agreement or other confidentiality legal obligations), or impact the availability of systems to other customers. The potential for multiple customers demanding the right to conduct their own forensic investigation in the wake of a breach, at the same time, is another reason cited for disallowing forensic investigations. In addition, as discussed above, a cloud provider may want to limit their customers’ ability to investigate a data breach in order to protect the provider’s own interests and limit potential liability.The Multi-Cloud Provider Problem.In the cloud context it is often the case that the cloud provider with whom an entity is contracting (the “direct provider”) is not the cloud provider thatwill actually be processing, storing and transmitting the customer’s data (the“third party provider”). If it is difficult to gain access to, conduct a forensic assessment with, and coordinate with a direct provider with a contract, it may be virtually impossible when the customer has no contract rights whatsoever.

There is no right or wrong, black or white, it’s a field of gray, depending on a number of factors.How did this arrangement come to pass, did your neighbor ask to use your WiFi or did you offer? Does your neighbor get a good strong signal, or is it degraded? Will they be using it to stream NetFlix or other video? Will they be depending on it for VoIP phone service? Is the neighbor a friend or a barely an acquaintance? Do you trade favors, do you help each other out when it’s needed?You must weigh your relationship, quality of service, etc., to decide whether or not you feel comfortable asking for compensation.But regardless of whether or not you charge them, you should have a written agreement with them, and it should explicitly prohibit illegal activity over your connection. Because if your neighbor tries to hack a bank or gov’t system, it will initially appear that you are the perpetrator. Understand you are depending on their integrity.Law enforcement will confiscate all of your computers no matter what, but if you have written proof that your neighbor is also using your connection, that’s probable cause, they will take their computers too, and figure out forensically who did it.