HUGE – AZ AUDIT: Special Master Names Computer Experts To Examine Maricopa County Routers And Splunk Logs – Questions from the Arizona State Senate to Special Master John Shadegg Released

The final section of the Arizona Senate full forensic audit of Maricopa County’s 2020 election is finally beginning.

The Gateway Pundit recently reported that the audit of routers and Splunk logs used in the 2020 election would begin shortly.

Arizona Senate President Karen Fann told TGP that Arizona Attorney General Mark Brnovich has spoken to numerous people for his criminal investigation.

Yesterday, Arizona State Senator Wendy Rogers tweeted a major update.

Three IT experts were selected to conduct the audit.

Splunk log and router update. Glad to see it moving along. pic.twitter.com/m1ZoSvmbux

— Wendy Rogers (@WendyRogersAZ) January 28, 2022

Special Master Names Computer Experts To Examine County Routers And Splunk Logs

As agreed, by the parties, the examination of the routers and Splunk logs is for the purpose of answering questions posed by the Senate related to the November 3, 2020, General Election during the time between October 7 and November 20, 2020.

The experts who will work with the Special Master to answer the questions are:

 

Principal Cyber Cybersecurity Threat Analyst

Cyber Threat Intelligence Network, Inc.

 

Brad E. Rhodes

Independent Cybersecurity Consultant & Adjunct Professor

Gannon University

 

Andrew Keck

Chief Technology Officer – Owner

Profile Imaging of Columbus, LLC

The Arizona Senate has provided their questions to the Special Master.

1. Is there any evidence that the routers or managed switches in the election network, or election devices (e.g., tabulators, servers, signature-matching terminals, etc.), have connected to the public internet?
2. How, if at all, were the routers and managed switches in the election network secured against unauthorized or third party access? Is there any evidence of such access?
3. Do the routers or splunk logs contain any evidence of data deletion, data purging, data overwriting, or other destruction of evidence or obstruction of the audit?
4. In preparing and in support of your answer to each of the foregoing questions, please consider and explain whether each of the following supports or undermines your previous answers and, further, provide copies of each of the following:
   1. output from the show clock detail command.
   2. output from the show version command.
   3. output from the show running-config command.
   4. output from the show startup-config command.
   5. output from the show reload command.
   6. output from the show ip route command.
   7. output from the show ip arp command.
   8. output from the show users command.
   9. output from the show logging command.
   10. output from the show ip interface command.
   11. output from the show interfaces command.
   12. output from the show tcp brief all command.
   13. output from the show ip sockets command.
   14. output from the show ip nat translations verbosecommand.
   15. output from the show ip cache flow command.
   16. output from the show ip cef command.
   17. output from the show snmp user command.
   18. output from the show snmp group command.
   19. output from the show clock detail command.
   20. output from the show audit command.
   21. output from the show audit filestat command.
   22. output from the show access-list command
   23. output from the show access-list [access-list-name] for each access listcontained on each router.
   24. output from the show access-list appliedcommand.
   25. output from the show routing table command
   26. output from the show ARP command.
   27. listing of all interfaces, the MAC address for each interface and the correspondingIP addresses for each MAC.

bb. output from the show IP Arp command for eachof the IP addresses associated with

the router.
cc. results of the write core command.
dd. listing of all current and archived router configuration files (including the name,

date of creation, date of modification, size of the file andhash valued of each configuration file).

ee. the routing table and all static routes.
ff. a listing of all MAC addresses for all devices (tabulators, poll books, HiPro

Scanners, ICC, Adjudication Workstations, EMS Workstations, and Election

ManagementServer, etc) utilized in the November 2020 general election.
gg. reports from the Router Audit Tool.
hh. Complete listing of the Splunk indexers including the MAC address and IP address

for each indexer.
ii. collective analysis, using Red Seal, of all routers contained in the Maricopa County

network and routing reports to the internet for each interface (including any routes that would allow connections from the 192.168.100.x, 192.168.10.x and 192.168.5.x subnets).

jj. netflow data for the voting network and all other networks leading to the gateway router(s) that have internet access containing the following data elements for each data transmission:

• Date
• Source MAC Address
• Source IP Address
• Source Port
• Destination MAC Address
• Destination IP Address
• Destination Port
• Type of protocol
• Size of the packet.

kk. Splunk data containing the following data elements at a minimum:

• Date
• Source MAC Address
• Source IP Address
• Source Port
• Destination MAC Address
• Destination IP Address
• Destination Port
• Type of protocol
• Size of the packet.
• Any affiliated Splunk alert or notification data

ll. netflow and splunk data related to any unauthorized access by Elliot Kerwin or his affiliates of the Maricopa County registration server and/or network.

mm. all splunk data related to the following windows logs on the EMS Server: EMS Workstations, Adjudication Workstations, ICC systems, HiPro Scanners, and thePoll Worker laptops.

For each of the foregoing questions, please limit your answers to the time period beginning on October 7, 2020 and ending on November 20, 2020.

The post HUGE – AZ AUDIT: Special Master Names Computer Experts To Examine Maricopa County Routers And Splunk Logs – Questions from the Arizona State Senate to Special Master John Shadegg Released appeared first on The Gateway Pundit.