The final section of the Arizona Senate full forensic audit of Maricopa County’s 2020 election is finally beginning.
The Gateway Pundit recently reported that the audit of routers and Splunk logs used in the 2020 election would begin shortly.
Arizona Senate President Karen Fann told TGP that Arizona Attorney General Mark Brnovich has spoken to numerous people for his criminal investigation.
Yesterday, Arizona State Senator Wendy Rogers tweeted a major update.
Three IT experts were selected to conduct the audit.
Splunk log and router update. Glad to see it moving along. pic.twitter.com/m1ZoSvmbux
— Wendy Rogers (@WendyRogersAZ) January 28, 2022
Special Master Names Computer Experts To Examine County Routers And Splunk Logs
Former U.S. Congressman John Shadegg, serving as the Special Master in the settlement agreement relating to the subpoenas issued by the Arizona State Senate to Maricopa County, Arizona, is releasing the names of the computer experts who will examine the County’s routers and Splunk logs
As agreed, by the parties, the examination of the routers and Splunk logs is for the purpose of answering questions posed by the Senate related to the November 3, 2020, General Election during the time between October 7 and November 20, 2020.
The experts who will work with the Special Master to answer the questions are:
Jane Ginn
Principal Cyber Cybersecurity Threat Analyst
Cyber Threat Intelligence Network, Inc.
Brad E. Rhodes
Independent Cybersecurity Consultant & Adjunct Professor
Gannon University
Andrew Keck
Chief Technology Officer – Owner
Profile Imaging of Columbus, LLC
The Arizona Senate has provided their questions to the Special Master.
Questions from the Arizona State Senate to Special Master John Shadegg
- Is there any evidence that the routers or managed switches in the election network, or election devices (e.g., tabulators, servers, signature-matching terminals, etc.), have connected to the public internet?
- How, if at all, were the routers and managed switches in the election network secured against unauthorized or third party access? Is there any evidence of such access?
- Do the routers or splunk logs contain any evidence of data deletion, data purging, data overwriting, or other destruction of evidence or obstruction of the audit?
- In preparing and in support of your answer to each of the foregoing questions, please consider and explain whether each of the following supports or undermines your previous answers and, further, provide copies of each of the following:
- output from the show clock detail command.
- output from the show version command.
- output from the show running-config command.
- output from the show startup-config command.
- output from the show reload command.
- output from the show ip route command.
- output from the show ip arp command.
- output from the show users command.
- output from the show logging command.
- output from the show ip interface command.
- output from the show interfaces command.
- output from the show tcp brief all command.
- output from the show ip sockets command.
- output from the show ip nat translations verbosecommand.
- output from the show ip cache flow command.
- output from the show ip cef command.
- output from the show snmp user command.
- output from the show snmp group command.
- output from the show clock detail command.
- output from the show audit command.
- output from the show audit filestat command.
- output from the show access-list command
- output from the show access-list [access-list-name] for each access listcontained on each router.
- output from the show access-list appliedcommand.
- output from the show routing table command
- output from the show ARP command.
- listing of all interfaces, the MAC address for each interface and the correspondingIP addresses for each MAC.
bb. output from the show IP Arp command for eachof the IP addresses associated with
the router.
cc. results of the write core command.
dd. listing of all current and archived router configuration files (including the name,date of creation, date of modification, size of the file andhash valued of each configuration file).
ee. the routing table and all static routes.
ff. a listing of all MAC addresses for all devices (tabulators, poll books, HiProScanners, ICC, Adjudication Workstations, EMS Workstations, and Election
ManagementServer, etc) utilized in the November 2020 general election.
gg. reports from the Router Audit Tool.
hh. Complete listing of the Splunk indexers including the MAC address and IP addressfor each indexer.
ii. collective analysis, using Red Seal, of all routers contained in the Maricopa Countynetwork and routing reports to the internet for each interface (including any routes that would allow connections from the 192.168.100.x, 192.168.10.x and 192.168.5.x subnets).
jj. netflow data for the voting network and all other networks leading to the gateway router(s) that have internet access containing the following data elements for each data transmission:
- Date
- Source MAC Address
- Source IP Address
- Source Port
- Destination MAC Address
- Destination IP Address
- Destination Port
- Type of protocol
- Size of the packet.
kk. Splunk data containing the following data elements at a minimum:
- Date
- Source MAC Address
- Source IP Address
- Source Port
- Destination MAC Address
- Destination IP Address
- Destination Port
- Type of protocol
- Size of the packet.
- Any affiliated Splunk alert or notification data
ll. netflow and splunk data related to any unauthorized access by Elliot Kerwin or his affiliates of the Maricopa County registration server and/or network.
mm. all splunk data related to the following windows logs on the EMS Server: EMS Workstations, Adjudication Workstations, ICC systems, HiPro Scanners, and thePoll Worker laptops.
For each of the foregoing questions, please limit your answers to the time period beginning on October 7, 2020 and ending on November 20, 2020.
Arizona Attorney General Mark Brnovich should have all the evidence needed to complete his criminal investigation once this audit is finished.
