A local Board of Supervisors voted unanimously in to authorize the Forensic Audit of ballot tabulation equipment; the culmination of a year-long effort to ensure the accuracy of the voting hardware and software used in the local division elections.
SLI Compliance’s team performed analysis of the election equipment’s software and hardware hacking vulnerability, verified that no malicious software was installed, and tested tabulators to ensure there was no information being sent or received via internet.
The election equipment and software passed all tests performed by the SLI Compliance VSTL team.
Scope of Project:
The forensic audit was conducted on the division’s voting system and included an examination of the following items:
- Central count tabulators which are used for processing large quantities of ballots.
- Workstations and servers used to operate the election management system (EMS), which includes pre-election functions for creating the election definition for the specified election, as well as post-election activities including accumulating, tallying, and reporting election results.
- Precinct-based tabulators that were utilized in the election, at the polling centers.
- Adjudication stations, which allow ballots with exceptions or out stack conditions such as over-votes, blank ballots, write-ins, and marginal marks, to be resolved.
This effort included verification of the following items:
- Verified that the software installed on the tabulation equipment was the same as the software certified by the U.S. Election Assistance Commission and the Secretary of State.
- Verified that no malicious software was running on the components.
- Verified that the components were not connected to the internet and that they had not been connected to the internet during a specified period.
- Performed a physical audit of the components to verify there was no unexpected hardware.
Process:
SLI Compliance conducted the forensic audit in a way that maximized efficiencies in examining the election artifacts.
The process included creation of disk images that allowed the examiners to audit and analyze the systems without the risk of changing the original system environments. Once the system media was imaged the examiners were able to mount and use forensic tools to inspect the systems for indicators of internet connectivity, as well as indicators of malicious or unauthorized software present on the systems.
County and Manufacturer mandates require that devices used for elections must be isolated from all non-election-related equipment and connections. To accommodate these requirements, SLI Compliance provided technological capability to block any data alterations to election-related media or resources. They achieved this by using specialized technology designed to prevent changes to the election media throughout the forensic investigation. The Hardware and software tools employed hardware-level, read-only, write-blocking features to eliminate the risk of unintentional changes to election-related media during the audit process. Additionally, the tool came equipped with several write-protected ports, facilitating the secure connection of various types of storage media in a read-only, write-protected fashion.
The tool provided read-only, write blocking technology at a hardware layer, preventing inadvertent modification of election media during the audit. The tool also provided multiple write protected ports that allowed for a wide variety of storage media to be connected in a read only write protected manner.
Examination for Item #1, verification of hashes, included usage of:
- A hashing application for hashing extracted files utilizing a Sha256deep algorithm.
- MS Excel spreadsheet utilizing comparison formulas for comparing and determining if files matched the hash codes.
Examination for Item #2, checking for malicious software, included usage of:
- Antivirus checks for software threats including viruses and spyware.
- Malwarebytes protection against software threats like viruses, malware, and spyware
- A digital examination tool used to extract data, including hidden data, from a PC.
- Manual review utilizing a malicious software review checklist.
- For the EMS servers, due to their configuration, a different antivirus was utilized for examination.
Examination for Item #3, internet connectivity check, included usage of
- a digital examination tool was used to extract data, including hidden data, from a PC.
- Manual review utilizing an internet connectivity review checklist.
Examination for Item #4
- Four devices were opened to show the internal components resident within
- A fifth device was opened, and all components removed from the chassis for a full examination of each internal component.
Summary of Audit Results:
SLI Compliance completed the audit of the local election division’s voting system components.
SLI Compliance maintained the integrity of the audited system components by performing a an image of all systems examined by SLI Compliance, except for the two EMS servers. that were live systems. Unused media from original packaging was used to remove or extract data from the live systems. In all instances, when removing or examining system storage media, proof of write back protection was demonstrated to protect the election infrastructure’s air-gapped environment.
Physical examination of the election infrastructure indicated that the physical setup of the systems was arranged so that all network connectivity was clearly marked and delineated. This means that, at any time, observers could examine and determine that the election systems were connected only to authorized networking. Separate cable runs were positioned to clearly identify all network cabling to and from election devices, and cables were color coded for easy identification. In addition, the entire election area was fully covered by cameras that may be used for observing the election process and maintaining a historic record of events on the election processing floor.
While the systems examined showed no malicious or networking related USB devices being
connected, the systems examined didn’t provide a physical or a digital method of preventing unauthorized USB devices to the systems. In this case, policy drives control of USB connectivity.
For the four items being examined,
- Verified that the software installed on the tabulation equipment was the same as the software that was certified by the U.S. Election Assistance Commission and the Secretary of State.
- This item is applicable to the precinct scanner, EMS (election management system – workstations and servers), the central count system and Adjudicator (ballot resolver).
- SLI Compliance’s findings indicate that the installed software remained unmodified from the EAC certified release.
- Verified that no malicious software was running on the component.
- This item is applicable to the precinct scanner, EMS (election management system – workstations and servers), the central count system and Adjudicator (ballot resolver).
- SLI Compliance’s findings indicate that the installed software did not contain any malicious software components.
- Verified that the components were not connected to the internet and that they had not been connected to the internet during the specified period.
- This item is applicable to the precinct scanner, EMS (election management system – workstations and servers), the central count system and Adjudicator (ballot resolver).
- One component had a log entry of a connection attempt, with no corresponding DNS failure message. Examination of all other log files on that machine did not provide evidence of a successful internet connection. No other component examined had any anomalies.
- Performed a physical audit of the components to verify there was no unexpected hardware (precinct scanners).
- This item is applicable to the precinct scanner.
- SLI Compliance’s findings indicate that the installed hardware was only the hardware that was certified as part of the EAC certification and that none of the examined components contained any malicious or unexpected hardware components.
What we did
- Forensic Audit