CrowdStrike, Comey & Conflicting Claims?

By Adam Carter --- July 16th, 2017

CrowdStrike Gave Forensic Images To The FBI

On July 5th, 2017, an article was posted in the Washington Times titled "Hacked computer server that handled DNC email remains out of reach of Russia investigators" and, for me, it was a refreshing change.

The article covered the questions and doubts raised about the reputation of CrowdStrike, the cyber-security firm that investigated the DNC's network and computers in 2016, initially following the discovery of malware, and later (on June 14th, 2016) claimed that the hackers were still on, or had returned to, the network.

Increasingly, people have been asking why CrowdStrike didn't produce any hard evidence (logs, disk images, etc.) related to the DNC hack. It is something I recently made a statement about too, outright stating that CrowdStrike did not give disk images to the FBI in relation to the emails being hacked.

You can imagine my joy when confronted with the news that CrowdStrike had actually given disk images to the FBI. - Had I screwed up? Was it retraction time? Was Thomas Rid's assumption accurate?

On the surface it would seem so, however, beneath the surface, things are a little more complicated and Comey's testimony explains why...


Comey's Testimony

So, CrowdStrike gave the FBI the images, yet James Comey is implying that they had to rely on CrowdStrike's findings.

While it's true that a forensic image is not the same thing as the physical hard disk, for Comey to suggest sole reliance on CrowdStrike's reporting when the FBI had evidence of its own to inspect would have been misleading, and a knowingly misleading statement to Congress is a serious matter.

So what's going on here?


Who's Telling The Truth?

While their statements seem to conflict with one another, it's always important to think about time (and to be observant of how CrowdStrike phrases things in relation to time).

If you re-read CrowdStrike's statement, you may notice that they said they had provided the forensic images to the FBI in May.

If they were referring to early May (before the emails actually left the DNC), then CrowdStrike's claim would be accurate (though a bit misleading, if they are using it to defend their lack of evidence for the period in which the emails were apparently accessed), and it would make Comey's claim valid too: a forensic image is a snapshot, so the images the FBI had could not be used to investigate anything that happened after the date they were taken.

So, the most likely explanation, short of somebody lying, is that the FBI does not have disk images from any point during or following the alleged email hack.

CrowdStrike's defense in the Washington Times does not detract, in the slightest, from the significance of CrowdStrike's failure to produce evidence of a hack. With Falcon installed between April and early May, they should have had telemetry showing when files, emails, etc. were copied or sent. That information has never been disclosed.