Digital forensics

Election-Hacking: Time for Forensics

August 4, 2017 by Daniel Brecht

Is it possible that an electronic vote-count manipulation determined who won the 2016 United States elections? Depending on which political side you ask, the answer varies. President Trump said he won the Nov. 8 vote fairly and rebutted any talk of interference. At the same time, Russian officials denied accusations of any meddling in America’s election. U.S. intelligence, however, points to signs that a cyber campaign was orchestrated by Russian organizations (with Vladimir Putin’s blessing) in an effort first to impede Hillary Clinton’s run for the presidency, then to help Donald Trump become the 45th U.S. President or, even more probably, simply to discredit the American democratic process. Before stepping down, former President Barack Obama demanded a “full review” of the possible election-related hacking, with particular attention to the targeting of Democratic officials and political committees, to verify whether Hillary Clinton’s loss in the presidential election was to be imputed to external factors rather than to the will of the voters of the United States. Were there any manipulations of the vote? If so, was any trace left behind to prove it?

Forensic investigators are the go-to experts to conduct this review and confirm or disprove any hack events or actions on a wide variety of electronic voting machines. Depending on their state of residence, many Americans have been able to cast their ballots electronically in a variety of ways. Some, for example, have been able to use computers located in voting rooms with touch screens and ballots recorded directly. Direct Record Electronic (DRE) e-voting machines are designed to cast and count votes; the tallies are then transmitted via the Internet or kept in memory. DRE voting machine failures have already been noted in preceding elections and, through the years, many critics have raised questions about the system’s integrity and about the confidentiality of election data.

Following years of debate about whether or not to use Internet-facing electronic voting machines (EVMs) for conducting elections online, current efforts are underway to promote the integrity of forthcoming e-ballots to make them at least as secure and reliable as those sent by mail. However, the online voting experience still needs a trusted secure platform that can keep ballots and voter data safe; this is the highest priority.

A Forensic Investigation: Gathering Digital Evidence of the Election Hacking

With former FBI Director James Comey’s deposition still at the center of attention, there is a lot of interest in understanding whether or not Trump campaign officials were connected to any vote manipulation effort and, if so, whether any digital forensic evidence was found and what came of the analysis that was conducted. Then again, how could allegations of hacking be proved? Simply, with a painstaking forensic investigation that looks for the telltale signs of intrusion, however subtle, and for the hard-to-ignore evidence it leaves behind. Forensic analysis has played a major role in determining whether or not rigging has taken place in the U.S. presidential election. The first signs of the alleged Russian intrusions were found on the Democratic National Committee (DNC)’s servers; at least that is what CrowdStrike’s digital forensics teams revealed. After monitoring and scouring all systems, they were able to provide invaluable insight on actors that might have targeted and compromised electoral results or, at the bare minimum, accessed and collected sensitive documents. CrowdStrike is a private cyber security company that offers a range of services, from the protection of systems and incident response to risk assessment and breach mitigation. The company boasts important customers as well as a number of renowned technological partners, including branches of IBM, Amazon, and Google.

When the Democratic National Committee (DNC) suspected a breach of its systems, it immediately called CrowdStrike, which intervened with an incident response team and quickly realized that traces of intrusions by two groups were present. CrowdStrike’s incident response team discovered that two APT hacking groups, COZY BEAR and FANCY BEAR, had targeted the DNC servers; both groups attack government and political organizations, aside from working to dismantle the campaigns of presidential contenders. CrowdStrike’s analysts already had very good knowledge of both organizations, as they are famous in the field for having strong connections to the Russian government and its intelligence services; these groups have been tied to espionage driven by political and/or economic motives and have made the news several times in the past for breaching the systems of multinational companies throughout the world as well as government entities. In particular, COZY BEAR was able to infiltrate the networks of the White House, the US Joint Chiefs of Staff, and the Department of State. FANCY BEAR, instead, has been linked to attacks against military agencies and defense ministries, but it has also made the news for attacks on famous TV stations in Germany and France.

The two intruders seem to have attacked through a number of techniques that were difficult to detect; for example, they continuously changed their methods of entry to avoid detection. The COZY BEAR attack modes normally include a spear phishing campaign that eventually leads to infecting systems with remote access tools like ATI-Agent, AdobeARM, and MiniDionis. The dropper and the payload can “recognize” the security software loaded on the systems and can disguise themselves, hide, or remove themselves if in danger of being discovered. FANCY BEAR uses droppers and malware able to infect machines running any operating system, but it is normally characterized by its use of fake domains that resemble those of its targets, used to phish credentials.

According to CrowdStrike’s analysis, the two groups had been attacking the DNC independently since Summer 2015 (CozyBear) and April 2016 (FancyBear). CozyBear’s “intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell back door with persistence accomplished via Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule.” FancyBear instead used a “Tunnel network tunneling tool, which facilitates connections to NAT-ed environments [and] was used to also execute remote commands. […] They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.”

How could forensic investigators, then, discover the attacks and attribute them? Pattern recognition is the first method: they begin by looking for, and hoping to find, known patterns of behavior and clues. One of the ways is to check logs for data leaving the network and to trace its path. Using a number of forensic tools, they can also look for known traces of the use of particular software that has previously been attributed to particular hacker groups. CrowdStrike analyzed systems, found PowerShell commands, and collected malware samples, digital signatures and IP addresses that allowed them to make an educated guess on who the possible hackers could be; in particular, for example, they found a variant of the “X-Agent” malware and tools like X-Tunnel that they had previously been able to link to Russian hacking activity.
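The two detection ideas in the preceding paragraphs (flagging the anti-forensic log clearing and WMI persistence described in the CrowdStrike quote, and matching outbound connections against indicators previously attributed to a group) can be written as a small rule set. The following is an added example, not code from the article, CrowdStrike or any investigation; the event records, the connection log and the indicator list are constructed, and the host names and addresses are placeholders. The only real values are the Windows event IDs: 1102 (Security log cleared), 104 (System log cleared) and 5861 (a permanent WMI event consumer registered, in the Microsoft-Windows-WMI-Activity/Operational channel).

```python
"""Detection of event-log clearing, WMI persistence and known-indicator contacts.

Added example (not from the article or from CrowdStrike). The event records,
the connection log and the indicator list are constructed; only the Windows
event IDs are real.
"""

# Real Windows event IDs a defender watches for. 1102: Security log cleared.
# 104: a log was cleared (System channel). 5861: permanent WMI event consumer
# registered, the mechanism behind the WMI persistence described in the text.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
WMI_PERSISTENCE = ("Microsoft-Windows-WMI-Activity/Operational", 5861)

# Constructed event records, shaped as a SIEM might hand them to a rule.
EVENTS = [
    {"time": "2016-04-20T02:10:05Z", "host": "WS-17", "channel": "Security", "id": 4624},
    {"time": "2016-04-20T02:12:33Z", "host": "WS-17",
     "channel": "Microsoft-Windows-WMI-Activity/Operational", "id": 5861},
    {"time": "2016-04-20T02:15:00Z", "host": "WS-17", "channel": "Security", "id": 1102},
    {"time": "2016-04-20T02:15:01Z", "host": "WS-17", "channel": "System", "id": 104},
    {"time": "2016-04-20T02:20:00Z", "host": "WS-03", "channel": "Security", "id": 4634},
]

# Constructed outbound connection log (firewall style). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real indicators.
NETLOG = """\
2016-04-20T02:11:00Z WS-17 10.0.5.17:49201 -> 203.0.113.45:443 bytes_out=1820334
2016-04-20T02:11:05Z WS-03 10.0.5.3:49877 -> 198.51.100.7:443 bytes_out=2048
2016-04-20T02:13:40Z WS-17 10.0.5.17:49230 -> 203.0.113.45:443 bytes_out=91233
"""

# Placeholder indicator list standing in for addresses previously attributed
# to a known group; the value is made up for this example.
IOC_IPS = {"203.0.113.45"}


def detect_anti_forensics(events):
    """Return (host, channel, id, label) for log-clearing and WMI-persistence events."""
    findings = []
    for ev in events:
        key = (ev["channel"], ev["id"])
        if key in LOG_CLEARED:
            findings.append((ev["host"], ev["channel"], ev["id"], "log cleared"))
        elif key == WMI_PERSISTENCE:
            findings.append((ev["host"], ev["channel"], ev["id"], "wmi persistence"))
    return findings


def match_iocs(netlog, ioc_ips):
    """Return (host, dst_ip, bytes_out) for every connection to an indicator address."""
    hits = []
    for line in netlog.splitlines():
        if not line.strip():
            continue
        _time, host, _src, _arrow, dst, bytes_field = line.split()
        dst_ip = dst.rsplit(":", 1)[0]          # strip the destination port
        if dst_ip in ioc_ips:
            hits.append((host, dst_ip, int(bytes_field.split("=", 1)[1])))
    return hits


def correlate(events, netlog, ioc_ips):
    """Hosts that both contacted an indicator and showed anti-forensic activity."""
    suspicious = {h for h, *_ in detect_anti_forensics(events)}
    contacted = {h for h, *_ in match_iocs(netlog, ioc_ips)}
    return suspicious & contacted


if __name__ == "__main__":
    for f in detect_anti_forensics(EVENTS):
        print("anti-forensics:", f)
    for h in match_iocs(NETLOG, IOC_IPS):
        print("ioc hit:", h)
    print("hosts to triage first:", sorted(correlate(EVENTS, NETLOG, IOC_IPS)))
```

The log-clearing rule is deliberately dumb: a cleared Security log is itself the artifact, since the clear event survives as the first record of the new log, so the absence of history becomes evidence rather than a dead end. The correlation step is what turns two weak signals into a triage priority: a host that talked to a known-bad address and then wiped its logs deserves imaging before a host that did only one of the two.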

The incident eventually brought closer scrutiny of the matter by U.S. government agencies. A leaked top-secret National Security Agency document published by the online news outlet The Intercept gave insight into the mechanics of Russian hacking of the voting systems, with the aim of connecting the election-season hacking campaign to the Kremlin. Also, as Tara Seals, US/North America News Reporter at Infosecurity Magazine, mentioned, the FBI agreed with the CIA’s assessment “that Russia mounted a wide-ranging covert operation to interfere with the US Presidential election.” The FBI, however, was unable to gain direct access to the DNC servers until after mitigation measures were in place and CrowdStrike had completed its assessment.

The DNC attack was not the only case investigated. The media also learned that a Republican National Committee database containing personal data of nearly all registered American voters was left available on a public server for 12 days; this was discovered on June 12, 2017, according to Chris Vickery, a risk analyst at the cyber security firm UpGuard, who “characterized the discovery as ‘perhaps the largest known exposure of voter information in history.’” The episode involved a spreadsheet covering nearly 200 million Americans stored on a server run by Amazon’s cloud hosting business; the document was left vulnerable and unprotected (not even locked by a password), so that anyone with Internet access could easily have downloaded the file and gained access to all the information it contained after reaching the server, reported The Washington Post. This promptly prompted a detailed forensic investigation, which seems to have found no evidence that anyone who accessed the server went on to compromise the files. Nevertheless, for days the names, dates of birth, addresses, phone numbers, ethnicity, religion, and voter registration details of millions of voters were exposed to whoever could have a use for the data.

Data exposure and intrusions are not the only episodes that have been analyzed in conjunction with the latest U.S. elections. Some evidence seems to suggest that at least a part of the votes tabulated by computerized voting equipment might have been targeted or compromised to undermine the Democratic nominee Hillary Clinton while helping Republican Donald Trump win the 2016 presidential election. How was the potential breach discovered? Well, electoral forensics is a series of techniques (mostly statistical) used to look for anomalies in the tallies. It is not an exact science, as there are normally no sure results or hard evidence; there are also often disagreements on which tools to use in researching abnormalities. Nevertheless, when reviewing the results of the last U.S. presidential election, some numbers did raise eyebrows. As noted by The New York Times magazine, for example, there might be evidence that voting machines were tampered with in Wisconsin, Michigan, and Pennsylvania, three states that Donald Trump won. There is no computer forensic evidence at the moment, but voting activists and some university experts noted that candidate Clinton received 7 percent fewer votes in counties where electronic-voting machines were used compared with counties that relied on optical scanners and paper ballots. Of course, the assessment did not take into consideration possible demographic differences in those specific precincts or the general voting trend in the region; knowing such data is important when analyzing numbers for possible abnormalities.
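The caveat at the end of the paragraph, that a raw comparison of counties by voting technology says nothing until demographics are controlled for, is easy to see on constructed numbers. The block below is an added example, not analysis from the article or from the experts it cites; the eight counties, their strata and their vote shares are invented so that the raw DRE-versus-paper gap is large while the gap inside each stratum is zero. In real electoral forensics the strata would be demographic variables (urbanicity, income, past vote share) and the test would be a regression with far more data, but the mechanism shown is the same.

```python
"""Stratified comparison of candidate vote share by voting technology.

Added example (not from the article). The county rows are constructed so that
a raw DRE-versus-paper comparison shows a large gap which vanishes once
counties are compared within the same demographic stratum: the technology mix
differs between strata, so demographics masquerade as a technology effect.
"""
from collections import defaultdict
from statistics import mean

# Constructed county-level results: (county, technology, stratum, candidate share %).
COUNTIES = [
    ("A", "paper", "urban", 60.0),
    ("B", "paper", "urban", 62.0),
    ("C", "paper", "urban", 58.0),
    ("D", "paper", "rural", 40.0),
    ("E", "dre",   "urban", 60.0),
    ("F", "dre",   "rural", 40.0),
    ("G", "dre",   "rural", 42.0),
    ("H", "dre",   "rural", 38.0),
]


def mean_share(counties, technology):
    """Mean candidate share over counties using `technology`, or None if there are none."""
    shares = [share for _, tech, _, share in counties if tech == technology]
    return mean(shares) if shares else None


def raw_gap(counties):
    """DRE mean share minus paper mean share, ignoring demographics entirely."""
    dre, paper = mean_share(counties, "dre"), mean_share(counties, "paper")
    if dre is None or paper is None:
        return None                      # cannot compare without both technologies
    return dre - paper


def stratified_gaps(counties):
    """The same gap, computed separately within each demographic stratum."""
    by_stratum = defaultdict(list)
    for row in counties:
        by_stratum[row[2]].append(row)
    return {stratum: raw_gap(rows) for stratum, rows in by_stratum.items()}


def technology_mix(counties):
    """Fraction of counties in each stratum that used DRE machines.

    An imbalance here is the confounder: if rural counties both favour the
    other candidate and use DRE more often, DRE counties look worse for the
    candidate even when the machines change nothing.
    """
    total, dre = defaultdict(int), defaultdict(int)
    for _, tech, stratum, _ in counties:
        total[stratum] += 1
        if tech == "dre":
            dre[stratum] += 1
    return {s: dre[s] / total[s] for s in total}


if __name__ == "__main__":
    print("raw gap (DRE - paper):", raw_gap(COUNTIES))          # -10.0 on this data
    print("gap within strata:", stratified_gaps(COUNTIES))     # 0.0 in both strata
    print("DRE share per stratum:", technology_mix(COUNTIES))
```

On these numbers the headline figure (DRE counties ten points lower) is entirely an artifact of rural counties using DRE three times out of four; once counties are compared with their demographic peers the technology effect is nil. A non-zero within-stratum gap, by contrast, is what would justify the next step the paragraph mentions, a computer forensic examination of the machines themselves.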

Additional research focused on other alleged attacks across the country. According to the findings, “in all, the Russian hackers hit systems in a total of 39 states,” Bloomberg’s Michael Riley and Jordan Robertson reported. In particular, in Illinois, investigators found that cyber intruders tried to alter or delete voter data. The Illinois breaches were particularly important in the investigation, as they furnished a key needed to detect further intrusions. In fact, the state gave the FBI and the Department of Homeland Security full access to its systems after a contractor working at the state board of elections detected a data leak in July 2016. The compromised data consisted of 90,000 voter records (names, dates of birth, partial social security numbers and other sensitive data) out of the 15 million stored. Analyzing logs, forensic examiners were able to develop “digital signatures” of the attack, including the Internet Protocol addresses used by the hackers. The investigators combed through other systems and found traces left by the same attackers in many other states.


Does Hacking Threaten Future U.S. Elections?

Of course, it could, just as hacking threatens any information system and network in the field that holds sensitive data and proprietary assets. There are weaknesses in automated systems, Election Management System (EMS) application software and voting machines (the associated computers, networks, and data storage devices) which can be exploited. It is unclear what the real effect of the alleged attacks on the last U.S. election systems was and whether the known (and unknown) intrusions really had a bearing on the win of President Trump, but what is sure is that merely hinting at such a possibility undermines the reputation of the entire electoral system, and that is probably the main aim of the attack perpetrators. To defend the democratic processes of the U.S. and any other country around the world, it is important to devise effective solutions to mitigate the damage, address all concerns and stop further compromise of electronic voting systems. The best way to secure the voting process is not to abandon the trend toward computerized voting with DRE machines or e-voting systems but to add sophistication to the processes with administrative, technological and cryptographic measures for auditability and verifiability, including solutions like Voter Verified Paper Audit Trails (VVPAT) and/or Video Audit Trails (VVVAT) Ballot Systems to be in place for automatic identification and data capture.

At the completion of the 2016 Presidential Election, some forensic evidence was found pointing at possible Russian interference with the U.S. democratic election process. The lesson learned is that e-voting or i-voting (i.e., done electronically or via the Internet) might not be safe enough yet for generalized use. Direct-recording electronic (DRE) voting machines, which have been used to cast ballots in political elections around the world and not just in the U.S., continue to raise concerns that hackers are able to forge DRE results and thereby compromise the tallying of votes. The great challenge in the future will be to find better and safer ways to ensure the confidentiality, authentication, availability, and integrity of voters’ ballots without necessarily turning the clock back to the paper and pencil times. In the meantime, forensics is still the investigators’ best friend when it comes to detecting and deterring current digital or electronic attacks.


Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved from

Brecht, D. (2016, May 19). The Call for Online Voting: Are We Ready? Retrieved from /the-call-for-online-voting-are-we-ready/

Fung, B. & Timberg, C. (2017, June 19). A Republican National Committee database of nearly every voter was left exposed on the Internet for 12 days, researcher says. Retrieved from

Kiely, E. (2016, December 8). Trump, Russia and the U.S. Election. Retrieved from

Krebs on Security. (2017, January 8). DNI: Putin Led Cyber, Propaganda Effort to Elect Trump, Denigrate Clinton. Retrieved from

(2016, December 10). Obama demands “Full Review” over Election related Hacking. Retrieved from

Liu, C. (2016, October 31). Can the Vote Really be Hacked? Retrieved from

(2016, December 26). Recounts or No, US Elections Are Still Vulnerable to Hacking. Retrieved from

Paganini, P. (2016, August 2). US Presidential Elections: Hackers – the Third Actor Between Contenders. Retrieved from /us-presidential-elections-hackers-the-third-actor-between-contenders/

Riley, M. & Robertson, J. (2017, June 14). Russian Breach of 39 States Threatens Future U.S. Elections. Retrieved from

Riley, M. & Robertson, J. (2017, June 13). Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known. Retrieved from

Seals, T. (2016, December 16). Election Hacking Bombshell: Putin Personally Involved, Voting Machine Overseer Hacked. Retrieved from

Sherman, G. (2016, November 22). Experts Urge Clinton Campaign to Challenge Election Results in 3 Swing States. Retrieved from

The Economist. (2007, February 22). Election forensics: How to detect voting fiddles. Retrieved from

(2007, March 10). Direct Record Electronic (DRE) Voting Machine Failures Reported in the News. Electronic Voting: A Failed Experiment. Retrieved from


Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.