Sun Aug 15 07:26:25 +0000 2021

 · trapezoid of discovery

[tweet] [link]
I've been reviewing the image, and I've found quite a few indications that the build was prepared on 4/27 on a Dell R640, and then on 5/25 - the same day of the update - restored to a Dell T630. This would make sense, because per https://www.sos.state.co.us/pubs/elections/VotingSystems/files/2020/ColoradoVotingEquipmentbyCounty2020.pdf there are no R640s in CO.

[tweet] [link]
One indication I found: BIOS update logs.

On 4/27, a Dell 9FG85 BIOS update was run. The 9FG85 build is specifically for the R640.

On 5/25 (the update date), a Dell H5DYH BIOS update was run. The H5DYH build is specifically for the T630.

These were both in the newer image (made 5/26).

[tweet] [link]
The only other BIOS logs present are in the 1st image.

On 2019/06/25, a BIOS update for an R630 (build T9YX9 v. 2.9.1) failed to run because it was the wrong system (per the logs).

A few minutes later, build YY63D v. 2.9.1 was run successfully. YY63D is for the T630.

[tweet] [link]
Also, when viewing the registry in the second image, you'll see that the LastConfig under HardwareConfig shows it's a Dell T630 running BIOS 2.12.1.

A Dell R630 and R640 are also present under HardwareConfig, but the UUID in LastConfig matches that of the T630 Config.

[tweet] [link]
The other thing I've looked at has been the shutdown and boot times, as logged by the kernel in the second image. We know that the trusted build update was performed on 5/25, and from 2:28PM MST until 5/26 09:49AM the server remained powered on. It booted back up at 09:51AM MST.

[tweet] [link]
From 05/26 09:51AM MST there's a steady stream of log activity until it abruptly ends at 05/26 5:42PM MST. Per the metadata from the second image, we know it has a date of 05/26 5:43PM MST.

[tweet] [link]
If the drive were switched to another machine, they presumably wouldn't have been able to do that in the presence of Dominion on 5/25. So the other alternative would be that Dominion swung by with a new PC... but then why install T630 drivers, when the T630 is discontinued?

[tweet] [link]
And it doesn't seem like there would have been a large enough time gap to switch the drive after the emsserver was powered off on 5/26 and when the image was created.

Still, none of what I posted above is conclusive, and there are still some weird things unanswered.

[tweet] [link]
I'm going to keep digging through logs and whatnot. Ideally I'll be able to find a hardware serial number for some type of device in the logs or registry that I can match (or not match) across the two images.
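A small script for the LastConfig check the thread describes, added here as an example (not the author's tooling): it takes a text export of HKLM\SYSTEM\HardwareConfig and reports which hardware profile the hive last booted on, so the two images can be compared the same way. The key layout (a LastConfig string value plus one GUID-named subkey per profile holding SystemProductName and BIOSVersion) is assumed, and every GUID, model and version in the sample is constructed.

```python
import re

# Constructed sample: a .reg-style text export of HKLM\SYSTEM\HardwareConfig
# from a disk image. Layout is ASSUMED: a LastConfig value holding a GUID,
# and one subkey per GUID holding firmware/system strings. All GUIDs, model
# names and versions below are made up for illustration.
IMAGE2_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig]
"LastConfig"="{aaaaaaaa-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{aaaaaaaa-0000-0000-0000-000000000001}]
"SystemManufacturer"="Dell Inc."
"SystemProductName"="PowerEdge T630"
"BIOSVersion"="2.12.1"

[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{aaaaaaaa-0000-0000-0000-000000000002}]
"SystemManufacturer"="Dell Inc."
"SystemProductName"="PowerEdge R640"
"BIOSVersion"="2.10.2"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')

def parse_hardware_config(text):
    """Return (last_config_guid, {guid: {value_name: value}})."""
    configs, last, current = {}, None, None
    for line in text.strip().splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            # GUID-named subkey -> a hardware profile; anything else -> root key
            tail = m.group(1).rsplit("\\", 1)[-1]
            current = tail.lower() if tail.startswith("{") else None
            if current:
                configs.setdefault(current, {})
            continue
        m = VAL_RE.match(line.strip())
        if not m:
            continue
        name, value = m.groups()
        if current is None and name == "LastConfig":
            last = value.lower()
        elif current is not None:
            configs[current][name] = value
    return last, configs

def last_booted_hardware(text):
    """Resolve LastConfig to (model, BIOS version, number of profiles seen)."""
    last, configs = parse_hardware_config(text)
    cfg = configs.get(last, {})
    return cfg.get("SystemProductName"), cfg.get("BIOSVersion"), len(configs)
```

Run it against the same export from each image: matching model and BIOS strings in LastConfig, with the other models only present as stale profiles, is what the thread's registry observation looks like in data.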