Mon Aug 23 21:34:37 +0000 2021

trapezoid of discovery

[tweet] [link]
New thread: I found a link to the data that was provided to the cyber experts at Lindell's Cyber Symposium. The data includes all of the "pcaps" supplied by Dennis Montgomery...I may look at that later, but for now I'll be focusing on the "new data" that was provided.

[tweet] [link]
The "new data" includes the PCAPs listed in this screenshot, as well as the Mesa County forensic images.

Again, these are not the PCAPs of the 2020 election that Lindell has been hyping. These were collected after the election, and only from 3 counties.

[tweet] [link]
Here's the file listing I'll be taking a look at. Specifically, I'll be focusing on the PCAPs because they're the most important. Why?

In order to collect PCAPs of counties, you'd need physical access. We know that Conan Hayes was in Mesa. But what about the other two counties?

[tweet] [link]
I'm starting with Clark County, and I'm going to try and answer 3 questions:

  1. Which Clark County? NV, or WI?
  2. Who collected these PCAPs?
  3. What do they show? (Note - I will take care not to reveal sensitive information.)

[tweet] [link]
Since these files are in actual pcapng format, I'll be using Wireshark to perform the analysis.

[tweet] [link]
The PCAP metadata indicates the data was collected on 2020-12-01 for 14 min 47 sec, between 14:52 and 15:06. They were collected by a Mac via wifi.

[tweet] [link]
The majority of the traffic is UDP. UDP is typically used for things like DNS or - for VPNs (remember this).

When you browse to a website, the connection typically uses the TCP protocol.

[tweet] [link]
So far, a few things have stood out:

1) The device performing the capture is also communicating with IP 143.144.45.69 over UDP port 8080. That IP is located in the Ukraine, and is owned by Datacamp Ltd. The AS associated with that IP is used by multiple VPN providers.

[tweet] [link]
This suggests that the device performing the capture was also connected to a VPN while the capture was being performed. As a result, the traffic between that device and the VPN is encrypted, so that traffic's not much use, and I'll be filtering it out.

[tweet] [link]
Another observation: the PCAPs include traffic created by Apple's Bonjour protocol (which makes sense, since the traffic was recorded by a Mac).

Within the Bonjour packets are hostnames, and one of those hostnames is 'cjh's Macbook Pro'.

cjh = Conan James Hayes

[tweet] [link]
It's worth noting that you can specify capture filters. In other words, if whoever created the capture knew what they were doing and wanted to maintain sound opsec, they could have filtered out the Bonjour traffic.

But they would have had to know what they were doing.

[tweet] [link]
The PCAP also contains evidence that indicates they were in fact captured in Clark County, NV. There's a DHCP request sent from the device performing the capture. The DHCP ACK contains the domain name 'http://guest.co.clark.nv.us'

[tweet] [link]
To put a bow on the Clark County PCAP analysis:

  1. It was captured on 2020-12-01
  2. The laptop appears to belong to 'cjh'
  3. It definitely came from Clark County, NEVADA

Meaning: Conan Hayes likely had access to the Clark Co. network (via Wifi) on 2020-12-01.

[tweet] [link]
That said: there's nothing that indicates the traffic came from a network that had anything to do with election administration. Given the 'http://guest.co.clark.nv.us' domain, he could have simply joined a wifi guest network.

[tweet] [link]
On the other hand, the file is titled "Clark County Election Dept". So...I'd still suggest Clark County authorities take a look at the data.

[tweet] [link]
Looking at Lake County next. These are purportedly from Lake County, Ohio. Off the bat, these seem to have been captured from a different device entirely: A Windows laptop, instead of a Mac, and via Ethernet, rather than Wifi.

[tweet] [link]
There are four files for Lake County, and they're significantly larger than the single Clark County PCAP, so this will probably take longer to work through.

[tweet] [link]
Interesting that these were captured on 2021-05-04, which would be about 19 days prior to the first forensic image being taken of Mesa County, CO.

[tweet] [link]
Significantly more TCP traffic in the first Lake County, OH PCAP.

[tweet] [link]
Worth noting that Lake County, OH uses ES&S equipment, and not Dominion: https://www.eac.gov/voting-equipment/system-certification-process

[tweet] [link]
I can also confirm the traffic does seem to be from Lake County, OH.

[tweet] [link]
Confirming what @mjg59 mentioned earlier - most of this traffic is Windows update or McAfee update related. While it's definitely traffic captured from Lake County, OH, it does not appear to show any election related activity.

[tweet] [link]
Before anyone tries to sneak in a "bu-bu-updates?! I thought nothing should be connected to a network!" I want to repeat: all of the traffic captured in the Lake County, OH PCAPs appears to be from a general county network and not an election specific network.

[tweet] [link]
I think I've gleaned all the possible useful information from Lake County, so moving onto Mesa.

[tweet] [link]
Mesa County PCAPs were created on 5/23 - same date the first image was created.

[tweet] [link]
Er, to clarify - same date the first forensic image was created.

[tweet] [link]
The filenames suggest there's a second PCAP that's missing. The 3rd PCAP is relatively large compared to the others, clocking in at just over 6 GB.

[tweet] [link]
The other two PCAPs were also created on 5/23.

[tweet] [link]
I've been able to verify that these PCAPs do seem to originate from Mesa County; however, it doesn't appear that the network these were captured from is used for elections.

[tweet] [link]
I've given the Mesa PCAPs a quick run through. I'm fairly confident there's not much of interest there...looks like fairly typical traffic for a small LAN with internet access (again, no traffic appeared to be election related).

[tweet] [link]
Nothing that obviously pointed the finger at Conan seemed present in the Mesa or Lake County PCAPs...other than the fact that someone from Lindell's red team (potentially Ron Watkins) indicated in an email thread that the Mesa PCAPs were captured by CJ (Conan Hayes).

[tweet] [link]
If that statement about the Mesa PCAPs is accurate, we can assume that the Lake County, OH PCAPs were captured by the same individual (or at least the same laptop).

[tweet] [link]
So, with that, I'm calling it for the night, and will try and pick this back up tomorrow. I'll probably give the Mesa PCAPs another run through, and then take a peek at the CSV files included in the 'streams' directory.

[tweet] [link]
Should also add…it’s not clear anything illegal necessarily happened.

Nothing in the PCAPs seemed particularly sensitive.

That doesn’t mean they were legitimately collected either, but it’s not possible to draw a conclusion one way or the other at the moment.
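As an added example (not part of the thread, and not the author's tooling), here is how the capture metadata cited above (capture OS, interface, link type, start and end time, duration) is read directly out of a pcapng file's Section Header, Interface Description and Enhanced Packet blocks; these are the same fields Wireshark reports under Capture File Properties. The sample file is constructed inline with values that mirror the thread's description (a Mac, interface en0, 2020-12-01 14:52 to 15:06) and is not the real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# pcapng block type codes: Section Header, Interface Description, Enhanced Packet
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def _options(buf):
    """Yield (code, value) pairs from a pcapng options area (entries are 4-byte aligned)."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        if code == 0:                            # opt_endofopt
            return
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)

def summarize(data):
    """Walk a little-endian pcapng file and return what Wireshark shows under
    Statistics > Capture File Properties: capture OS, interface, link type, timespan."""
    meta = {"os": None, "iface": None, "linktype": None, "packets": 0, "first": None, "last": None}
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        body = data[off + 8:off + blen - 4]      # drop block header and trailing length
        if btype == SHB:                         # options follow magic/version/section length
            meta["os"] = next((v.decode() for c, v in _options(body[16:]) if c == 3), None)
        elif btype == IDB:                       # linktype, reserved, snaplen, then options
            meta["linktype"] = struct.unpack_from("<H", body)[0]
            meta["iface"] = next((v.decode() for c, v in _options(body[8:]) if c == 2), None)
        elif btype == EPB:                       # interface id, ts high, ts low (default: usec)
            _, hi, lo = struct.unpack_from("<III", body)
            ts = datetime.fromtimestamp(((hi << 32) | lo) / 1e6, tz=timezone.utc)
            meta["first"], meta["last"] = meta["first"] or ts, ts
            meta["packets"] += 1
        off += blen
    meta["duration"] = meta["last"] - meta["first"] if meta["packets"] else None
    return meta

# Constructed sample file (not the real capture): values mirror what the thread reports.
def _opt(code, val):
    return struct.pack("<HH", code, len(val)) + val + b"\0" * (-len(val) % 4)
def _block(btype, body):
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
def _epb(when, frame=b"\0" * 42):
    us = int(when.timestamp()) * 1_000_000
    return _block(EPB, struct.pack("<IIIII", 0, us >> 32, us & 0xFFFFFFFF, len(frame), len(frame))
                  + frame + b"\0" * (-len(frame) % 4))
START = datetime(2020, 12, 1, 14, 52, tzinfo=timezone.utc)
SAMPLE = (_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _opt(3, b"Mac OS X 10.15") + _opt(0, b""))
          + _block(IDB, struct.pack("<HHI", 1, 0, 262144) + _opt(2, b"en0") + _opt(0, b""))
          + _epb(START) + _epb(START + timedelta(minutes=14, seconds=47)))
```

Against a real file, `summarize(open(path, "rb").read())` gives the same capture OS, interface name and 14 min 47 sec timespan the thread read out of Wireshark; the `shb_os` and `if_name` options are exactly where the "collected by a Mac via wifi" inference comes from.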