• David Rooslet III

Deleted Files in Maricopa County Election Audit Discovered and Recovered


By Randy DeSoto May 18, 2021 at 5:22pm

A cyber expert working on the Arizona election audit team testified Tuesday that he was able to recover an allegedly deleted directory from the Maricopa County election server.

Ben Cotton — the founder of CyFir, a digital forensics and cyber risk solutions company — told Arizona Senate President Karen Fann and Senate Judiciary Chairman Warren Petersen that he discovered the missing file directory while reviewing the Master File Table.

The MFT, he explained during a special meeting of the state Senate, is a “record of all of the directories and the files that are contained in that partition and a pointing — and a pointer to where that data resides on the hard drive.”

The database directory from the D drive of the machine “EMSPrimary” [Election Management System] had been deleted, he confirmed.

“In the course of performing that MFT discovery, I discovered a MFT that clearly indicated that the database directory was deleted from that server,” Cotton said.

He then told Fann and Petersen he was able to successfully recover the files.

“All of this, however, may be a moot point because subsequently, I’ve been able to recover all of those deleted files. And I have access to that data,” Cotton said.

In a letter to the Maricopa Board of Supervisors last week, Fann raised the issue of the deleted files.

The board responded with its own letter to Fann on Monday.

The board offered up that the reason the files showed up as deleted is that “the Elections Department shut down the server to be packed up and made ready for delivery to the Senate.”

“At no point was any data deleted when shutting down the server and packing up the equipment.”

The officials reiterated, “Maricopa County provided you the actual Dominion server as commanded by your subpoena and we did not transfer or delete from that server any data from the 2020 General Election that was subject to your subpoena.”

“You have now returned that server to us. Evidently, your ‘auditors’ made a copy of that server and are conducting their analysis on the copy,” the letter continued.

Additionally, the board refused to turn over county routers that auditors have requested to ensure voting tabulators were not connected to the internet during the election.

The letter cited security concerns about sensitive information contained in the routers getting into the wrong hands.

The board members closed their letter — also signed by Republican Maricopa County Recorder Stephen Richer and Democratic Maricopa County Sheriff Paul Penzone — calling for the audit to cease.

“You, Senate President Fann, are the only one with the power to immediately end it. We implore you to recognize the obvious truth: your ‘auditors’ are in way over their heads,” they wrote.

Cotton directly addressed the board’s explanation for the apparently deleted directory being due to the system being shut down before it was delivered to the Senate.

“We follow a very strict forensics acquisition process in which we don’t turn on a system if it’s delivered to us in a powered off state” before making a copy of the drive, he said.

Cotton added, “We produced a bit for bit forensics copy of that particular drive.”

182 views0 comments