The media and the Maricopa County officials are deliberately misleading the public about deleted databases of voter results, according to auditor Ben Cotton. Both the media and County officials continue to claim the voter result databases were not deleted, and the auditors just don’t know what they are doing. They also falsely claim the expert backtracked on saying the files were deleted and he has not.
However, tech forensic expert Ben Cotton reported that the ‘D’ drive of the EMS Primary Server was deleted. His extensive experience in data forensics made it possible for him to recover the deleted files, and that’s the only reason the files were recovered. This is exactly what he said at the Arizona State Senate hearing last week.
We addressed this on the 20th but it needs to be mentioned again as the media and the hysterical county officials blast out lies.
Every day, the loons on the left are either pleading or demanding the audit stop. They are joined with the crazed rantings of hate-monger Liz Cheney.
When asked at the hearing on the 20th if he determined the ‘D’ database was deleted, he responded:
“I did…We follow a very strict forensics acquisition process in which we don’t turn on a system if it’s delivered to us in a powered-off state. We remove the hard drives. We perform forensics imaging with write locks on to prevent any changes to those hard drives. And we produce a bit for bit forensics copy of that drive. In the case of the EMS servers, there were 6 drives. 2 of those drives were for the operating system and they were in what we call a [mirror?] configuration. So if something was changed anywhere on the operating system drive that would automatically be reflected on both drives.”
“The other four drives were data drives and it turns out they were in a raid configuration known as 1 plus zero. So you have a volume that is mirrored but also data redundancy and striped across both drives. Obviously, if I don’t turn on a system I don’t have access to the raid parameters and the county did not provide those to us.”
“So I had to do a discovery process to determine what that raid configuration was. Part of that process is a scan across those drives to detect partitions of data and to also detect a master file table which is a record of all of the directories of the files that are contained in that partition, and a pointer to where that data resides on the hard drive. In the course of performing that discovery, I found that an MFT that clearly indicated that the database directory was deleted from that server.”…
“All of this may be moot because subsequently I have been able to recover all the deleted files and I have access to that data.”
I suspect there are a lot of puckered up rear ends in AZ about now. It’s becoming clear that there was not only fraud, but an attempt to hide and cover up the fraud.
It is a mirror configuration, instead of mere.
So the drives were setup in a common way to do it. Cotton knows more about forensics than I do. But the part about the database directory being removed is simple, there is an entry for it in the MFT but the directory is not there. That is the most important directory on the unit, it had to be there to have election results. So someone deliberately removed it later, it does not go away on its own. To remove it is a cheap way to do it, since it is easily detected. The county has no case against the investigators.
Removing the data must be a crime since the data must be retained for 22 months and the equipment was already under multiple subpoenas. Of course since the county claims no access or control of the machines (also illegal, since election officials are to have sole control) then by implication the equipment provider removed the directory. That makes this a national problem, since the provider operated in multiple states. Of course, with crooks running the federal agencies and congress, there will be no national investigation.