“Maricopa County (MC) continues to purposely mislead Arizonans and the American public about the nature of audit findings, and the impact they had on the 2020 General Election… The following response to their review continues to refute their baseless claims with evidence and citations.”
The Cyber Ninjas 11-page report covers:
• 23K votes from prior addresses
MC claims that military absentee voters were not factored in. When UOCAVA voters are considered, the number is marginally reduced to a still-significant 22K.
• 17K duplicate ballot envelopes
MC claims that curing explains the duplicate ballot envelope images. Upon review, curing only potentially accounts for 2,138 of the 17K duplicates.
• Purged EMS database and log files
MC claims that standard archival steps were taken on 2/2 to free drive space. In fact, (1) The files were deleted on 2/1: “If any backups or archives were conducted on 2/2, the data was already deleted;” (2) “If it was normal to purge data… it would be expected that this would be true for every other election on the EMS Server. However… the data is still present for other past elections;” (3) The drive had more than 2TB of free space available: “There was no technical reason to delete the data before the 2 audits hired by MC. In fact, it begs to question what the auditors had to audit if there were no election results when ProV&V arrived on 2/2.”
• Corrupt and missing ballot images
MC “claims that the fact that the ballot images are corrupt or missing from the (EMS) Server is inconsequential, and that ballot images should have been viewed from one of the other drives provided.” However, MC fails to explain why or how the images were corrupted, or why images are missing from that system. “The drive provided wasn’t even in the same folder structure as the NAS directory and it did not have any other resemblance to an official backup…”
• 165K missing pre-adjudicated ballot images
“Furthermore, a review of the drive provided doesn’t include all pre-adjudicated images. The post-adjudicated images on the drive show the expected 2,089,563 images, but the pre-adjudicated images only show 1,923,719 images. The difference of 165,844 appears to be the number of ballots processed by the Election Day ImageCast Precinct 2 tabulators based on the CVR, but it’s unclear why or how these images would be collected in a manner where these images were missing.”
• Internet connectivity
MC claims the systems are not connected to the internet and carefully avoids use of the past tense. “CyFIR’s analysis never stated that the systems were always connected to the internet, but simply stated that there are distinct periods of time where internet connectivity can be validated… CyFIR utilized a tool called HstEx v4 to review the hard drives of all the affected systems for artifacts of internet activity…” HstEx v4 clearly reveals that URLs were visited and the machines had “a pathway to the internet.”
• Intentional execution of scripts to ensure that log entries were not retained
MC blames factory settings for the deletion of security log files. In fact, MC had full control and authority to modify default parameters and should have set the retention period to 22 months.
Furthermore, “the response by MC does not address the fact that a user leveraging the emsadmin account deliberately and purposely executed a script that checked the accounts for duplicate passwords 38,478 times. This deliberate execution of the script occurred over three days, specifically on 2/11/21 there were 462 log entries overwritten, on 3/3/21 there were 37,686 log entries overwritten, and on 4/12/21 there were 330 log entries overwritten. Given that MC knew that the setting on the log retention was limited to 20MB, the act of executing these scripts had the effect of deliberately ensuring that the Windows security logs covering the dates of the General Election would not be available for review.”
• And more…