Arizona Election Audit Recovers Allegedly Deleted Files in Maricopa County
Cyber expert successfully restores missing files, allegedly deleted from server
The team conducting the forensic audit of the 2020 election results in Arizona has successfully recovered files that were allegedly deleted from the county's server.
A cyber expert working on the audit team in Maricopa County testified before the state Senate on Tuesday that he was able to restore an allegedly deleted directory from the server's database.
The files were recovered by Ben Cotton — the founder of CyFIR, a digital forensics and cyber risk solutions company.
Cotton told Arizona Senate Judiciary Chairman Warren Petersen and Senate President Karen Fann that he discovered the missing file directory while reviewing the Master File Table (MFT).
During a special meeting of the state Senate, Cotton explained that the MFT is a “record of all of the directories and the files that are contained in that partition and a pointing — and a pointer to where that data resides on the hard drive.”
He confirmed to the Senate that the database directory from the D drive of the machine “EMSPrimary” [Election Management System] had been deleted.
“In the course of performing that MFT discovery, I discovered an MFT that clearly indicated that the database directory was deleted from that server,” Cotton said.
Breaking Update: Maricopa County deleted a directory full of election databases from the 2020 election cycle days before the election equipment was delivered to the audit. This is spoliation of evidence! pic.twitter.com/mY0fmmFXAm — Maricopa Arizona Audit (@ArizonaAudit) May 13, 2021
Cotton then told Fann and Petersen he was able to successfully recover the files.
“All of this, however, may be a moot point because subsequently, I’ve been able to recover all of those deleted files. And I have access to that data,” Cotton said.
In a letter to the Maricopa Board of Supervisors last week, Fann raised the issue of the deleted files.
No chain of custody for ballots, ballot batch counts don’t match with actual ballots, deleted databases, cut security seals, ongoing non-compliance with subpoenas and more… — Maricopa Arizona Audit (@ArizonaAudit) May 13, 2021
Read the letter to the Maricopa Board of Supervisors here: https://t.co/QAXtFdQ8lf
The board said the reason the files showed up as deleted is that “the Elections Department shut down the server to be packed up and made ready for delivery to the Senate.”
“At no point was any data deleted when shutting down the server and packing up the equipment.”
The officials reiterated, “Maricopa County provided you the actual Dominion server as commanded by your subpoena and we did not transfer or delete from that server any data from the 2020 General Election that was subject to your subpoena.”
“You have now returned that server to us,” the letter continued.
“Evidently, your ‘auditors’ made a copy of that server and are conducting their analysis on the copy.”
Additionally, the board refused to turn over county routers that auditors have requested to ensure voting tabulators were not connected to the internet during the election.
The letter cited security concerns about sensitive information contained in the routers getting into the wrong hands.
The board members closed their letter — also signed by Republican Maricopa County Recorder Stephen Richer and Democratic Maricopa County Sheriff Paul Penzone — calling for the audit to cease.
“You, Senate President Fann, are the only one with the power to immediately end it,” they wrote.
“We implore you to recognize the obvious truth: your ‘auditors’ are in way over their heads.”
Cotton directly addressed the board’s explanation that the directory appeared deleted because the system was shut down before it was delivered to the Senate.
“We follow a very strict forensics acquisition process in which we don’t turn on a system if it’s delivered to us in a powered off state” before making a copy of the drive, he said.
Cotton added, “We produced a bit for bit forensics copy of that particular drive.”
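To make the MFT review described above concrete, the following added example (not code from the article or the audit team) parses the header of one NTFS MFT record and reports whether its in-use flag is set; the record bytes and the directory name "Database" are constructed for illustration. NTFS clears that flag when a file or directory is deleted, while the record and its name can persist until the slot is reused.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002      # flag bits in the FILE record header
FILE_NAME, END = 0x30, 0xFFFFFFFF    # attribute type codes

def parse_mft_record(rec: bytes) -> dict:
    """Report name and in-use/directory state of one NTFS MFT record.
    Simplification: update-sequence fixups are not applied, which is safe
    only while the parsed fields stay clear of the sector-end bytes."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    # 0x10 sequence number, 0x12 link count, 0x14 first attribute, 0x16 flags
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    name, off = None, attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if atype == FILE_NAME and rec[off + 8] == 0:   # resident attribute
            c_off = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nchars = rec[c_off + 0x40]                 # name length in UTF-16 units
            name = rec[c_off + 0x42:c_off + 0x42 + 2 * nchars].decode("utf-16-le")
        off += alen
    return {"name": name, "sequence": seq,
            "deleted": not flags & IN_USE, "directory": bool(flags & IS_DIR)}

def build_record(name: str, flags: int, seq: int = 1) -> bytes:
    """Constructed 1024-byte record holding a single $FILE_NAME attribute."""
    raw = name.encode("utf-16-le")
    content = bytes(0x40) + bytes([len(name), 1]) + raw
    alen = (0x18 + len(content) + 7) & ~7              # 8-byte aligned
    attr = struct.pack("<IIBBHHHIHH", FILE_NAME, alen, 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0)
    attr = (attr + content).ljust(alen, b"\0")
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HHHH", hdr, 0x10, seq, 1, 0x38, flags)
    body = bytes(hdr) + attr + struct.pack("<I", END)
    return body.ljust(1024, b"\0")

if __name__ == "__main__":
    for rec in (build_record("Database", IN_USE | IS_DIR),
                build_record("Database", IS_DIR, seq=2)):  # in-use bit cleared
        print(parse_mft_record(rec))
```

The flag records only the current state of the record; it carries no information about when or by whom the entry was removed.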