I have read this… and the problem is chain of custody and the ability to authenticate against what is called the “original specimen.” Here is how it is supposed to be done:
If there is reason to believe a server has been hacked, the very first thing is to assume a crime has been committed. Here is why: If you assume a crime, and then handle the evidence as if you are going to be challenged by the defense bar in court, you are ready for the challenge. If you do not assume a crime has been committed, and you do not handle the evidence in that manner, if you develop information indicating a crime, you’re screwed. This is a classic example of “it’s better to have it and not need it, than to need it and not have it.”
So the first step is to remove the network cable(s) from the server (e.g. disconnect from any network). But it is important to keep the server powered up. Then you do forensics and take images of both volatile memory and the hard drives. Once you have these images, you can power down the server. But the next step is critical: You must establish and maintain custody over the server after the images have been acquired; the images are not original — the server hard drives themselves are. The images are “fingerprinted” with an algorithm called MD5. If I am the expert witness for the defense I will recommend our team demand to take an MD5 fingerprint of the original hard drive(s) to compare against the images presented to the court as evidence. If the prosecution does not have those original drives, well, Houston, we have a problem…
So here we have Trump believing a rumor that the server is in the hands of someone in the Ukraine. Whether this is true or not is irrelevant — what matters is the server is NOT in the custody of the FBI. Since the FBI DOES NOT have custody of the “original specimen” (as defined by federal rules of evidence), there is nothing unreasonable or nefarious about Trump asking the Ukrainian president for help in getting to the bottom of the matter. It also means that the “indictment” issued by the DOJ cannot possibly sustain a challenge in a preliminary hearing. You see, when someone is charged with a crime like this, and they plead not guilty, the court begins with a preliminary hearing to see if there is sufficient evidence to proceed to trial. If there is no “original specimen” for me (imagining I am the expert consultant for the defense) to verify the prosecution’s images against, then I write an expert witness report challenging the admissibility of the prosecution’s evidence.
Without access to the original specimen, I would mop the floor with the DOJ team on that “indictment.”
If you read Wired, and you are interested in this subject, the salient question is how in the world would the FBI respond to such an incident and NOT take custody of the “original specimen.” That is simply beyond preposterous from the perspective of a cyber security professional.
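The image "fingerprinting" and verification step the comment above describes, as an added example that is not part of the comment or of any real case file: it hashes an acquired image in fixed-size chunks, writes a custody record, and later re-hashes the original specimen to check that the image presented as evidence still matches it. MD5 is used because that is what the comment names; SHA-256 is recorded alongside it because MD5 collisions are practical today. The file names, the custody-record field names, the examiner name and the sample "drive" contents are all constructed for this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM


def fingerprint(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks. Returns {algorithm: hexdigest}.

    MD5 is the algorithm the comment names; SHA-256 is computed in the same
    pass because MD5 collisions are practical and a second, stronger digest
    costs nothing extra at acquisition time.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_record(path, examiner):
    """Custody entry written when the image is acquired.

    The field names here are an assumption for the example, not a standard
    chain-of-custody form.
    """
    return {
        "file": os.path.abspath(path),
        "size_bytes": os.path.getsize(path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": fingerprint(path),
    }


def verify_against_original(original_path, record):
    """Re-hash the original specimen and compare with the image's recorded hashes.

    Returns (all_match, {algorithm: bool}). A mismatch on any single algorithm
    fails verification; this is the check a defense expert would demand.
    """
    fresh = fingerprint(original_path, tuple(record["hashes"]))
    per_alg = {alg: fresh[alg] == digest for alg, digest in record["hashes"].items()}
    return all(per_alg.values()), per_alg


def demo():
    """Constructed sample: a fake 'drive', a bit-for-bit image, and a tampered image."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "original_drive.raw")
        data = bytes(range(256)) * 4096  # 1 MiB of constructed, non-random content
        with open(drive, "wb") as fh:
            fh.write(data)

        good = os.path.join(d, "image.dd")  # faithful image
        with open(good, "wb") as fh:
            fh.write(data)

        bad = os.path.join(d, "image_tampered.dd")  # one bit flipped
        tampered = bytearray(data)
        tampered[512] ^= 0x01
        with open(bad, "wb") as fh:
            fh.write(tampered)

        good_ok, _ = verify_against_original(drive, custody_record(good, "examiner A"))
        bad_ok, bad_detail = verify_against_original(drive, custody_record(bad, "examiner A"))
        return good_ok, bad_ok, bad_detail


if __name__ == "__main__":
    print(demo())
```

The point of the example is the last function: without the original drive there is nothing to pass as `original_path`, so `verify_against_original` can never be run, and the recorded hashes prove only that the image matches itself.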