[Note: The annexes are not attached to this post.]
Introduction
I wrote a piece on Murphy’s Law shadowing every step of the automated election, with particular emphasis on the voter’s interface with the technology. I will revisit these issues, plus the PCOS and queuing, ex-future manual counts as well as provide some assessments coming from other citizen groups on the other aspects of this brand of technology chosen by the COMELEC.
Forensics on the Antipolo PCOS
Report of the Joint Forensic Team
This report is prepared pursuant to the forensic analysis conducted on
the Precinct Count Optical Scanner (PCOS) machines currently in the
possession of the Senate of the Philippines. The forensic analysis was
conducted from June 4‐5, 2010 at the A. Padilla Hall of the Senate of the
Philippines and on June 7, 2010 at the Smartmatic warehouse in Cabuyao,
Laguna.
Background.
On June 01, 2010, the Joint Canvassing Committee (JCC) requested the
forensic analysis of the sixty (60) PCOS machines, which are in the custody of
the Senate of the Philippines. The said forensic analysis would consist of
fourteen (14) items, the list of which was promptly forwarded to the
Commission on Elections (COMELEC) on an even date.
On June 02, 2010, the COMELEC consented to the requested forensic
analysis through a letter[1] addressed to the Senate’s Secretary, Ms. Emma Lirio
Reyes. During the joint canvassing session of the same date, Sen. Juan Miguel
Zubiri announced the creation of a joint forensic team consisting of
representatives from the Senate and the House of Representatives.
Those named to the joint forensic team were:
1. Director Mario Sulit, Senate of the Philippines
2. Ms. Angelina Garcia, House of Representatives
3. Atty. Al. S. Vitangcol III, House of Representatives
4. Mr. Dexter Laggui, House of Representatives
The following day, June 03, 2010, the joint forensic team met with
Smartmatic’s representative, Mr. Heider Garcia, at the office of the House
Speaker. Mr. Garcia agreed to the items as presented by the team. The
forensic team was further expanded to include other members coming from
the IT Department of the House[2].
The supposed subject of the forensic analysis are some sixty (60) units
of PCOS machines, which were turned over to the office of the Senate
President on May 19, 2010 12:00AM, duly received by the Senate Sergeant‐at‐
Arms, MGen. Jose V. Balajadia, Jr. AFP(Ret), from COMELEC Election Officer IV,
Atty. Arnulfo Pioquinto. Also submitted was a detailed inventory of the
machines, consisting of eighteen (18) pages[3].
However, due to the time constraints involved and other disturbances[4],
including the insistence of Smartmatic for all those present to sign a Non‐
Disclosure Agreement (NDA) and the objections of some guests from the
viewing public, the forensic examination was conducted on only thirty three
(33) units of PCOS machines and thirty one (31) pieces of Compact Flash (CF)
memory cards.
Objectives of the Forensic Analysis.
The objectives of the forensic analysis are to determine the following:
1. Whether or not the subject PCOS machines are authentic,
meaning one and the same as the ones used by Smartmatic in
the May 10, 2010 automated elections.
2. Whether or not the subject machines contain hidden and/or
secret components that may be used for committing electoral
fraud.
3. Whether or not the CF cards are genuine, authentic, and have
been used in the May 10, 2010 automated elections.
4. Whether or not the CF cards contain hidden and/or deleted
files.
5. Analyze and interpret the contents of the CF cards.
The source code of the embedded program in the firmware of the PCOS
machines was not retrieved because of technical limitations and unavailability
of tools necessary to extract the same.
The SIM cards of the modems were never subjected to forensic analysis
due to time limitations.
Conduct of the Forensic Analysis.
The legal authority to open and analyze the PCOS machines was
established by the order of the JCC, and the acceptance of COMELEC. Thus,
the members of the forensic team were fully authorized to conduct the said
analysis and considered free from any liability, of whatsoever nature, from
Smartmatic, the COMELEC, or any third party.
Prior to subjecting the machines to forensic analysis, the chain of
custody was properly documented using the appropriate Chain of
Custody/Evidence Form.[5]
Evidence intake was conducted, in full public view, by performing the
following on each and every unit of PCOS machine:
1. The box of the PCOS machine was described prior to opening.
2. The box was opened using a board cutter.
3. The contents of the box were announced and described as they
were being taken out of the carton container.
4. The PCOS machine was appropriately tagged, labeled and
photographed.
5. The PCOS machine was inspected for signs of tampering and
damage.
6. The PCOS machine was examined for the presence of CF cards.
a. If a CF card was present, the CF card was duplicated
using a bit stream copy and its image stored in a
forensically prepared storage.
b. The image of the CF card was analyzed for hidden and
deleted files in a forensically sound manner.
c. The files of the CF card were subjected to timeline
analysis to establish when the files were created,
modified, and/or last accessed.
d. The original CF card was reinserted in the PCOS
machine and sealed in its compartment.
7. The date and time of the PCOS machine’s internal clock was
established by running a utility program provided by
Smartmatic.
8. All the items in the box, after proper documentation, were
returned into the box and properly sealed with a masking tape.
9. The sealed box was returned to the custody of the Senate.
Two (2) PCOS machines were opened and cut apart, with the help of a
Smartmatic technician, away from public view. The forensic team noted and
identified the chipset[6] and other electronic components of the dissected PCOS
machine. The machines were then reassembled by the Smartmatic technician
and returned to their corresponding boxes.
The first recovered log file[7] from a main CF card was then viewed and
interpreted, with the help of Smartmatic representatives. Other human
readable files were then reduced to a Portable Data Format (PDF) and
preserved for future use.
On June 7, 2010, the forensic team went to Smartmatic’s warehouse in
Cabuyao, Laguna to decrypt and interpret the encrypted files found in the CF
cards. The subjects of the Cabuyao exercise are the one (1) and only main CF
card and two (2) randomly selected backup CF cards.
Images of the ballots cast, as stored in the main CF card, were
decrypted and viewed by the forensic team. However, not all of the ballot
images were shown because of the restrictions imposed by COMELEC.
Description of Technical Procedures.
The forensic analysis conducted on the CF cards are more particularly
described in the next paragraphs.
Evidence assessment. This step includes prioritizing the potential
evidence where necessary based on the location where the evidence is found
and the stability of the media to be examined. This further includes how to
document the evidence, protection and preservation of the evidence.
Thus, forensic analysis of the main CF card was prioritized over the
backup CF cards. The CF cards were properly documented using the forensic
team’s Chain of Custody Form. These cards were subjected to imaging and
the original cards preserved.
Imaging. Imaging is the process of duplicating and acquiring the files
from a subject storage device to a forensically clean storage device. This also
involves creating a known value for the subject evidence by performing an
independent check like MD5 hashing. Examination is then conducted on the
acquired digital image and not on the original evidence.
Images of the CF cards were stored on two (2) forensically cleaned and
encrypted hard disks, running on a Linux‐based Uvuntu operating system. The
images are named corresponding to the physical serial numbers of the CF
cards.
Data hiding analysis. This step can be useful in detecting and
recovering concealed and deleted data.
The subject CF cards’ images were subjected to this particular analysis.
Timeframe analysis. This type of analysis can be useful in determining
when events occurred on a computer system, which can be used as a part of
associating usage of the computer system to an individual/s at the time the
events occurred. The methods for conducting timeframe analysis consist of
reviewing the time and date stamps contained in the file system metadata
(e.g. last modified, last accessed, created, change of status) to link files of
interest to the timeframe relevant to the investigation. This methodology also
includes reviewing the system, application, or audit logs that may be present.
In the present investigation, all the recovered files in the CF cards’
images were subjected to timeframe analysis. A sample timeframe analysis is
included with this report[8].
The results of the timeframe analysis can then be compared with the
available system and audit logs of the same CF card under analysis.
Summary of Findings.
The findings of the joint forensic team are presented herein in a most
factual manner, without making any undue interpretation thereon.
The statistics and percentages cited are based on the examined size of
thirty three (33) units and not on the full sixty (60) units of PCOS machines.
On Tampered PCOS Machines
Ocular inspection revealed that there is one (1) unit that was
physically tampered with. The card slots were misaligned
preventing the insertion of CF cards.
3.03%
Presence of Main CF Cards
One (1) main CF card was found, which should have been submitted
with other election paraphernalia to the COMELEC.
3.03%
Presence of Backup CF Cards
Three (3) of the PCOS machines do not have the required backup CF
cards with them. Each and every PCOS machine, at the end of
election day, should have one backup CF card with it.
9.09%
Sealed Card Slots
Nineteen (19) of the units have memory card slots that were not
sealed at all. The card slots, as required, should be sealed with
plastic COMELEC cable ties.
57.58%
Presence of i‐button keys
Ten (10) units do not have the required i‐button keys. In fact, there
were two (2) instances where the i‐button key was colored black.
The i‐buttons for BEIs are supposedly colored blue. Black i‐button
keys are used by Smartmatic technicians only. For that matter, the
black i‐button key can be used to open any PCOS machine by any
person possessing it.
30.30%
Thermal Paper with COMELEC Logo
Thirty (30) units of PCOS machines used thermal papers without the
required COMELEC logo. Only three (3) units used thermal papers
with the COMELEC logo on them.
90.91%
Transmission Device
Twenty (20) of the units do not have their own modems for
transmission. This means that these units used another unit’s
modem for transmission.
60.61%
CF Cards Forensic Analysis
The sole blue main CF card was completely imaged and analyzed. Forensic
analysis revealed that the card is authentic and contains three (3) folders with
fifteen (15) items, to wit:
Folder dcf
DCF_BALLOT.DVD
DCF_INTEGERS.DVD
DCF_OPTIONS.DVD
DCF_STRINGS.DVD
Folder election
dvscomm.cfg
VIF.DVD
VIF_BALLOT_INSTANCE.DVD
VIF_BALLOT_LAYOUT.DVD
VIF_CHOICE_INSTANCE.DVD
VIF_CONTEST.DVD
VIF_CONTEST_INSTANCE.DVD
VIF_ELECTION.DVD
VIF_PARTY.DVD
VIF_POLL.DVD
Folder temp
Emsession.pkf
Icpsession.pkf
1_5802236_5802236_TABULATED.DVD
busage
1_5802236_5802236_0_RAW.DVD
NR.txt
LR.txt
510Res
Restrans
Slog.txt
Stats.txt
Time frame analysis revealed an intriguing fact. The last ten (10) files were all modified on May 10, 2010 but were last accessed on two (2) othr dates – September 28, 2064 and January 28, 2065. No plausible explanation can be offered for these two (2) future dates.
The file slog.txt was printed out[9] and its entries analyzed.
The log reveled that there was a SCANNER FAILED (70001)[10] entry during diagnostics and that the said diagnostics in fact failed – COMPLETE DIAGNOSTICS FAILED entry.[11]
A number of ballot scanning failure can be noted on the log file. The log file showed that there was a total of 103 ballot rejections out of a total of 385 votes cast. This is a high rejection rate of 26.75 %. The total number of registered voters is 574.
A number of over-voting and under-voting, resulting in null votes, can also be deciphered from the subject log file. In order to fully reconcile the log file with the actual votes, the main CF card was decrypted at Smartmatic’s Cabuyao warehouse.
Reconciliation of the vontents of the CF card showed the following oveer-voting and under-voting statistics:
| Postion |
Over-voting |
Under-voting |
| President |
6 |
1 |
| Vice-President |
5 |
6 |
| Senators |
132 |
921 |
| Party List |
27 |
38 |
| Congressman |
18 |
13 |
| Governor |
6 |
53 |
| Mayor |
6 |
14 |
A total of twenty eight (28) red backup CF cards were completely imaged and readied for analysis. One (1) of these cards is totally empty or blank. The other cards are yet to be analyzed, pending the resumption of the forensic analysis – subject ot the approval of the JCC.
Recommendations and Conclusions
Forensic analysis was done on a limited number of PCOS machines and CF cards, further constrained by time and resource factors.
Thef indings of the forensic analysis are still incomplete – pending the completion of the analysis of the remaining CF cards. Thus, no solid conclusion can be made based on this incomplete foresnsic analysis.
Thus, it is recommended to the JCC to order and allow the Joint Forensic Team to continue with the analysis and examination of the remaining twenty-seven (27) units of PCOS machines, and additionally perform the following:
1. Extract the source code of the embedded program in the firmware of the PCOS machine or its hash code. This was not done because Smartmatic claimed that the machine’s console port is an outright port only and is used for error messages only. However, the forensic team felt that the PCOS machine can be queried, accessed, and manipulated through the consoloe port.
2. Conduct forensic analysis on the SIM cards of the modems to establish its usage and transmissions.
3. Perform a full comparison of the ballot images in the sole main CF card with the generated Election Return from the same CF card – without any restriction from the COMELEC. This restriction has hampered the Joint Forensic Team from fully conducting their mandated forensic analysis on the subject CF cards.
It is further recommended to the JCC to request the Senate to provide additional security measures so as not to allow the viewing public, other guests, and the media, from co-mingling with the Joint Forensic Team so as not to duly burden the latter in its work.
Prepared by Atty. Al S. Vitangcol III, CHFI, for the Joint Forensic team.
June 7, 2010.
Atty. Vitangcol also volunteered the information that each provincial COMELEC officer was allotted spare 20 CF cards. The reason for this nor, their actual use is unknown to this date.
[1] Annex “A” – Letter of Atty. Tolentino of COMELEC to Sec. Emma Lirio Reyes of the Senate
[2] List of the members of the Joint Forensic Team included here as Annex “B”
[4] Transfer of Stenographic Notes of the June 4, 2010 session is hereto enclosed as Annex “D”.
[5] Included herewith as Annex “E”
[6] Chipset part numbers and description are listed in Annex “F”
[7] The printed log file of the one and only main CF card is enclosed herewith as Annex “G”.
[10] Line 12, Page 5, slog.txt
[11] Line 13, Page 5, slog.txt
