Another COMELEC-Smartmatic Brand of Automated Election System? Part 3

[Note:  The annexes are not attached to this post.]

Introduction

I wrote a piece on Murphy’s Law shadowing every step of the automated election, with particular emphasis on the voter’s interface with the technology. I will revisit these issues, plus the PCOS and queuing, ex-future manual counts as well as provide some assessments coming from other citizen groups on the other aspects of this brand of technology chosen by the COMELEC.

Forensics on the Antipolo PCOS

Report of the Joint Forensic Team

This report is prepared pursuant to the forensic analysis conducted on the Precinct Count Optical Scanner (PCOS) machines currently in the possession of the Senate of the Philippines. The forensic analysis was conducted from June 4‐5, 2010 at the A. Padilla Hall of the Senate of the Philippines and on June 7, 2010 at the Smartmatic warehouse in Cabuyao, Laguna.

Background.

On June 01, 2010, the Joint Canvassing Committee (JCC) requested the forensic analysis of the sixty (60) PCOS machines, which are in the custody of the Senate of the Philippines. The said forensic analysis would consist of fourteen (14) items, the list of which was promptly forwarded to the Commission on Elections (COMELEC) on an even date.

On June 02, 2010, the COMELEC consented to the requested forensic analysis through a letter[1] addressed to the Senate’s Secretary, Ms. Emma Lirio Reyes. During the joint canvassing session of the same date, Sen. Juan Miguel Zubiri announced the creation of a joint forensic team consisting of representatives from the Senate and the House of Representatives.

Those named to the joint forensic team were:

1. Director Mario Sulit, Senate of the Philippines

2. Ms. Angelina Garcia, House of Representatives

3. Atty. Al. S. Vitangcol III, House of Representatives

4. Mr. Dexter Laggui, House of Representatives

The following day, June 03, 2010, the joint forensic team met with Smartmatic’s representative, Mr. Heider Garcia, at the office of the House Speaker. Mr. Garcia agreed to the items as presented by the team. The forensic team was further expanded to include other members coming from the IT Department of the House[2].

The supposed subjects of the forensic analysis are some sixty (60) units of PCOS machines, which were turned over to the office of the Senate President on May 19, 2010 12:00AM, duly received by the Senate Sergeant‐at‐Arms, MGen. Jose V. Balajadia, Jr. AFP(Ret), from COMELEC Election Officer IV, Atty. Arnulfo Pioquinto. Also submitted was a detailed inventory of the machines, consisting of eighteen (18) pages[3].

However, due to the time constraints involved and other disturbances[4], including the insistence of Smartmatic for all those present to sign a Non‐Disclosure Agreement (NDA) and the objections of some guests from the viewing public, the forensic examination was conducted on only thirty three (33) units of PCOS machines and thirty one (31) pieces of Compact Flash (CF) memory cards.

Objectives of the Forensic Analysis.

The objectives of the forensic analysis are to determine the following:

1. Whether or not the subject PCOS machines are authentic, meaning one and the same as the ones used by Smartmatic in the May 10, 2010 automated elections.

2. Whether or not the subject machines contain hidden and/or secret components that may be used for committing electoral fraud.

3. Whether or not the CF cards are genuine, authentic, and have been used in the May 10, 2010 automated elections.

4. Whether or not the CF cards contain hidden and/or deleted files.

5. Analyze and interpret the contents of the CF cards.

The source code of the embedded program in the firmware of the PCOS machines was not retrieved because of technical limitations and unavailability of tools necessary to extract the same.

The SIM cards of the modems were never subjected to forensic analysis due to time limitations.

Conduct of the Forensic Analysis.

The legal authority to open and analyze the PCOS machines was established by the order of the JCC, and the acceptance of COMELEC. Thus, the members of the forensic team were fully authorized to conduct the said analysis and considered free from any liability, of whatsoever nature, from Smartmatic, the COMELEC, or any third party.

Prior to subjecting the machines to forensic analysis, the chain of custody was properly documented using the appropriate Chain of Custody/Evidence Form.[5]

Evidence intake was conducted, in full public view, by performing the following on each and every unit of PCOS machine:

1. The box of the PCOS machine was described prior to opening.

2. The box was opened using a board cutter.

3. The contents of the box were announced and described as they were being taken out of the carton container.

4. The PCOS machine was appropriately tagged, labeled and photographed.

5. The PCOS machine was inspected for signs of tampering and damage.

6. The PCOS machine was examined for the presence of CF cards.

   a. If a CF card was present, the CF card was duplicated using a bit stream copy and its image stored in a forensically prepared storage.

   b. The image of the CF card was analyzed for hidden and deleted files in a forensically sound manner.

   c. The files of the CF card were subjected to timeline analysis to establish when the files were created, modified, and/or last accessed.

   d. The original CF card was reinserted in the PCOS machine and sealed in its compartment.

7. The date and time of the PCOS machine’s internal clock was established by running a utility program provided by Smartmatic.

8. All the items in the box, after proper documentation, were returned into the box and properly sealed with a masking tape.

9. The sealed box was returned to the custody of the Senate.

Two (2) PCOS machines were opened and cut apart, with the help of a Smartmatic technician, away from public view. The forensic team noted and identified the chipset[6] and other electronic components of the dissected PCOS machine. The machines were then reassembled by the Smartmatic technician and returned to their corresponding boxes.

The first recovered log file[7] from a main CF card was then viewed and interpreted, with the help of Smartmatic representatives. Other human readable files were then reduced to a Portable Data Format (PDF) and preserved for future use.

On June 7, 2010, the forensic team went to Smartmatic’s warehouse in Cabuyao, Laguna to decrypt and interpret the encrypted files found in the CF cards. The subjects of the Cabuyao exercise are the one (1) and only main CF card and two (2) randomly selected backup CF cards.

Images of the ballots cast, as stored in the main CF card, were decrypted and viewed by the forensic team. However, not all of the ballot images were shown because of the restrictions imposed by COMELEC.

Description of Technical Procedures.

The forensic analysis conducted on the CF cards is more particularly described in the next paragraphs.

Evidence assessment. This step includes prioritizing the potential evidence where necessary based on the location where the evidence is found and the stability of the media to be examined. This further includes how to document the evidence, protection and preservation of the evidence.

Thus, forensic analysis of the main CF card was prioritized over the backup CF cards. The CF cards were properly documented using the forensic team’s Chain of Custody Form. These cards were subjected to imaging and the original cards preserved.

Imaging. Imaging is the process of duplicating and acquiring the files from a subject storage device to a forensically clean storage device. This also involves creating a known value for the subject evidence by performing an independent check like MD5 hashing. Examination is then conducted on the acquired digital image and not on the original evidence.

Images of the CF cards were stored on two (2) forensically cleaned and encrypted hard disks, running on a Linux‐based Ubuntu operating system. The images are named corresponding to the physical serial numbers of the CF cards.

Data hiding analysis. This step can be useful in detecting and recovering concealed and deleted data.

The subject CF cards’ images were subjected to this particular analysis.

Timeframe analysis. This type of analysis can be useful in determining when events occurred on a computer system, which can be used as a part of associating usage of the computer system to an individual/s at the time the events occurred. The methods for conducting timeframe analysis consist of reviewing the time and date stamps contained in the file system metadata (e.g. last modified, last accessed, created, change of status) to link files of interest to the timeframe relevant to the investigation. This methodology also includes reviewing the system, application, or audit logs that may be present.

In the present investigation, all the recovered files in the CF cards’ images were subjected to timeframe analysis. A sample timeframe analysis is included with this report[8].

The results of the timeframe analysis can then be compared with the available system and audit logs of the same CF card under analysis.

Summary of Findings.

The findings of the joint forensic team are presented herein in a most factual manner, without making any undue interpretation thereon.

The statistics and percentages cited are based on the examined size of thirty three (33) units and not on the full sixty (60) units of PCOS machines.

On Tampered PCOS Machines

Ocular inspection revealed that there is one (1) unit that was physically tampered with. The card slots were misaligned preventing the insertion of CF cards.

3.03%

Presence of Main CF Cards

One (1) main CF card was found, which should have been submitted with other election paraphernalia to the COMELEC.

3.03%

Presence of Backup CF Cards

Three (3) of the PCOS machines do not have the required backup CF cards with them. Each and every PCOS machine, at the end of election day, should have one backup CF card with it.

9.09%

Sealed Card Slots

Nineteen (19) of the units have memory card slots that were not sealed at all. The card slots, as required, should be sealed with plastic COMELEC cable ties.

57.58%

Presence of ibutton keys

Ten (10) units do not have the required i‐button keys. In fact, there were two (2) instances where the i‐button key was colored black. The i‐buttons for BEIs are supposedly colored blue. Black i‐button keys are used by Smartmatic technicians only. For that matter, the black i‐button key can be used to open any PCOS machine by any person possessing it.

30.30%

Thermal Paper with COMELEC Logo

Thirty (30) units of PCOS machines used thermal papers without the required COMELEC logo. Only three (3) units used thermal papers with the COMELEC logo on them.

90.91%

Transmission Device

Twenty (20) of the units do not have their own modems for transmission. This means that these units used another unit’s modem for transmission.

60.61%

CF Cards Forensic Analysis

The sole blue main CF card was completely imaged and analyzed. Forensic

analysis revealed that the card is authentic and contains three (3) folders with

fifteen (15) items, to wit:

Folder dcf

DCF_BALLOT.DVD

DCF_INTEGERS.DVD

DCF_OPTIONS.DVD

DCF_STRINGS.DVD

Folder election

dvscomm.cfg

VIF.DVD

VIF_BALLOT_INSTANCE.DVD

VIF_BALLOT_LAYOUT.DVD

VIF_CHOICE_INSTANCE.DVD

VIF_CONTEST.DVD

VIF_CONTEST_INSTANCE.DVD

VIF_ELECTION.DVD

VIF_PARTY.DVD

VIF_POLL.DVD

Folder temp

Emsession.pkf

Icpsession.pkf

1_5802236_5802236_TABULATED.DVD

busage

1_5802236_5802236_0_RAW.DVD

NR.txt

LR.txt

510Res

Restrans

Slog.txt

Stats.txt

Time frame analysis revealed an intriguing fact. The last ten (10) files were all modified on May 10, 2010 but were last accessed on two (2) other dates – September 28, 2064 and January 28, 2065. No plausible explanation can be offered for these two (2) future dates.

The file slog.txt was printed out[9] and its entries analyzed.

The log revealed that there was a SCANNER FAILED (70001)[10] entry during diagnostics and that the said diagnostics in fact failed – COMPLETE DIAGNOSTICS FAILED entry.[11]

A number of ballot scanning failures can be noted on the log file. The log file showed that there was a total of 103 ballot rejections out of a total of 385 votes cast. This is a high rejection rate of 26.75%. The total number of registered voters is 574.

A number of over-voting and under-voting, resulting in null votes, can also be deciphered from the subject log file. In order to fully reconcile the log file with the actual votes, the main CF card was decrypted at Smartmatic’s Cabuyao warehouse.

Reconciliation of the contents of the CF card showed the following over-voting and under-voting statistics:

| Position | Over-voting | Under-voting |
|---|---|---|
| President | 6 | 1 |
| Vice-President | 5 | 6 |
| Senators | 132 | 921 |
| Party List | 27 | 38 |
| Congressman | 18 | 13 |
| Governor | 6 | 53 |
| Mayor | 6 | 14 |

A total of twenty eight (28) red backup CF cards were completely imaged and readied for analysis. One (1) of these cards is totally empty or blank. The other cards are yet to be analyzed, pending the resumption of the forensic analysis – subject to the approval of the JCC.

Recommendations and Conclusions

Forensic analysis was done on a limited number of PCOS machines and CF cards, further constrained by time and resource factors.

The findings of the forensic analysis are still incomplete – pending the completion of the analysis of the remaining CF cards. Thus, no solid conclusion can be made based on this incomplete forensic analysis.

Thus, it is recommended to the JCC to order and allow the Joint Forensic Team to continue with the analysis and examination of the remaining twenty-seven (27) units of PCOS machines, and additionally perform the following:

1.      Extract the source code of the embedded program in the firmware of the PCOS machine or its hash code. This was not done because Smartmatic claimed that the machine’s console port is an outright port only and is used for error messages only. However, the forensic team felt that the PCOS machine can be queried, accessed, and manipulated through the console port.

2.      Conduct forensic analysis on the SIM cards of the modems to establish its usage and transmissions.

3.      Perform a full comparison of the ballot images in the sole main CF card with the generated Election Return from the same CF card – without any restriction from the COMELEC.  This restriction has hampered the Joint Forensic Team from fully conducting their mandated forensic analysis on the subject CF cards.

It is further recommended to the JCC to request the Senate to provide additional security measures so as not to allow the viewing public, other guests, and the media, from co-mingling with the Joint Forensic Team so as not to duly burden the latter in its work.

Prepared by Atty. Al S. Vitangcol III, CHFI, for the Joint Forensic team.

June 7, 2010.

Atty. Vitangcol also volunteered the information that each provincial COMELEC officer was allotted 20 spare CF cards. Neither the reason for this nor their actual use is known to this date.
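The imaging step the report describes (bit-stream copy, a known hash value for the evidence, examination of the copy only), as an added example that is not part of the report or of the forensic team's tooling. Computing SHA-256 beside MD5 is an addition here, since the report names only MD5 and MD5 alone is not collision-resistant; the in-memory "card" is constructed sample data.

```python
import hashlib
import io

CHUNK = 64 * 1024  # stream in fixed-size blocks; a card never has to fit in RAM


def _digests():
    return hashlib.md5(), hashlib.sha256()


def acquire(source, image, chunk=CHUNK):
    """Copy every byte of source into image and hash exactly what was read."""
    md5, sha256 = _digests()
    total = 0
    for block in iter(lambda: source.read(chunk), b""):
        image.write(block)
        md5.update(block)
        sha256.update(block)
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(image, record, chunk=CHUNK):
    """Re-read the stored image from the start and compare it with the record."""
    image.seek(0)
    md5, sha256 = _digests()
    total = 0
    for block in iter(lambda: image.read(chunk), b""):
        md5.update(block)
        sha256.update(block)
        total += len(block)
    seen = (total, md5.hexdigest(), sha256.hexdigest())
    return seen == (record["bytes"], record["md5"], record["sha256"])


def demo():
    """Acquire a constructed card, verify it, then show a one-byte change is caught."""
    card = bytes(range(256)) * 1000 + b"constructed trailing sector"
    image = io.BytesIO()
    record = acquire(io.BytesIO(card), image)  # record goes on the custody form
    intact = verify(image, record)
    image.seek(1234)
    image.write(b"\x00")                       # simulate a later change to the copy
    return record, intact, verify(image, record)


if __name__ == "__main__":
    print(demo())
```

On real evidence the source would be the card's block device opened read-only behind a write blocker, and the record would be written to the chain-of-custody form before any examination of the image.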


[1] Annex “A” – Letter of Atty. Tolentino of COMELEC to Sec. Emma Lirio Reyes of the Senate

[2] List of the members of the Joint Forensic Team included here as Annex “B”

[3] Annex “C” hereof.

[4] Transfer of Stenographic Notes of the June 4, 2010 session is hereto enclosed as Annex “D”.

[5] Included herewith as Annex “E”

[6] Chipset part numbers and description are listed in Annex “F”

[7] The printed log file of the one and only main CF card is enclosed herewith as Annex “G”.

[8] Annex “H”

[9] See Annex ‘G’

[10] Line 12, Page 5, slog.txt

[11] Line 13, Page 5, slog.txt
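The timeframe analysis described in the report, as an added example that is not the forensic team's tooling: it builds a modified/accessed timeline from a read-only mount of a card image and flags timestamps that need explaining, such as the 2064 access dates the report notes. The window bounds, the flag wording, and the sample tree (file names taken from the report, timestamps set by hand) are assumptions made for the example.

```python
import os
from datetime import datetime, timezone

UTC = timezone.utc
# Assumed window of interest (constructed): start of 2010 through the examination.
WINDOW = (datetime(2010, 1, 1, tzinfo=UTC), datetime(2010, 6, 8, tzinfo=UTC))


def build_timeline(root):
    """One record per file under root (a read-only mount of the card image)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            records.append({
                "path": os.path.relpath(path, root),
                "modified": datetime.fromtimestamp(st.st_mtime, UTC),
                "accessed": datetime.fromtimestamp(st.st_atime, UTC),
            })
    return sorted(records, key=lambda r: (r["modified"], r["path"]))


def flag_anomalies(records, window=WINDOW):
    """Return sorted (path, reason) pairs for timestamps that need explaining."""
    start, end = window
    flags = []
    for rec in records:
        for field in ("modified", "accessed"):
            if not start <= rec[field] <= end:
                flags.append((rec["path"], f"{field} outside window"))
        if rec["accessed"] < rec["modified"]:
            flags.append((rec["path"], "accessed before modified"))
    return sorted(flags)


def make_sample_tree(root):
    """Constructed sample: file names from the report, timestamps set by hand."""
    election_day = datetime(2010, 5, 10, 12, tzinfo=UTC).timestamp()
    future = datetime(2064, 9, 28, tzinfo=UTC).timestamp()
    sample = {"election/VIF.DVD": election_day,
              "temp/Slog.txt": future, "temp/Stats.txt": future}
    for rel, atime in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (atime, election_day))  # (access time, modification time)
```

A flagged timestamp is a lead to reconcile against the device clock reading and the audit log, not a finding in itself.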
