Audit official says he ‘recovered’ files, undercutting claim county officials deleted them

By: - May 18, 2021 4:49 pm

An observer watches as contractors working for Cyber Ninjas, who was hired by the Arizona State Senate, examine and recount ballots from the 2020 general election at Veterans Memorial Coliseum on May 8, 2021. Photo by Courtney Pedroza | The Washington Post/pool

A contractor said he was able to recover data that the Senate’s election audit team previously accused Maricopa County of deleting, undermining a serious allegation the audit publicly lodged against county election officials.

During a hearing in the Senate on Tuesday afternoon, Ben Cotton, founder of the digital forensics company CyFIR, a subcontractor on Senate President Karen Fann’s audit team, said he recovered the files after properly configuring the hard drive where the data was stored.

“I’ve been able to recover all of those deleted files, and I have access to that data,” Cotton said.

Cotton’s explanation indicates that county officials were correct when they said no files had been deleted

The audit’s official Twitter account explicitly claimed the county “deleted a directory full of election databases from the 2020 election cycle” shortly before turning over its ballot tabulation machines to the audit. To back up its claim, it posted a screenshot purporting to show a list of deleted files, all of which were shown as being modified on April 12, about a week and a half before the county delivered the machines to Veterans Memorial Coliseum, where the audit is being conducted.

In a response letter to Fann on Monday, the county Board of Supervisors said the elections department shut down the servers on that date, and that the “modified” date only indicates changes the software made to the files’ metadata, which it said was a routine occurrence. Cotton said the audit team didn’t turn on the machines after receiving them.

Rather than examine the machines themselves, the audit team made digital copies of the equipment. The third-party software CyFIR used to analyze those digital copies gave the appearance that files were missing or deleted because the files were not in their original place, the county speculated. 

Nonetheless, Cotton repeatedly used the word “deleted,” as did Senate Judiciary Committee Chairman Warren Petersen, who questioned audit team members with Fann at the hearing. After the hearing, Fann stood by Cotton’s assertion that the files had been deleted but he was able to recover them, though she said she wouldn’t refer the issue to the Attorney General’s Office or other law enforcement because “we never said there was any wrongdoing.”

It would be illegal for county officials to intentionally delete files related to the election.

County officials seized on Cotton’s statement as evidence that the claim was false. Maricopa County tweeted that the accusation was a lie, and noted that the audit team “recovered” the allegedly deleted files shortly after the county provided a technical explanation to Fann regarding the files.

“Sooo… they’ve now ‘recovered’ the allegedly deleted files?  Wonder if our technical document explaining this helped,” the county wrote on its official Twitter account.

County Recorder Stephen Richer also described Cotton’s statement as an acknowledgement that the audit team erred in alleging that the county deleted files.

“In sum, the Senate’s audit Twitter account jumped to a conclusion, without researching it, that accused my team of violating the law… But now they admit that… Woops!,” Richer tweeted. “No worries. Just resulted in scores of emails and calls accusing me of unlawful conduct.”

Former President Donald Trump himself issued a statement alleging that the county illegally deleted an “entire database.” 

Baseless conspiracy theories and false claims that the 2020 presidential election was rigged against Trump led Fann to subpoena election materials and call for an audit in December, and the former president’s supporters quickly seized on the audit’s claims about the deleted files. 

Tuesday’s hearing, which Fann called to address several allegations and issues the audit team raised — she asked the supervisors to attend so they could answer questions in person, but they refused — put other issues to rest as well.

Fann had questioned why broken seals for secure bags used to transport ballots were found in the bottom of the boxes of ballots that the county provided to the audit team. The county explained that the bags are only used to transfer ballots to the central tabulation center, but that the cut seals from the bags were included in the boxes the ballots were transferred to.

Doug Logan, CEO of the Florida-based cybersecurity firm Cyber Ninjas, who is leading the audit team, told Fann that the county’s explanation resolved their questions.

Arizona Senate hires a ‘Stop the Steal’ advocate to lead 2020 election audit

The audit team also accused the county of failing to properly document chain of custody for the nearly 2.1 million ballots it turned over to the audit team. The county said that claim was perplexing, considering the extensive documentation signed by Ken Bennett, Fann’s audit liaison, when the ballots were delivered to the coliseum.

Bennett clarified at the hearing that his questions were about the custody of the ballots between Election Day on Nov. 3 and late April, when the county turned over the ballots. Fann and Petersen didn’t request that information in their subpoenas, and the county wrote on Twitter that the only time the ballots have left the vault at the elections department is when officials loaded a batch of them onto a truck for delivery to the Senate, ultimately returning them to the vault because Fann hadn’t yet found a place to store them.

Members of Fann’s audit team again questioned why the county hasn’t turned over other materials that Fann and Petersen requested.

The county hasn’t turned over passwords that provide administrative access to its ballot tabulation machines, which it said is because county officials don’t actually have those passwords and don’t need them to conduct elections. County officials said on Monday that Dominion Voting Systems, the vendor that owns the machines, would only give those passwords to accredited companies, as it did when the county hired two companies to audit the machines earlier this year.

Cotton said because the county doesn’t have those passwords — those are held by two full-time Dominion contractors at the elections department — county officials can’t verify their auditors’ findings that the machines weren’t connected to the internet or, for example, that they didn’t have Verizon wireless cards installed.

But the auditors the county hired, SLI Compliance and Pro V&V, found that the machines had never been connected to the internet. Dominion shared the passwords with those companies, which are both accredited by the U.S. Election Assistance Commission.

Potential internet connections, a core component of many election fraud conspiracy theories, were also a concern in the Senate’s ongoing dispute with the county over routers that county officials refuse to turn over. The county has refused to turn over the routers, or even provide access or digital copies, saying that it would cost millions of dollars, disrupt the operations of other county departments that use them and compromise law enforcement information and other sensitive data.

Cotton said the data that the county has expressed concerns with shouldn’t exist on the routers, and that he is confident he could examine the routers without creating any security breaches. He said he needs to examine the routers to determine whether ballot tabulation machines were connected to the rest of the county’s infrastructure, and therefore connected to the internet.

Logan also disputed the county’s explanation for why documentation listed different numbers of ballots than were actually contained in some of the batches turned over by election officials. 

Batches are supposed to have 200 ballots apiece, but the county explained in its letter to Fann that some batches have more or less due to the duplication process, in which ballots that are damaged or are otherwise unreadable by tabulation machines must be copied onto new ballots. Logan said on Tuesday that the explanation didn’t square with some of the documentation the auditors received, holding up a yellow sheet of paper that he said was from one of the batches the county used as an example and had only 198 ballots, but didn’t mention any duplicates.

“We took into account duplicates in the number that we gave and it still wasn’t explained. So, I’m still uncertain as to why these boxes are off and these sheets do not match the reality of what we’re running into,” Logan said.

The county responded on Twitter with a frequent assertion from the supervisors’ meeting and press conference on Monday: that Cyber Ninjas and the other contractors are making mistakes because they’re unqualified and lack experience in elections.

“You’re not an election expert so you don’t know what this yellow paper means,” the county tweeted, directing Logan to the letter the supervisors sent Fann on Monday.

The audit is on hiatus this week due to a series of high school graduations scheduled at Veterans Memorial Coliseum, and will resume on Monday. Logan said the recount, which was originally expected to conclude on May 14, is on pace to end before June 30.

Jerod MacDonald-Evoy contributed to this report.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.

Jeremy Duda
Jeremy Duda

Associate Editor Jeremy Duda is a Phoenix native and began his career in journalism in 2003 after graduating from the University of Arizona. Prior to joining the Arizona Mirror, he worked at the Arizona Capitol Times, where he spent eight years covering the Governor's Office and two years as editor of the Yellow Sheet Report. Before that, he wrote for the Hobbs News-Sun of Hobbs, NM, and the Daily Herald of Provo, Utah. Jeremy is also the author of the history book “If This Be Treason: the American Rogues and Rebels Who Walked the Line Between Dissent and Betrayal.”

MORE FROM AUTHOR