I've been rooting around some old articles. The FBI sends mixed signals ...
Comey: DNC denied FBI's requests for access to hacked servers - TheHill - January 10, 2017
Director James Comey told lawmakers on Tuesday ... "We'd always prefer to have access hands-on ourselves if that's possible," Comey said, noting that he didn't know why the DNC rebuffed the FBI's request.
The subject of "server access" invites confusion, and all the parties involved have an interest in increasing the level of confusion. At any rate, a more accurate and generic description of FBI Standard Operating Procedure (SOP) appears in this article:
FBI, Dems bicker over investigation of hacked servers | TheHill | January 5, 2017
But a former FBI official told The Hill it's not unusual for the bureau to bypass a direct examination of a hacked server. "In nine out of 10 cases, we don't need access, we don't ask for access, we don't get access. That's the normal [procedure]," Leo Taddeo, a former special agent in charge of the cyber division of the FBI's New York office, told The Hill.
"It's extraordinarily rare for the FBI to get access to the victim's infrastructure because we could mess it up," he added. "We usually ask for the logs and images, and 99 out of a hundred times, that's sufficient."
Asking for direct access to a server wouldn't be necessary, Taddeo said, "unless there was a reason to think the victim was going to alter the evidence in some way."
"Images" is a jargon reference to an EXACT copy of a hard drive, or part of a hard drive, for example a "partition" on a hard drive. Think of it as an exact duplicate - not a backup of the files, but an exact bit-for-bit copy of the infected hard drive.
My questions are: Did the FBI request logs and images? Did the DNC deliver the logs and images?
All the evidence cited in the CrowdStrike report relates to material that would exist in logs and images.
Some hacking techniques leave scant or even ZERO tracks in the hard drive, and are transient in memory and network traffic. For those sorts of attack, access to the server, while it is running, is necessary to see the attack while it is underway. Also, some servers have crappy logging, so intrusions are not logged.
Maybe this is a case of Keystone Cops meet victim who has something to hide. Both sides prefer the investigation be botched, and to be able to blame it on the other.
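To make the "image" distinction in the post concrete, here is an added example (not from the post or any cited article) that simulates a tiny partition as a constructed byte buffer. It shows why a forensic image differs from a file backup: the image keeps bytes the filesystem no longer lists (a deleted file's residue in unallocated space), while a backup of the files does not, and it shows the hash check an examiner runs to prove the image is an exact copy of the source. The partition layout, file names, and contents are all made up for the demonstration.

```python
import hashlib

BLOCK = 16  # constructed block size for the toy partition


def build_constructed_disk():
    """Return (disk_bytes, directory) for a made-up 3-block partition.

    Block 0: a live file the filesystem still lists.
    Block 1: a file that was deleted (unlinked) but whose bytes were never overwritten.
    Block 2: never-used free space.
    """
    live = b"mail.txt: hello".ljust(BLOCK, b"\x00")      # allocated, 15 bytes + padding
    deleted = b"passwd.old: s3cr".ljust(BLOCK, b"\x00")  # unlinked residue, still on disk
    free = b"\x00" * BLOCK
    disk = live + deleted + free
    # What the filesystem's directory exposes: only the live file (offset, length).
    directory = {"mail.txt": (0, len(b"mail.txt: hello"))}
    return disk, directory


def file_level_backup(disk, directory):
    """A 'backup of the files': copies only what the directory lists."""
    return {name: disk[off:off + ln] for name, (off, ln) in directory.items()}


def bitwise_image(disk):
    """A forensic image: every byte of the partition, allocated or not."""
    return bytes(disk)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(disk, image):
    """Acquisition check: the image is only evidence-grade if its hash matches the source."""
    return sha256(disk) == sha256(image)


def residue_present(data, marker=b"passwd.old"):
    """Does this copy still contain the deleted file's bytes?"""
    return marker in data


if __name__ == "__main__":
    disk, directory = build_constructed_disk()
    image = bitwise_image(disk)
    backup = file_level_backup(disk, directory)
    print("image verified:", verify_image(disk, image))
    print("deleted residue in image:", residue_present(image))
    print("deleted residue in backup:", any(residue_present(v) for v in backup.values()))
```

In real acquisitions the same idea applies with a hardware write blocker and a tool such as `dd` or an imager that records the source and image hashes; the point of the hash is that a single altered byte, as in the tampered case the test below checks, breaks the match.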
Some hacking techniques leave scant or even ZERO tracks in the hard drive, and are transient in memory and network traffic. For those sorts of attack, access to the server, while it is running, is necessary to see the attack while it is underway. Also, some servers have crappy logging, so intrusions are not logged.
...and if it wasn’t a hack, but an insider who snagged a copy of the emails on the server from a backup, there would be nothing on the log. The dog that didn’t bark, so to speak.