Even so, what CrowdStrike gave the FBI is likely better than if it had seized and analyzed a physical box.

“To keep it simple, let’s say there’s only one server. CrowdStrike goes in, makes a complete image including a memory dump of everything that was in the memory of the server at the time, including traffic and connections at the time,” Rid said. “You have that image from the machine live in the network including its memory content, versus a server that someone physically carries into the FBI headquarters. It’s unplugged, so there’s no memory content because it’s powered down. That physical piece of hardware is less valuable for an investigation than the onsite image and data extraction from a machine that is up and running. The idea a physical server would add any value doesn’t make any sense.”

What Rid means is that after a hack, some of the evidence of who did it and how they did it may be fleeting. It could be in the server’s memory, the RAM, and not stored on its hard drive. (Hackers use “fileless” malware precisely for this reason.) To preserve evidence in cases like these, incident responders need to make an image—essentially a copy of the server in that exact same state at that exact same time—so they can look at it afterwards. Think of it the way investigators photograph a crime scene or a victim: the record is taken before anything changes.
"For decades, it has been industry-standard forensic and digital evidence handling practice to conduct analysis on forensic images instead of original evidence"
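To make the two points above concrete (volatile evidence that exists only in memory, and analysis done on hash-sealed images rather than on the original), here is an added example written for this page; it is not code from the article, from CrowdStrike, or from any FBI tooling. The "disk" and "memory" contents, the indicator string, and the 203.0.113.5 address are constructed sample data. It acquires both views of a host, records a SHA-256 at acquisition, hands analysts a verified working copy, and shows that the connection record is found only in the memory image.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample evidence (not real data): the same host seen two ways.
# The disk holds nothing unusual; the memory image holds a connection record
# that a "fileless" intrusion would leave only in RAM.
DISK_CONTENTS = (
    b"/etc/hostname: mailhost\n"
    b"/var/log/auth.log: accepted password for admin\n"
)
RAM_CONTENTS = (
    b"sshd: session opened\n"
    b"injected-thread: C2-CONNECT 203.0.113.5:443\n"
    b"page cache: index.html\n"
)
INDICATOR = b"C2-CONNECT 203.0.113.5:443"  # placeholder indicator, not a real IoC


@dataclass(frozen=True)
class ForensicImage:
    label: str
    data: bytes
    sha256: str  # hash recorded at acquisition time and carried with every copy


def acquire(label: str, source: bytes) -> ForensicImage:
    """Take a bit-for-bit copy of the source and seal it with a SHA-256 hash."""
    return ForensicImage(label, bytes(source), hashlib.sha256(source).hexdigest())


def verify(image: ForensicImage) -> bool:
    """Recompute the hash; any deviation means the image changed after acquisition."""
    return hashlib.sha256(image.data).hexdigest() == image.sha256


def working_copy(image: ForensicImage) -> ForensicImage:
    """Analysts work on a copy; the original sealed image is never touched."""
    copy = ForensicImage(image.label + " (working copy)", bytes(image.data), image.sha256)
    if not verify(copy):
        raise ValueError("working copy does not match acquisition hash")
    return copy


def find_indicator(image: ForensicImage, needle: bytes) -> list:
    """Return every byte offset at which the indicator appears in the image."""
    offsets, start = [], 0
    while (pos := image.data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def triage(disk: bytes, ram: bytes, needle: bytes) -> dict:
    """Acquire both views of the host and search verified copies for the indicator."""
    disk_img = working_copy(acquire("disk", disk))
    ram_img = working_copy(acquire("memory", ram))
    return {
        "disk_hits": find_indicator(disk_img, needle),
        "memory_hits": find_indicator(ram_img, needle),
        "disk_sha256": disk_img.sha256,
        "memory_sha256": ram_img.sha256,
    }


if __name__ == "__main__":
    # On this constructed host the indicator is absent from disk and present in memory:
    # a powered-down seizure would have lost it.
    print(triage(DISK_CONTENTS, RAM_CONTENTS, INDICATOR))
```

The hash is what lets a third party (here, the FBI) trust an image it did not acquire itself: anyone holding the acquisition hash can re-run `verify` on the copy they received and confirm it is byte-for-byte what was captured on the live machine.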
Robert Mueller’s indictment relies on information that goes far beyond any single server to tie the Russians to the hack. For example, the indictment states that Russian military agents’ search histories indicated an interest in the DNC network in the weeks leading up to one of the hacks; it also has specific information about the development of malware (called X-Agent and X-Tunnel) used to surveil DNC employees and exfiltrate data from their computers, as well as specifics about the types of spearphishing attacks Russians allegedly launched against DNC employees. The indictment also has information about an Arizona-based server that the Russians leased to filter data through.
"The evidence that we have going back to before the Mueller indictment was published was already overwhelming"