Forensic Auditors: Maricopa County Election Database Wiped One Day Before Audit

Cyber security contractors said an administrator account deleted the entire Maricopa County general election results the day before the audit began. Digital forensic auditors Ben Cotton and Doug Logan presented their findings to Arizona Senate President Karen Fann in Phoenix on Friday.

In his technical analysis, CyFIR founder Ben Cotton maintained the EMS server was connected to the internet February 1 and SQL logs indicated election records were wiped that day right before two audits were due to begin on February 2.

“There’s also a correlation to the purging of the database. It’s the day before the audit,” he announced. “Almost the same time exactly. Obviously, this requires an explanation.”

Cyber Ninjas founder Doug Logan confirmed this finding of the forensic audit.

Logan went on to explained, “some individual went into an application and they chose specifically to run something that would clear all records in the system that was used to generate the official results, the day before an audit started.”

The intentional overwrite of the security logs was cleared by the EMS administration account. The account was not assigned to any one particular individual, which presented the unique challenge of pinpointing the culprit.

However, Cotton said they luckily had data they were able to backtrack and align with video feeds.

He went on to say, “we have captured screen shots of Maricopa County people at the keyboards during those time periods.”

Arizona Attorney General Mark Brnovich has said he would take all necessary actions that were supported by evidence and where he had legal authority.