Danny 3
Danny 3
Danny 3
2 TABLE OF CONTENTS
1 Contact Details ............................................................................................................................................................... 1
3 Document Overview....................................................................................................................................................... 2
4 Tally Results .................................................................................................................................................................... 2
4.1 Presidential Race .................................................................................................................................................... 2
4.2 Senate Race ............................................................................................................................................................ 3
5 Voter History, Ballot, and Certified Results Findings ...................................................................................................... 3
5.1 Ballot Scoring Methodology ................................................................................................................................... 3
5.2 Finding Summary Table .......................................................................................................................................... 4
5.3 Critical Findings ...................................................................................................................................................... 5
5.4 High ........................................................................................................................................................................ 7
5.5 Medium Findings .................................................................................................................................................. 10
5.6 Low Findings ......................................................................................................................................................... 19
5.7 Informational Findings ......................................................................................................................................... 47
6 Voting Machine Findings .............................................................................................................................................. 61
6.1 Voting Machine Scoring........................................................................................................................................ 61
6.2 Digital Analysis Summary ..................................................................................................................................... 61
6.3 Findings Summary Table ...................................................................................................................................... 61
6.4 High Findings ........................................................................................................................................................ 62
6.5 Medium Finding ................................................................................................................................................... 72
7.6 Low Findings ............................................................................................................................................................... 91
7 About Cyber Ninjas ....................................................................................................................................................... 96
This audit is the most comprehensive election audit that has been conducted. It involved reviewing everything from the
voter history for the election, to retallying all 2.1 million ballots by hand, to performing forensic photography and review
of the ballot paper, to conducting cyber forensic imaging and analysis of the provided voting equipment. This extensive
process involved over 1,500 people who contributed a total of over 100,000 hours of time over the course of more than
five months from when setup began, to when this report is completed.
This volume of the report serves to outline details of the results from the audit; including all the data and evidence to
support the conclusions of this report.
4 TALLY RESULTS
The audit included a full hand-recount of all 2.1 million ballots from the 2020 General Election. During this process all
original ballots were counted, as well as those ballots returned from duplication. Ballots that were duplicated included
various categories of ballots that were not able to be run through the voting machines, such as damaged ballots or
Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) ballots. The tallies from the original ballots sent to
duplication, and the ballots received back from duplication were kept separate so that a comparison could occur. As can
be found in audit finding, “More Duplicates Than Originals,” there were more duplicates than there were originals. For
this reason, we utilized the counts of the originals for all official tallies.
This is the most important finding in the audit because the paper ballots are the best evidence of voter intent, and there
is no reliable evidence that the paper ballots were altered to any material degree.
Reconciliation of the voters who participated to ballots cast is first required at a every vote center for election day
voting. The County Audit Board is required to reconcile the voters who participated with the ballots cast for each
precinct prior to certifying the Official Canvass. The expected delta should be more voters who voted than votes cast
because some ballots were undervoted or overvoted. There were 277 precincts with a voter deficit, 65 precincts with an
equal number of voters who voted, and cards cast. There were 401 precincts with the expected surplus.
NOTE: We’ve been informed shortly before the release of this report that some of the discrepancies outlined could be
due to the protected voter list. This has not been able to be validated at this time, but we thought it was important to
disclose this information for accuracy.
REFERENCES
• State of Arizona – 2019 Elections Procedures Manual26
• A.R.S. § 16-621 – Proceedings at the counting center27
RECOMMENDATION
Legislation should be considered that requires regular audits of the duplicate ballot process.
26
https://azsos.gov/sites/default/files/2019 ELECTIONS PROCEDURES MANUAL APPROVED.pdf
27
https://www.azleg.gov/ars/16/00621.htm
Just as no two voters should share an AFFSEQ number, no two voters should share a voter ID number. The County
confirmed that voter IDs are generated automatically and that they are never reused. It was found that not only are two
voters sharing an AFFSEQ number, but they are also sharing a voter ID number.
registered to vote on 9/25/2018. The AFFSEQ on his registration form is . He was given
voter ID number of In row 1 below you can see that his voter ID number is now associated with ,a
female, at a different address in Phoenix. This unknown person who is using original voter ID voted
in the 2020 General Election using a mail in ballot. voted in person on election day.
Ballots
6
UOCAVA ELECTRONIC BALLOTS DOUBLE COUNTED Impacted
During our hand count, we identified multiple UOCAVA ballots that had been printed and duplicated more than once
(e.g., Double Votes). Below is one example of one double printed UOCAVA ballot that was assigned two different serial
numbers and submitted for duplication. This would result in two votes being counted for this one voter.
REFERENCES
• EAC - 2018 UOCAVA Data Set 46
RECOMMENDATION
Legislation should be considered which would require that systems utilized for UOCAVA would keep track of and help
prevent the double-printing of ballots.
46
https://www.eac.gov/research-and-data/datasets-codebooks-and-surveys
As an example, in Box EVH1/11-07/MC17349, the manifest shows that there are 14 batches of original ballots. When the
auditors opened the boxes to count the ballots, they observed 7 batches of original ballots, 8 batches of duplicate
ballots and one batch missing from the manifest. Batches of duplicate ballots in boxes of original undamaged ballots is a
difficult issue to unravel. During the hand count, we also identified several instances of damaged ballots in boxes with
original ballots. We are unable to determine if the damaged ballots had been duplicated and tabulated as duplicates.
The Election Procedures Manual makes it clear that damaged ballots sent to duplication must be separated and the
County did not consistently adhere to this rule.
The Arizona Secretary of State claims that duplicate ballots and the original damaged ballots sent to duplication are to
be segregated. In case No. CV2020-015285, Roopali Desai represented Arizona Secretary of State Katie Hobbs and said:
THE COURT: And those are segregated? I'm – those-- they don't get put in the pile where we're not going to be
able to find them anymore, right? We know where those are?
MS. DESAI: Duplicated ballots are -- those are --the original as well as the duplicated ballots are, by statute,
segregated and preserved.
REFERENCES
• Arizona Supreme Court Case – CV2020-01528549
• State of Arizona – 2019 Elections Procedures Manual50
RECOMMENDATION
All duplicated ballots should be separated and properly identified as duplicates. All original damaged ballots sent to
duplication should be separated and properly identified in compliance with the EPM.
49
https://www.supremecourt.gov/DocketPDF/20/20-809/163521/20201211121632424 12-11-
20%20Appendix%20Ward%20v%20Jackson.pdf
50
https://azsos.gov/sites/default/files/2019 ELECTIONS PROCEDURES MANUAL APPROVED.pdf
Ballots
N/A
HIGH BLEED-THROUGH RATES ON BALLOTS Impacted
A large number of the ballots from in-person voting, primarily on Election Day (ED), experienced bleed-through where
the marks from one-side of the ballot were clearly visible on the other side of the ballot. This does not happen when the
manufacturer recommended paper is utilized under normal circumstances.
The biggest concern with bleed through is if it occurs in a place that might somehow impact the reading of the ballot on
the other side of the paper. Ballots are generally designed to minimize this potential by offsetting the races on each side
of the paper so that if bleed-through does happen it is a safe distance away from the ballot ovals on the other side of the
paper. Maricopa County Ballots were designed in this manner.
The effect of this offsetting can be hampered, however, if the ballot printer is not in calibration (Please see Section
5.7.10, “Out of Calibration Ballot Printers”). When this occurs the miscalibration causes the front of the ballot to not
align where it was intended to on the back of the ballot. If this miscalibration is off enough it could allow the bleed-
through to fill out a ballot oval on the other side of the paper and cast a vote, cause an overvote, or simply confuse the
tabulator enough to send the ballot to adjudication. Out of the several thousand ballot images that were manually
reviewed we could not find any images where bleed-through was close enough to a ballot oval to cause mistabulation,
nor did we see any immediate correlation with adjudication. The Dominion tabulators appeared to focus on the actual
oval and no bleed-through example was found where a ballot printer was so miscalibrated it actually filled a portion of
the oval.
The large number of papers utilized during this election and the lack of official reporting about what paper stocks were
utilized made it difficult to identify any potential counterfeit ballots. Standardization on these details would more greatly
facilitate future audits.
REFERENCES
• Dominion Printing & Finishing Specifications55
RECOMMENDATION
Legislation should be considered that would require that paper stocks utilized on election day should conform to
manufacturer recommendations to ensure that the paper that has been tested in the device is what is actually utilized to
cast votes. Legislation should also be considered that mandates the standardization of paper utilized for the election
including requiring that the ballot stock amounts utilized be fully accounted for and tracked.
INSTANCES
Kinematic Artifact processing is currently evaluating the ballot images to do a full analysis of types of paper utilized. A
full report documenting all of the papers utilized is expected in the coming weeks.
55
https://www.sos.state.co.us/pubs/elections/VotingSystems/DVS-DemocracySuite511/documentation/SD-IC-PrintingSpecification-
5-11-CO.pdf
Ballots
N/A
OUT OF CALIBRATION BALLOT PRINTERS Impacted
A large number of ballots appear to have been printed on printers not properly calibrated. This means that the front-
page of the ballot is not consistently aligned with the back page of the ballot. The way this alignment presented
appeared to be unique for each vote center printer. This is contrary to manufacturer guidelines and recommendations
and could theoretically result in inconstant reading of votes across all the different tabulators, although we identified no
instances of this issue causing a ballot to be tabulated incorrectly in the several thousand images reviewed.
RECOMMENDATION
Legislation should be considered that would require that the election equipment be properly maintained, including, but
not limited to ensuring that ballot printers are properly calibrated.
INSTANCES
The Kinematic Artifact processing is currently processing ballot images to fully map all printer miscalibrations. A full
report is expected in the coming weeks.
Ballots
N/A
REAL-TIME PROVISIONAL BALLOTS Impacted
The Arizona Secretary of State Elections Procedures Manual identifies circumstances that require the issuance of a
Provisional Ballot. If a voter appears in the e-pollbook or signature roster as having received an early ballot by mail, but
the voter wants to vote in person on Election Day, that voter must be issued a Provisional Ballot. However, Maricopa
County reported 58,550 voters who had received mail ballots but were issued standard ballots on Election Day. The
County identifies these as “real-time Provisional Ballots.” There is no mention of real-time provisional in the AZ Elections
Procedures Manual. In fact, the EPM specifically addresses this circumstance and is clear that such voters must be issued
a Provisional ballot.
There appears to be no statutory authority for Maricopa County to deviate from the EPM and issue standard ballots to
voters who had already received a mail ballot. We identified no instances of these voters casting more than one ballot,
however.
This was reported as a note at the bottom of page 12,329 of the November General Election Canvass Final -below:
57
https://www.sos.state.co.us/pubs/elections/VotingSystems/DVS-DemocracySuite511/documentation/SD-IC-PrintingSpecification-
5-11-CO.pdf
RECOMMENDATION
Legislation should be considered that would require applications developed and utilized for voter rolls or voting to be
developed to rigorous standards that ensure the confidentiality and integrity of the systems. Specifically, its
recommended that the Open Web Application Security Project (OWASP) Application Security Verification Standard
(ASVS) Level 3 be applied to all applications associated with voter rolls or voting and that it be required that this be fully
validated no less than once every two years.
Ballots
N/A
QUESTIONABLE BALLOTS Impacted
Analysis of the paper ballots has discovered ballots which exhibit characteristics that are anomalous and do not match
known legitimate ballots. This includes color ballots that are missing Machine Identification Codes (MIC), as well as
ballots that are demonstrating consistent printing irregularities that suggest they were not printed with the standard
ballot PDF generated from the Dominion Election Management System (EMS). These irregularities may have logical
explanations, but these explanations are not immediately evident.
NOTE: The questionable ballots have been reviewed to determine if they favor one presidential candidate over another
presidential candidate. No discernable pattern could be determined. This highly suggests that these are not counterfeit
but do require some sort of explanation.
REFERENCES
• Maricopa County Election Facts and Myths62
• Runbeck Printing Website63
• HP PageWide WebPress T HD Specification64
RECOMMENDATION
Legislators should consider passing laws standardizing the papers and printing process utilized for printing ballots and
requiring documentation to be kept of all papers utilized. This will facilitate determining if a ballot is in fact genuine and
remove any areas for confusion.
60
https://www.maricopa.gov/DocumentCenter/View/70435/Final-Signed-Letter-to-Senators
61
https://www.cisa.gov/election-security
62
https://recorder.maricopa.gov/justthefacts/
63
https://runbeck.net/election-solutions/election-printing-mailing/
64
https://www.hp.com/us-en/commercial-industrial-printing/pagewide/t250-hd-web-presses.html
According to the Master File Table (MFT) of the drives, a large number of files on the Election Management System
(EMS) Server and HiPro Scanner machines were deleted including ballot images, election related databases, result files,
and log files. These files would have aided in our review and analysis of the election systems as part of the audit. The
deletion of these files significantly slowed down much of the analysis of these machines. Neither of the “auditors”
retained by Maricopa County identified this finding in their reports.
The audit has discovered 263,139 ballot images on the election system that are corrupt and unreadable TIFF format
images. It is unclear what events could have resulted in this number of images being corrupted. The corruption of the
ballot images in the election system only occurs for ballots that were scanned on or after November 1, 2020. No
corruption of ballot images occurred in the 1,347,240 ballots processed on the same nine high-speed scanners prior to
November 1, 2020. The image corruption is incongruous with the performance of those same nine high-speed scanner
systems during the entire election prior to November 1, 2020. For each of the eight high-speed scanners used for ballots
scanned starting on November 1, approximately half of the TIFF images are corrupted. The corruption prevents the audit
team from confirming the efficacy of the vote totals and the correlation to the paper ballots stored in the various
batches.
TIFF image batches were corrupted in some way and not entirely readable for the purposes of the audit. This means that
it was impossible to confirm that the electronically recorded votes corresponded to the corrupted TIFF ballot images. In
this scenario it is possible that manipulation of the electronic vote totals occurred in the instances where the TIFF
images are corrupted. These corrupt TIFF images are not in the folder structure where finally adjudicated ballots are
held. Instead, the corrupted adjudicated ballots for “Early Vote Spare 2” are located amongst what appear to be test
batch ballot images.
NOTE: Because these images are critical, a new copy of these images was requested from Maricopa County, but a
response was not given.
Figure 12 - HiPro 1 Early Vote Spare 2 Showing 97,098 Ballot Tiff Images, Showing the High Volume on these Devices.
The total number of ballot images that exist within the body of computer forensics material provided for the audit is
substantially less than the official vote totals and the total number of paper ballots audited. 21,273 ballot images are
entirely missing from the forensics images of the election equipment. This means that there are electronic votes
recorded, but no actual ballot images that correspond to the votes. This makes it impossible to fully validate the results
or confirm that the Election Management System (EMS) was not tampered with.
The results from the high-speed scanners from 11/1 to 11/13 are not found in the folder named, “20201103 General
ballots and election files and adjudicated tabulators.” We find the bulk of them in “20201103 General\Results” folder.
The first 15-20 (depending on the specific high-speed scanner) of these batches do not have ballot images. The total
number of missing ballot images is 21,273.
Figure 14 - The tabulator results are found in two different folders, "20201103 General Ballots and
election files and adjudicated tabulators" and "20201103 General.”
Add these totals together and this is the total number of TIFF images on the EMS for the election.
Then take the total number of ballots from the EMS from and subtract the total from the above commands.
RECOMMENDATION
Legislation should be considered that will make ballot images an artifact from an election that is publicly published for
increased transparency and accountability in the election process.
INSTANCES
Software and Patch Management
CISA outlines the necessity for software and patch management within election systems. Specifically, CISA states
“Failure to deploy patches in a timely manner can make an organization a target of opportunity, even for less
sophisticated actors, increasing the risk of compromise.” It is clear that there was no established program to patch the
operating system or even update the antivirus definitions. Neither the operating system nor the antivirus had been
patched or updated since August 2019 (the date of the installation of the Democracy Suite). The county released a
statement that they were prohibited from updating the operating system, that had they done so it would have
invalidated the certification issued by the Voter Assistance Commission (VAC) for the Dominion software. This
statement is contradicted by the County’s own actions following the installation of the Dominion software. Contrary to
the claims that updating items on the election systems would invalidate the certification of the election system by the
EAC, forensic analysis revealed that after the installation of the Dominion software in August 2019, 4 EXE packages
were created, 45 EXE packages were updated and/or modified, 377 Dynamic Link Libraries (DLL) were created, and
1053 Dynamic Link Libraries were modified on the EMS server. If updating the operating system with patches and
updating the antivirus definition file would have invalidated the voting certification, then the county had already
invalidated the certification prior to the general election of 2020. Neither security audit contracted by Maricopa
County noted these findings in their report.
SLI Compliance report page 11 states that the Maricopa County produced 6 EMS computers. Further analysis indicated
that there were 4 EMS workstations and 2 EMS servers. Maricopa County only produced 1 EMS server and 4 EMS
workstations despite the Arizona Senate subpoena requesting ALL EMS servers and systems utilized in the 2020 General
Election. This has impacted the ability to complete the audit of the digital network and devices. For example, if malware
was resident on the missing EMS or that machine was utilized in any manner to manipulate the results of the election;
this would not be able to be determined from our analysis.
INSTANCES
Network Related Data
The Arizona Senate Subpoena to the Maricopa County Board of Supervisors included the production of network
routers, router configuration files and managed switches used in the 2020 General Election. In subsequent
conversations with county officials and county attorneys between 4/22/21 and 4/30/21 these officials agreed to
provide virtual access to the systems and to provide archived Splunk data beginning 60 days prior to the election and
ending 90 days following the election. Maricopa County refused to provide any data citing that the production of the
router data would compromise ongoing law enforcement operations and the personally identifying information (PII) of
Maricopa County residents. Maricopa County and the Arizona State Senate recently settled their dispute regarding
outstanding subpoena items, so this portion of the audit is not yet complete.
The EMS, as produced to the auditors, only had the Poll Worker role programmed into EMS. The Poll Worker role did
not have the necessary privileges and functionality to create an administrative iButton credential. In their response to
the Arizona Senate request for the administrative ICP2 iButton credentials, the Maricopa County officials indicated that
they did not possess these credentials and only the contracted Dominion employees have access to these credentials.
Dominion has refused to comply with the production request. Given the inability to create administrative tokens with
the EMS and the statement by Maricopa County concerning the ownership of the administrative iButtons, Maricopa
County is unable to validate tabulator configurations and independently validate the voting system prior to an election.
Additionally, since Maricopa County does not control the administrative iButtons, Maricopa County is apparently
unable to independently configure, validate the voting systems prior to an election, or satisfactorily freeze the
configuration of the systems for the required time periods during an election. If only the vendor controls the
administrative iButtons, Maricopa County has no way of checking the configuration of the tabulators.
Figure 18-DNS Update Table Recovered from the Maricopa County EMS.
While the Windows security logs from the Maricopa County EMS server only are present from 2/5/21 to 4/12/21, there
are a significant number of atypical remote, anonymous logins contained in the Windows security logs. Below is an
example of the atypical anonymous logons. Note that this is a remote login (login ). Note that the Workstation
Name, Source Network Address and Source Port log elements are not populated, and that root/system level access is
granted. It is normal for logins from the local system (login type to not populate these data fields, but the
fact that it is a network remote login (login type 3), and the fields are not populated is irregular and indicates that this is
not a typical anonymous login. A search of the event logs from other Windows 2012 R2 servers did not reveal a single
logon type anonymous log entry that did not record these log data elements.
Analysis of the system labeled Adjudication 2 (CyFIR evidence designation AZAud-E-087) revealed that this system
contained two bootable hard drives. These two hard drives were subsequently labeled One of the AZAud-E-087-1 and
AZAud-E-087-2. Neither security audit contracted by the Maricopa County noted this finding in their report.
Configured to communicate with an SMTP server address of in the Dominion Voting Systems
NLog.config file. Note: the nslog.config files on this system also contained clear text passwords, one of which
was the password for the emsdbadmin account.
The discovery of a system with a dual boot configuration is a significant finding. First, it demonstrates a failure in the
hardware configuration management of the Maricopa County election systems. Second, two bootable hard drives
within the same system, under certain circumstances would create a situation where one operating system could act as
a “jump box” where one system could access the internet and the other system would be restricted to an isolated
network. This is commonly called a dual homed access and could have provided an access route into the voting system
network. Without the router data, historical Splunk data and NetFlow data, we cannot complete the full analysis of the
impact of this dual boot computer. Neither of the two audits performed by Maricopa County detected or reported this
additional, bootable hard drive on the Adjudication 2 system.
The Windows event logs that were present on the EMS Server that was produced by Maricopa County contain Windows
security event logs ( ). This file records the Windows operating security events for the EMS server including
all user accesses, whether those accesses are from the local system itself or from accessing the system remotely. This
log file was restricted by a policy set by Maricopa County to a file size of 20,480KB (20MB). The logging activity was set
to automatically overwrite the existing log entries if the security file exceeded this size. The overwrite action would
write a new log entry and delete the oldest entry in the log file. In the case of the security.evtx file on the EMS server,
the earliest retained log entry was dated 2/5/2021 10:37:49 AM (the last day of the Pro V & V audit) and the latest entry
was dated 4/12/2021 4:53:16 PM. The logs were not preserved and did not cover the dates for the general election (3
November 2020). An examination of the EMS and other systems involved in the 2020 General Election did not discover
any enabled external log aggregation functionality nor were historical logs beyond those that were contained on the
operating systems provided to the digital examination team. The security access logs were not preserved and were
overwritten.
The county did not provide a network diagram, a function diagram or any other documentation to determine if in fact a
given system was supposed to be connected to the internet. Public statements by the county made clear that no
election related system was connected to the internet. For the purposes of the internet examination, auditors used this
statement as the starting point to prove or disprove that there was internet connectivity accessible to the systems
provided by the county as a result of the subpoena. In the course of the examination definitive evidence was recovered
that the EMS, EMS Client 1, EMS Client 3, EMS Client 4, REWEB 1601, and the REGIS 1202 systems had access to the
internet after the installation of the Dominion voting software suite was installed on 8/6/2019. Given the nature of
unallocated space analysis this is by no means a complete recovery of all internet history, but is definitive for the
recovered internet artifacts on the dates and times indicated.
In addition to the HTTP(S) connections, there were 51 records recovered that contained 143 connections to an internal
device that was not produced by Maricopa County with an IP address of .
7.6.1ELECTION DATA FOUND FROM OTHER STATES Likelihood: Low Impact: Medium
The Maricopa County Adjudication 2 system had two bootable hard drives. The drive identified as
contains a directory . Inside of that directory are subdirectories that appear to contain data from other
jurisdictions and what appears to be demonstration data. Specifically, these directories are named