Computer security experts tell Media Matters that the report of a federal investigation into Sharyl Attkisson's claims of computer hacking, which found no evidence of a remote intrusion, suggests that Attkisson's computer may have been contaminated by a private technician who reviewed the computer for her.
Attkisson, a former CBS News reporter who now writes for the Heritage Foundation's Daily Signal, has claimed that her computers were hacked under an alleged federal effort to monitor her following her critical reporting of the Obama administration.
But the investigation from the Justice Department's Office of the Inspector General, based on an examination of her personal computer, found that the OIG “was not able to substantiate the allegations that Attkisson's computers were subject to remote intrusion by the FBI, other government personnel, or otherwise,” according to an abbreviated report of the review that was entered into the congressional record when Attkisson testified before Congress on January 29.
Computer security experts contacted by Media Matters reviewed the OIG report and explained that the findings revealed that at least one of the private technicians used by Attkisson likely contaminated any evidence that may have been on her computer.
In her book Stonewalled, Attkisson describes a private computer forensics analyst hired by CBS News coming to her house in February 2013 to examine her computers for potential intrusions.
The technician initially “opens up the CBS News laptop and begins deconstructing the files,” until he finds some suspicious activity having occurred in December 2012. The technician then decides to take “a quick look at [Attkisson's] personal Apple iMac desktop computer” before leaving. He goes “straight to December” on the iMac as well, finds more suspicious activity, and tells Attkisson, “Oh shit!...That's not normal. Someone did that to your computer.”
CBS News confirmed in June 2013 that Attkisson's CBS-issued laptop was breached, using what were “sophisticated” methods, but did not comment on her personal computers, nor did they identify the party or parties behind the breach. Attkisson then gave her personal Apple computer to the DOJ's inspector general for review, claiming evidence from the CBS analyst and other private security technicians who examined her computers confirmed for her that she was under surveillance by the federal government.
The OIG report “did not find evidence of remote or unauthorized access.” However, they did find evidence of someone with physical access to the computer performing an examination in February 2013 (around the same time Attkisson says a CBS technician visited her home) that “is not forensically sound nor is it in accordance with best practices.” The OIG concluded that this technician's actions “could have obscured potential evidence of unauthorized access.”
Computer security experts contacted by Media Matters reviewed the OIG report, and agreed with the government's assessment that the technician's actions ignored the basics of standard forensic examination and contaminated the computer.
“We would never sit down, turn on the computer and start doing our investigation from the computer itself, for a number of reasons,” said Peter Theobald, a computer forensics investigator with TC Forensics of Syosset. N.Y. “One is that our own activities would leave traces all over the computer. It would be like going to a crime scene in big muddy boots and walking all over the crime scene. We would copy the hard drive first and all of our work would be done from that copy.”
Steven Burgess, a computer expert with Burgess Consulting of Santa Maria, CA., agreed. “Any forensic person is going to make a forensic image of a hard drive or they're going to be changing things on the computer, the first thing you do is pull the hard drive out of the computer,” he said, later adding the examination “was done in a forensically unsound fashion.”
Leon Mare of Expert Data Forensics in Las Vegas said via email that research on the computer while it is on “caused spoliation of the evidence by not following correct forensic protocol, so even if her suspicion was founded, the evidence had been tampered with by the technician topped with the fact that she continued to use her laptop after he determined that it was being accessed remotely.”
The OIG explained that they had asked CBS to review the technician's analysis of Attkisson's personal computer, in “order to determine what actions may have been taken by the forensic examiner” in February 2013. CBS News told the OIG, however, that “CBS News did not have any forensic work performed on Attkisson's personal computer.” It remains unclear if the private CBS technician simply never informed CBS News that he had briefly examined Attkisson's personal computer in addition to her CBS laptop, or if the examination took place at all.
“I'm naturally cautious about taking the claims without a specific report to review or refute,” Theobold said. “The inspector general given the lack of technical details made the only call they could make.”
Burgess added, “Not knowing what the evidence was I have no idea as to the validity of the claim of the CBS technician.”
Mare further observed that Attkisson's actions seemed out of line with what most hacking victims do.
“From my experience, typically a person who suspects their device(s) have been compromised, will immediately stop using the device for fear that continued usage will enable the intruder to extract more information,” he stated. “It is not typical for the victim to continue enabling a hacker. From my understanding she continued to use her laptop after the fact.”
He added: “The analogy I would make here is; if your house is broken into do you continue to keep the door unlocked? Would you call a security guard to secure the property, take fingerprints and document the incident or would you call law enforcement or a private detective to secure your residence and professionally collect fingerprints and evidence?”
Attkisson is currently suing the government for alleged “unauthorized and illegal surveillance of the Plaintiff's laptop computers and telephones from 2011-2013.”