Wednesday, June 30, 2010

The Final Report of the Joint Forensic Team on the PCOS machines found in Antipolo

June 9, 2010

Senate President
Senate of the Philippines

Speaker of the House
House of Representatives

Re: Final Report of the Joint Forensic Team

The Hon. Senate President and Hon. Speaker of the House:

On June 7, 2010, the Joint Forensic Team submitted to the Joint Canvassing Committee its Preliminary Report covering the period of June 4-7, 2010.
The forensic analysis of the PCOS machine continued on the evening of June 7, 2010 until the following day, June 8, 2010. Thus, there were new material findings which were not included in the said Preliminary Report.
Hence, the Joint Forensic Team is submitting its Final Report to the JCC, by way of the letter-report.
The contents of the Preliminary Report, dated June 7, 2010, are deemed incorporated in this letter-report, unless otherwise specified.

Period of Forensic Analysis.
The forensic analysis was conducted from June 4-5, 2010 at the A. Padilla Hall of the Senate of the Philippines and on June 7, 2010 at the Smartmatic warehouse in Cabuyao, Laguna. The said analysis was continued on June 8, 2010 at the A. Padilla Hall of the Senate of the Philippines and terminated at 6:33PM of the same date.
Considering that the JCC was adjourned on June 8, 2010, the mandate of the Joint Forensic Team was considered terminated on the same date, too.

Extracted Hash Code Did Not Match Published Hash Code.
The hash code is an output of an algorithmic process that will verify if an electronic file is authentic or not. The hash code of an electronic file is always unique - it would change if the content of that electronic file is modified. The hash code is to an electronic file as the fingerprint or DNA is to humans.
The hash codes for the firmware [footnote 1] residing in six (6) PCOS [footnote 2] machines were extracted and found to have exactly the same SHA256 output -
4e1d 993a 8d91 2b00 b75c 0d11 d1f6 aa02
a579 e059 e308 48c0 8f0f 30da 9342 d877
However, a thorough comparison with the official document posted in the website of the COMELEC revealed that the published hash code is not the same as the extracted hash code. Belatedly, the COMELEC representative confirmed that the extracted hash code is the correct one and that the published hash code was erroneous.

Absence of Machine Digital Signatures.
Examination of the PCOS machines revealed that there was no evidence found to prove the existence of digital certificates in the PCOS machines, contrary to the claims of Smartmatic. The technicians of Smartmatic were not able to show to the forensic team the machine version of the digital signature, alleging that they do not have the necessary tool to show the same. More so, they were in a quandary as to how to extract the said machine signatures - to the dismay of the forensic team.
If there are digital certificates then these were supposed to be revealed. The forensic team tried to extract the digital signatures but to no avail. Hence, the forensic team is of the opinion that there exist no digital signatures in the PCOS machine.

PCOS Machine Can Be Controlled Through Its Console Port.
The PCOS machine contains a console port [footnote 3], which Smartmatic claimed is only a one-way output port, used for diagnostics purposes only. The forensic team, with the allowance of Smartmatic technicians, was able to connect an ordinary laptop computer to the console port of a PCOS machine, via a serial cable provided by the latter.
To the surprise of everyone, the serially connected laptop computer was able to access the operating system of the PCOS machine. Furthermore, the connection was done in an unsecure manner - meaning no username and password was required by the PCOS machine.
The Linux operating system of the PCOS machine was exposed to full access and control via the externally connected laptop computer through its "sash" interface [footnote 4]. The "sash" is a command-line interface that allows the user to interact with the PCOS machine.
One can readily issue Unix shell commands (similar to Windows C:\> prompt command line) and take control of the operations of the PCOS machine. The same access can tap the PCOS machine's on-board Random Access Memory (RAM) as a RAM Disk for data swapping and temporary data storage.
This discovery was (and still is) a major vulnerability of the PCOS machine - which could be exploited to manipulate the actual operations of the PCOS machine - and which should be an utmost concern for election critics and watchdogs.
Smartmatic cannot offer a technical explanation for this major loophole.

Hon. Anne Susano's CF Cards.
The Joint Forensic Team accommodated the request of Hon. Anne Susano (Congresswoman, Quezon City) to subject the CF cards in her possession to forensic analysis.
The forensic team copied her three (3) CF cards and analyzed their file contents. The forensic team is of the opinion that the three (3) CF cards, one (1) of which is a main CF card, are all authentic CF cards, meaning they are all originals and duly issued by Smartmatic or COMELEC.
This finding would then belie the announcement of the COMELEC NCR Director that all the CF cards within Metro Manila had all been accounted for and turned over to COMELEC.

Final Recommendations.
The Recommendations and Conclusions, as embodied in the Preliminary Report remain standing except for Item No. 1, which should now read, as follows:
"1. To allow the forensic team to further explore the console port of the PCOS machine and perform tests as to its capabilities and vulnerabilities. For example, to allow the forensic team to store an executable code in the PCOS machine's RAM disk and verify as to how the PCOS machine will behave with such a load in its RAM."
It is further recommended that the forensic analysis of the PCOS machines be allowed and expanded by the incoming 15th Congress to include those PCOS machines which are subject of electoral protests and suspected of having been used as instruments of electoral fraud.
For your consideration and approval.

Sincerely yours,

For the Joint Forensic Team

1 Software version last compiled on February 4, 2010, 08:35
2 SKU 5802102, SKU 5802105, SKU 5802195, SKU 580226, SKU 5802227, SKU 5802236
3 See Annex "I" for visual appreciation
4 See Annex "J" for sample screen shots.
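
The comparison described under "Extracted Hash Code Did Not Match Published Hash Code", as an added example that is not part of the report or of any COMELEC or Smartmatic tooling: it parses a digest printed in the report's grouped style, hashes each extracted image, and separates "all units agree but the published reference differs" from "units disagree with each other". The unit labels, firmware bytes and both reference values are constructed sample data; only `EXTRACTED_PRINTED` is copied from the report.

```python
import hashlib
import hmac
import re

# SHA-256 value exactly as printed in the report: 16 groups of 4 hex digits.
EXTRACTED_PRINTED = """4e1d 993a 8d91 2b00 b75c 0d11 d1f6 aa02
a579 e059 e308 48c0 8f0f 30da 9342 d877"""


def normalize_digest(printed: str) -> bytes:
    """Strip whitespace from a printed digest and return the 32 raw bytes."""
    hex_only = re.sub(r"\s+", "", printed).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("expected 64 hex digits for a SHA-256 digest")
    return bytes.fromhex(hex_only)


def group4(digest: bytes) -> str:
    """Format a digest in the report's grouped style."""
    h = digest.hex()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def audit(images: dict, published: str) -> dict:
    """Hash each extracted image; compare with the reference and with each other."""
    reference = normalize_digest(published)
    digests = {unit: hashlib.sha256(img).digest() for unit, img in images.items()}
    mismatched = sorted(u for u, d in digests.items()
                        if not hmac.compare_digest(d, reference))
    if not mismatched:
        verdict = "match"
    elif len(set(digests.values())) == 1:
        verdict = "units agree, published reference differs"
    else:
        verdict = "units disagree"
    return {"verdict": verdict, "mismatched": mismatched,
            "digests": {u: group4(d) for u, d in digests.items()}}


# Constructed sample data: six units carrying the same stand-in firmware bytes.
FIRMWARE = b"constructed stand-in firmware image"
UNITS = {f"unit-{n}": FIRMWARE for n in range(1, 7)}
GOOD_REF = group4(hashlib.sha256(FIRMWARE).digest())
# A reference with one wrong digit, standing in for an erroneous publication.
BAD_REF = ("0" if GOOD_REF[0] != "0" else "1") + GOOD_REF[1:]

if __name__ == "__main__":
    print(audit(UNITS, GOOD_REF)["verdict"])
    print(audit(UNITS, BAD_REF)["verdict"])
    print(audit({**UNITS, "unit-3": FIRMWARE + b"\x00"}, GOOD_REF))
```

A "units agree, published reference differs" verdict does not say which side is wrong; in the report that question was settled only by the COMELEC representative's later confirmation.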

Annex "I"


(Encoding by Jerry Ocampo)

Scanned copy of the Final Joint Forensic Team Report available at:

Office of Sen. Jamby Madrigal (copy of final forensic report)

Jerry Ocampo (encoding of the forensic report)

MIGHT E2010/Maite Quesada (procuring the report copy)

Photo Credits:

Maite Quesada
