> "We did not have concrete evidence that data was exfiltrated from the DNC"
They did not have pcaps of exfil traffic but did recover the compressed files that had been prepared for exfiltration. Without pcaps there can be no “concrete evidence” that those files were exfiltrated, but we do know that the intruders did prepare data for exfiltration and had nothing stopping them from doing so.
This is basically as good as it ever gets. How about you name examples of some better investigations?
You are playing into Crowdstrike's own Motte and Bailey argument in restricting the words "proof" and "evidence" by substituting their meaning with what amounts to a recording of the attack. That is an impossibly high threshold, but it can more easily be defended if you do. They kind of had to, considering their actual technical arguments were weak.
"We did not have a sensor in place", as said by Shawn Henry. Yes, Crowdstrike didn't have them, and said they relied on "circumstantial evidence", but it seems the DNC did have "sensors" in place, and Crowdstrike had access to them:
From the Mueller report, p. 40 [1], "On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC’s shared file server that pertained to the 2016 election. The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server (See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later received images of DNC servers and copies of relevant traffic logs)" - btw all of this info originally comes from Crowdstrike.
While not pcaps per se, most varieties of such logs would show a different profile for downloading 70Gb of "thousands of emails", zip/compressed files, etc., than the much shorter instrumentation data for their malware.
You can't have caught one but not the other, X-Tunnel + VPN or not. I mean, there are ways for that to be, but you'd have to have been inept on purpose. I have some trouble believing the DNC IT would be, considering the general environment back then.
So it follows on this point that S. Henry, when pressed for what the circumstantial evidence was for 70Gb having been exfiltrated, said "And there might not be evidence of it being exfiltrated, but they would have knowledge of what was in the email. … There would be ways to copy it. You could take screenshots.".
I mean, c'mon man... "screenshots" ??? You basically got VNC but you "screenshot" ??? Either Mr. Henry is a fool or takes his House Committee for one - which the latter may very well be.
IMHO, either of us would have to look at the source code for X-Agent (available) or the Sea Daddy implant (no idea) to see if
1. not having logs of large transfers makes sense in this context, at least in its known variant, and
2. the Crowdstrike declarations are coherent in that regard.
Until we do, we're kind of stuck on seeing who's stretching the argument between you and me.
---
On a related note, but not directly involving Crowdstrike, the Dutch cyberdefense org and the NSA seemingly did have such real-time evidence from 2015-2018.
As far as is publicly known, those particular intercepts weren't shared with the Mueller team, nor with the House Committee inquiry.
It would be interesting to know why if it was not on natsec "ways and means" grounds. If it wasn't, the FBI wouldn't have had to rely on Crowdstrike.
> games with meanings of words.
I don't believe I am.
The context I'm using in both my references above is what is understandable by the layman, not mixing technical "in-knowledge" and what said layman reading the NYT can understand:
- D.A. said to the NYT "the Russians would enter the network, “exfiltrate” documents of interest and stockpile them for intelligence purposes. Once they got into the D.N.C., they found the data valuable and decided to continue the operation". I understand "the operation" is referring to "phishing, exfiltrating, stockpiling".
- Later D.A. says to the committee "We did not have concrete evidence that data was exfiltrated from the DNC". That implies no traffic logs, at all.
But then, we're back, again, to the technical problem outlined earlier.
IMHO, a correct and honest wording to the NYT would have been "We have strong indications Russian hackers may have entered DNC servers, but nothing in the logs we do have indicates they did anything with it."
[1] https://www.justice.gov/archives/sco/file/1373816/download
[2] https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-... and https://nos.nl/nieuwsuur/artikel/2213767-dutch-intelligence-...
- I linked the New York articles interviewing Crowdstrike:
"The D.N.C. immediately hired CrowdStrike, [...] It made its first appearance in 2014, said Dmitri Alperovitch, CrowdStrike’s co-founder and chief technology officer.[...] Whenever someone clicked on a phishing message, the Russians would enter the network, “exfiltrate” documents of interest and stockpile them for intelligence purposes. Once they got into the D.N.C., they found the data valuable and decided to continue the operation,” said Mr. Alperovitch, [...]"
There are similar claims elsewhere. You can also find their management in TV interviews or being in TV expert panels.
- The Mate link is only interesting here because of the handy scans of the House Committee minutes where they answered a direct question with "We did not have concrete evidence that data was exfiltrated from the DNC". You can also go to the original source, if you want.
There are several scanned pages inlined in the middle of that article.