Related topics

FBI reviewed cybersecurity firm’s evidence in 2016 DNC election hack

September 26, 2019 GMT

CLAIM: The FBI only relied on the word of a cybersecurity firm, CrowdStrike, to determine that Russia hacked the emails of the Democratic National Committee.

AP’S ASSESSMENT: False. CrowdStrike provided forensic evidence and analysis for the FBI to review during its investigation into a 2016 hack of DNC emails.

THE FACTS: Social media posts are wrongly claiming that the FBI failed to review evidence in the hack of the DNC’s computer network before concluding that Russia was responsible for the breach.

The claims circulated widely on Twitter and Facebook after the White House released a rough transcript of a July phone call President Donald Trump had with Ukrainian President Volodymyr Zelenskiy in which he asked Zelenskiy to investigate CrowdStrike.


CrowdStrike is the private U.S.-cybersecurity firm that first helped the DNC identify the malware on its system in 2016 and later traced it back to Russia. The company has identified hacks for major clients that also include the National Republican Congressional Committee and U.S. government.

The FBI never took physical hold of the DNC’s computer system. Instead, it reviewed a wide range of computer forensic evidence provided by CrowdStrike, which is common practice in such investigations.

“With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI,” the firm said in an emailed statement to The Associated Press. “As we’ve stated before, we stand by our findings and conclusions that have been fully supported by the US intelligence community.”

Former FBI Director James Comey also told Congress in 2017 that CrowdStrike “ultimately shared with us their forensics from their review of the system.”

That’s not unusual, said Eugene H. Spafford, a professor of computer science at the Center for Education and Research in Information Security at Purdue University.

Such reviews are a comprehensive copy of what is on the machine at the time and include a replica of saved messages, network connections and active accounts.

“Just making a verified, hardware-level copy of all the bits, all the data that’s stored on the system is sufficient for almost all investigations that would have to be conducted,” said Spafford, who has assisted the FBI in cases.

It’s “generally unnecessary” for law enforcement to physically confiscate a computer during an investigation, especially ones involving a business or organization because they need the computer systems to keep operations going, Spafford added.


He described CrowdStrike as a “well-respected” cybersecurity firm that would have properly recorded evidence in the case so that it could be used in an investigation, as the one conducted by the FBI.


This article is part of The Associated Press’s data verification effort to combat misinformation that is shared online, and includes a collaboration with Facebook to identify and reduce the circulation of fake news circulating in this social network.

Here you will find more information about the Facebook data verification program: