Reading, re-reading, and re-reading again is sometimes required to make finds. In re-reading the Shawn Henry (Crowdstrike) transcript, I had a couple of interesting finds.
As we’ve pointed out before, with Crowdstrike coming on scene in early May, five weeks is a long time for a remediation event to take when Alperovitch has said in public reporting that they had discovered Russians active in the network immediately.
But once the remediation event came, it would be unfathomable not to image the servers. This is especially true as Mr. Henry describes over 100 contacts between Crowdstrike and the FBI, with them asking for computer images:
Crowdstrike summarizes this page of testimony in their blog by stating:
The most natural reading is that Crowdstrike was providing digital images in the summer and maybe handling some follow up questions until December.
But…
As we have also pointed out before, in Exhibit 147 of the Sussmann trial, the FBI was asking for those system images and all manner of data, and even for unredacted copies of Crowdstrike’s reports, as late as September 30, 2016:
Based on the reading of Exhibit 151 below, the imaging hadn’t even been done by October 13, 2016. Picture this. The Clinton campaign blasts out a massive campaign blaming Russia for the hack on June 14th. Guccifer 2.0 posts his first blog the next day. Steele is running around with his dossier. Crossfire Hurricane was opened, and investigations into Trump campaign associates were at full steam. They had tried to obtain a FISA warrant on Carter Page already and were days away from obtaining their first against him. And they still hadn’t gotten a single shred of data to analyze the hack with, despite attributing the hack to Russia on October 7th.
…and those hundreds of contacts Shawn Henry noted? Why does Sussmann have to offer to put the FBI in touch with Crowdstrike in the middle of October?
These are not actions that are consistent with thinking Russia had hacked a major political party and mounted a massive influence campaign. When did they even get the server images and data they were asking for?
Thank you.