Intentional Overwriting of EMS Security Logs via Script Executed 38,478 Times (AZ)

Windows security event logs on the Maricopa County Tabulation and Election Center (MCTEC) Election Management System server – the primary records of who accessed the system, when, and what actions were taken – were deliberately restricted to a maximum file size of 20 MB, causing automatic overwriting of older entries. This configuration alone would predictably destroy election-period records. But the Cyber Ninjas forensic audit and subsequent analysis documented that a script was executed 38,478 times in the days after the Arizona State Senate’s court-authorized subpoena was issued, forcing the logs to roll over and purging all access records covering the November 3, 2020 election period. The earliest retained log entry was February 5, 2021 – the final day of a separate pre-audit access event – meaning no records of the election itself survive. Video surveillance of the MCTEC facility identified three individuals present at the exact time the log-purging script was executing, none of whom have been publicly identified or charged. Senate President Karen Fann’s September 24, 2021 letter to Attorney General Brnovich characterized the overwriting as accomplished by “churning more than 37,000 identical queries several days after the court ordered Maricopa County to produce its election materials.” The result is that no forensic reconstruction of EMS activity during the election is possible from surviving logs.