Established Fact
The EMS server’s Windows Security Event Log was configured with a maximum retention size of 20 MB and set to automatically overwrite older entries when full. As a consequence, the earliest log entry preserved at the time of forensic audit was dated February 5, 2021 – not November 3, 2020. Every access event, authentication attempt, administrative action, and network connection that occurred during the preparation and conduct of the 2020 general election had been automatically overwritten before auditors arrived. This configuration did not result from storage constraints: the EMS server had over 2 terabytes of free storage. The practical effect was that it is impossible to determine who accessed the EMS, from what IP address, on what dates, or what actions they took during the election cycle.
Citations
Arizona State Senate Hearing on the 2020 Election Audit: https://www.rev.com/transcripts/arizona-state-senate-hearing-on-the-2020-election-audit-in-maricopa-county-july-15 | Rev Transcript
Maricopa County Forensic Audit Volume III: Results Details: https://c692f527-da75-4c86-b5d1-8b3d5d4d5b43.filesusr.com/ugd/2f3470_d36cb5eaca56435d84171b4fe7ee6919.pdf | Cyber Ninjas Audit Report