What do official forensic reports say about how the Mesa County election system files were copied and transferred?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
Officially circulated forensic reports of the Mesa County Election Management System assert that local election-system files were copied off the county’s Dominion EMS server by the county clerk before a vendor “trusted build” update, that those copied images show large numbers of missing or purged log and adjudication records after the vendor update, and that those differences make portions of the digital ballot record unverifiable without paper-ballot comparison [1] [2] [3]. Independent elections and cybersecurity experts, and state election authorities, counter that the publicly released reports and images do not prove votes were altered and that some findings reflect routine Windows behavior or incomplete chain-of-custody, not proven malicious file transfers [4] [5].
1. The forensic reports’ core claim: pre‑ and post‑update disk images show missing databases and logs
Authors of the Mesa County forensic analyses say they examined a disk image taken from the Dominion EMS server and compared it to an image made after Dominion applied a “Trusted Build” update; their technical narrative is that adjudication database records and many system logs present before the update were absent afterward, leaving 25,913 ballots processed before a particular timestamp without confirming companion files and rendering those digital images unverifiable without comparing paper ballots [1] [2].
2. How the copies were obtained and shared, per the reports and contemporaneous reporting
The timeline offered in the reports and reporting is that former Mesa County Clerk Tina Peters (or people working under her authority) copied the EMS server hard drive images prior to Dominion’s update, then provided those images to outside forensic analysts and ultimately to public venues; portions of those images and related files were later published online by third parties such as Ron Watkins and shown at events like the 2021 cyber symposium [6] [7] [3].
3. Alleged mechanism of data removal: the “Trusted Build” and deletion or overwriting of files
The forensic authors attribute the disappearance of logs and some database artifacts to actions tied to Dominion’s “Trusted Build” maintenance process and to subsequent overwrites, asserting that the vendor and the Secretary of State’s office replaced or rebuilt the EMS server in a way that eliminated certain forensic traces and Windows event logs that their analysts expected to find [1] [8]. Some reports assert files required under federal/state retention standards were destroyed or became unrecoverable after those updates [1] [3].
4. Technical specifics disputed by state and outside experts
State and many cybersecurity professionals dispute that the presence or absence of the particular files shown by the Mesa reports proves tampering with votes; they point to benign explanations such as normal Windows event-log rotation or maintenance settings, and emphasize that the forensic work was performed on images produced and provided outside formal chain‑of‑custody controls, which complicates attribution and legal conclusions [4] [5]. Colorado election officials and other experts say the analyses do not demonstrate votes were flipped and that the presence of tools like Microsoft SQL Server Management Studio alone is not proof of illicit import/export of ballots [4].
5. Chain‑of‑custody, authorization, and publication complicate the forensic narrative
Multiple sources note that the disk images used in the public forensic reports were taken by local actors without the participation or authorization of state or vendor stewards, then circulated publicly and sometimes posted on fringe platforms, a sequence that critics say weakens the evidentiary weight of claims; supporters argue that without those unauthorized copies the questions would never have been examined [6] [5]. The resulting partisan and legal battles—criminal charges against people involved in copying or distributing images and a state-ordered “trusted build”—are part of why technical findings have been litigated as much in public discourse as in technical forums [6] [5].
6. What the official forensic reports say — and what they do not prove
In sum, the Mesa County forensic reports assert that copies of the EMS hard drive were taken before a vendor update and that comparing those pre‑ and post‑update images shows missing adjudication records, purged logs, and databases not migrated into the post‑update system—facts the reports present as evidence that portions of the digital election record cannot be verified without paper ballots [1] [2]. Those reports do not, however, establish a definitive, universally accepted chain of technical causation proving that votes were maliciously flipped—an absence repeatedly emphasized by state election officials and outside cybersecurity experts who have critiqued the methods, context, and the attribution of the observed file changes [4] [5].