Can a tech-savvy person explain to me what kind of information would be stored? Couldn't plenty of votes be altered while the machines are not connected to the internet, thus making data records obsolete? Or would such changes be somehow encoded and later recorded if/when they connect to the internet?
Computers, especially servers, often record a tremendous amount of data about actions performed that can be uncovered by digital forensics experts. It's not all-encompassing and the level of detail can be turned up and down, but the controls for exactly what is recorded when and where are not fully understood by most typical administrators.
As for what they may look for, database transaction logs, firewall logs, crash dumps, snapshots, and any scripts or custom binaries would be the primary targets. This information could reveal manual data manipulation outside of coded behavior, connection origins for where data came from and was sent to, and bugs or intentional malevolent code. Deeper forensics could reveal tremendous information about administrative actions performed going right back to when the system was originally set up.
There is an adversarial relationship with complexity though. Bigger environments are more likely to hold more logging data for longer, but forensic pieces will be more spread out as single actions can touch thousands of servers. What constitutes a "server" can get fuzzy as the layers of abstraction deepen through virtualization, containerization, and orchestration. Transient data that is useful for forensics can be rapidly overwritten and fully destroyed as physical servers are given more roles and shared between customers. The haystack can become very big, very fast while the needle stays exactly the same size. At the scale of Amazon, Microsoft, and Google, cooperation with the environment's operators becomes explicitly necessary to make meaningful discoveries.
TL;DR, we can't know in advance. There could be a smoking gun, there could be nothing but scrambled data, there could be data that leads us to look elsewhere but is useless alone, and so on. It's worse than a box of chocolates, because much of what could be found inside depends upon the skill of who is looking.
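An added example, not part of the original answer: a sketch of how an examiner might triage a database audit log for the "manual data manipulation outside of coded behavior" and "connection origins" mentioned above. The pipe-delimited log format, the `app_svc` account, the addresses, the program names and the `records` table are all constructed assumptions.

```python
# Added illustration; log format, account, host and table names are constructed.
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "TRUNCATE"}

# Assumed baseline: the only path the application's code uses to write data.
EXPECTED = {"account": "app_svc", "client": "10.0.0.5", "program": "app-server"}

# Constructed sample: timestamp|db account|client address|client program|statement
SAMPLE_LOG = """\
2024-01-05T09:00:01Z|app_svc|10.0.0.5|app-server|INSERT INTO records (id, total) VALUES (12, 340)
2024-01-05T09:00:07Z|app_svc|10.0.0.5|app-server|SELECT total FROM records WHERE id = 12
2024-01-05T23:41:18Z|dbadmin|10.0.0.77|psql|UPDATE records SET total = 390 WHERE id = 12
2024-01-05T23:42:02Z|app_svc|192.168.4.20|app-server|DELETE FROM records WHERE id = 14
2024-01-06T02:10:44Z|dbadmin|10.0.0.77|psql|SELECT * FROM records
2024-01-06T02:11:00Z|dbadmin
"""

def out_of_band_writes(log_text, expected=EXPECTED):
    """Return (timestamp, verb, reasons) for each write not made via the baseline path."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            # A truncated record is itself worth an examiner's attention.
            findings.append((fields[0], "?", ["malformed line"]))
            continue
        rec = dict(zip(("ts", "account", "client", "program", "statement"), fields))
        words = rec["statement"].split(None, 1)
        verb = words[0].upper() if words else ""
        if verb not in WRITE_VERBS:
            continue  # reads do not change stored data
        reasons = [f"{k}={rec[k]}" for k in expected if rec[k] != expected[k]]
        if reasons:
            findings.append((rec["ts"], verb, reasons))
    return findings

if __name__ == "__main__":
    for ts, verb, reasons in out_of_band_writes(SAMPLE_LOG):
        print(ts, verb, ", ".join(reasons))
```

A check like this can only surface what the configured logging level actually captured and retained.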