// investigation guide

election integrity investigation — methodology

election integrity work is not a partisan scoreboard and it is not a viral-post debunk thread. it is chain of custody for ballot images, authentication analysis on election-night email, metadata drift on precinct scans, and documented handoff to the county elections office or state certifying authority that actually runs the contest. your job is to preserve originals, hash every file before analysis, surface technical indicators, and package findings without claiming an outcome the tools cannot prove. defer to election officials for official results and public guidance.

chain of custody — before any step of the path

ballot images, .eml files, and scanner exports are evidence objects. treat them like exhibit bags: write down who collected what, from which system, at what UTC time, and on what workstation. hash sha-256 before opening files in any tool. do not re-save ballot PNGs through chat apps, social platforms, or screenshot tools — recompression destroys the metadata chain election officials need. if the county already has a canonical copy in the ballot-image repository, request that version through official channels rather than analyzing a reposted JPEG from social media alone.

  1. record case number, jurisdiction, and which election official authorized the review — these tools analyze files; they do not replace statutory recount or audit procedures.
  2. preserve original .eml for spoof mail — never forward as inline text; forwarding strips authentication headers.
  3. hash and copy ballot images read-only; note scanner workstation, export path, and whether the file came from the tabulation room, a public records request, or a social repost.
  4. document every tool pass on a copy — not the sole vault original if one exists.
  5. do not publish interim findings as official results — route technical output to county elections, the secretary of state elections division, or designated counsel first.
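a minimal manifest-and-verify script for the hashing and read-only copy steps above, added here as an example and not part of the guide's browser toolset. it assumes a local vault directory; the filename and case number reuse the fixture's values, while the examiner id and source-system label are constructed placeholders. copy2 keeps the source mtime intact (point 6 of the first-10-minutes list), the copy is made read-only, and re-hashing later shows exactly when a working copy was altered:

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20


def sha256_file(path):
    """stream the file so a large ballot-image export is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def preserve_copy(src, vault_dir):
    """copy2 keeps the source mtime; the copy is then made read-only so tool passes cannot overwrite it."""
    dst = os.path.join(vault_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return dst


def manifest_entry(path, collector, source_system, case_number):
    """one evidence record: hash, size, observed mtime and collection time, both in UTC."""
    st = os.stat(path)
    return {
        "case": case_number,
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source_system": source_system,
    }


def write_manifest(entries, out_path):
    with open(out_path, "w") as f:
        json.dump(entries, f, indent=2)


def verify_manifest(entries, directory):
    """re-hash every listed file; returns [(file, 'ok' | 'MISMATCH' | 'missing')]."""
    results = []
    for e in entries:
        p = os.path.join(directory, e["file"])
        if not os.path.exists(p):
            results.append((e["file"], "missing"))
        else:
            results.append((e["file"], "ok" if sha256_file(p) == e["sha256"] else "MISMATCH"))
    return results


def demo():
    """constructed run: a placeholder precinct export is vaulted and verified, then an in-place re-save fails verification."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "20241105_precinct14_ballot.jpg")
    with open(src, "wb") as f:
        f.write(b"\xff\xd8\xff\xd9 constructed placeholder, not a real ballot scan")
    vault = os.path.join(work, "vault")
    os.makedirs(vault)
    copy = preserve_copy(src, vault)
    entries = [manifest_entry(copy, "examiner-01 (hypothetical)",
                              "scanner workstation (constructed)", "GCE-EI-2026-1103")]
    write_manifest(entries, os.path.join(vault, "manifest.json"))
    before = verify_manifest(entries, vault)
    # simulate the mistake the guide warns about: a tool re-saving the vault file in place
    os.chmod(copy, stat.S_IWUSR | stat.S_IRUSR)
    with open(copy, "ab") as f:
        f.write(b"\x00")
    after = verify_manifest(entries, vault)
    return before, after


if __name__ == "__main__":
    print(demo())
```

run the manifest step before the first tool pass and again before handoff; the two manifests, plus the collection fields, are what the county or counsel will ask for.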

what evidence exists and how fast it dies

artifact | volatility | time to loss
original .eml / .msg (election-night spoof) | persistent if saved | destroyed if users delete or auto-purge runs · headers lost on forward
official county elections thread (.eml) | persistent if exported | mail retention varies · grab from journaling gateway early
disputed press release / notice (plain text) | mixed | social edits and reposts overwrite source · save first-seen copy
ballot scan PNG / JPEG from tabulation | persistent in vault if imaged | metadata stripped on social re-export · hours if reposted without archive
tampered ballot composite (copy-move target) | persistent on disk | lost if analyst re-encodes without preserving original bytes
precinct scan JPEG (EXIF vs filename vs mtime) | persistent until re-save | filesystem mtime changes on copy · EXIF survives until recompression
stripped social export vs vault original | genealogy gap | generation chunks removed at upload — compare branches early
tabulation audit log / cast vote record export | persistent in elections system | access controlled by county — request through official process

the first 10 minutes

  1. notify the county elections director or designated security contact — do not circulate disputed ballot images publicly before official review.
  2. pull reported spoof mail as original .eml from the recipient mailbox or mail gateway quarantine.
  3. export the matching official thread from grantcounty.gov or your jurisdiction's real domain for side-by-side comparison.
  4. hash sha-256 every disputed image and text file; record UTC collection time and collector identity.
  5. request the canonical ballot-image copy from the elections office if the dispute started on social media.
  6. preserve filesystem metadata on precinct JPEGs — copy with timestamps intact or note mtime in the log.
  7. save the first-seen disinfo press release or notice as plain text — not a screenshot of a screenshot.
  8. do not re-encode ballot images for “clarity” — recompression destroys ELA and metadata signals.
  9. open an internal ticket referencing the election event date and precinct — not candidate names in the subject line if your policy restricts that.
  10. begin the path below on forensic copies, not the sole vault original.

the path

the grant fixture orders evidence the way real election-dispute triage often arrives: spoof mail first, then disinfo text, then ballot imagery and metadata drift. steps 1–2 are mail authentication; step 3 is text provenance; steps 4–7 are image and metadata chain; step 8 packages findings for election officials.

  1. email spoofing and SPF/DKIM/DMARC header validator

    02-spoofed-election-night-email.eml. surfaces authentication failures on elections-grantcounty.org lookalike mail — DMARC fail, envelope/from mismatches, and header gaps election officials need before they warn the public.

    why first: election-night spoof mail spreads faster than ballot forensics. validate headers on the original .eml before anyone forwards a screenshot that strips authentication context.

  2. email impersonation pattern detector

    spoofed 02-spoofed-election-night-email.eml against legitimate 03-legitimate-elections-thread.eml from grantcounty.gov. flags display-name impersonation, domain lookalikes, and reply-to hijacks targeting elections staff.

    why second: a single failed SPF is not the story — compare the spoof thread to the official county thread so counsel can show what voters and staff were meant to believe.

  3. AI-generated text provenance analyzer

    04-ai-disinfo-press-release.txt. surfaces LLM-style structure, transition density, and provenance tells in fabricated election notices — the grant fixture includes a synthetic disinfo press release seeded for this pass.

    why third: forged text spreads on social before images do. text provenance gives election officials a documented baseline before they issue a correction.

  4. copy-move detector

    05-tampered-ballot-composite.png. block-matching scan for cloned ballot regions — the grant fixture includes a composite where ballot marks were duplicated between races.

    why fourth: ballot-image disputes hinge on whether marks were physically duplicated in-camera or pasted digitally. copy-move runs before metadata genealogy so you know where to look.

  5. jpeg metadata analyzer

    20241105_precinct14_ballot.jpg. compares EXIF timestamps, filename date tokens, and filesystem mtime — the grant fixture includes drift between precinct 14 naming and embedded capture metadata.

    why fifth: chain-of-custody questions often start with “when was this scan taken?” comparing JPEG internal metadata against external labels is the first objective check.

  6. image metadata forensics

    ballot PNG set — 06-synthetic-ballot-image.png, 07-authentic-ballot-scan.png (A1111 parameters tEXt), 08-stripped-ballot-social.png. cross-file chunk inventory, generation parameters, and strip-and-repost gaps.

    why sixth: a ballot image posted to social is rarely the scan-room original. image metadata forensics ties the circulating file back to scanner export or generator parameters.

  7. document metadata genealogy tracer

    07-authentic-ballot-scan.png vs 08-stripped-ballot-social.png plus related exports. links author/creator edges, template clusters, and metadata removal between the vault copy and the public post.

    why seventh: election contests need a file family tree — which export came from which workstation, and what was stripped before upload.

  8. case report generator

    structured findings, examiner notes, dates, and hashed evidence files. assembles tool outputs into a local PDF report suitable for county elections, secretary of state intake, or outside counsel.

    why last: election officials and courts need one chain-of-custody package — not eight separate browser exports.
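the checks behind steps 1 and 2 (header verdicts, envelope/from mismatch, reply-to hijack, display-name reuse, lookalike domains), as an added example rather than the guide's own tool. the two .eml strings are constructed stand-ins for the 02-* spoof and 03-* official thread: elections-grantcounty.org is the page's lookalike, mail-relay.example and grantcounty-results.example are made-up relay and reply-to domains, and the Authentication-Results header is taken as written by the receiving gateway. the lookalike rule (official first label reused, or edit distance of two or less) is a heuristic chosen for this example:

```python
import email
import re
from email import policy
from email.utils import parseaddr

# constructed fixtures: stand-ins for the 02-* spoof and 03-* official thread, not the page's files.
SPOOF_EML = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.constructed.example;
 spf=fail smtp.mailfrom=mail-relay.example;
 dkim=none;
 dmarc=fail header.from=elections-grantcounty.org
From: "Grant County Elections" <elections@elections-grantcounty.org>
Reply-To: results@grantcounty-results.example
To: staff@grantcounty.gov
Subject: election night results hold
Date: Tue, 05 Nov 2024 22:14:00 -0600

constructed body
"""

OFFICIAL_EML = """\
Return-Path: <elections@grantcounty.gov>
Authentication-Results: mx.constructed.example;
 spf=pass smtp.mailfrom=grantcounty.gov;
 dkim=pass header.d=grantcounty.gov;
 dmarc=pass header.from=grantcounty.gov
From: "Grant County Elections" <elections@grantcounty.gov>
To: staff@grantcounty.gov
Subject: election night results update
Date: Tue, 05 Nov 2024 21:50:00 -0600

constructed body
"""


def auth_results(msg):
    """spf/dkim/dmarc verdicts from every Authentication-Results header (absent => 'missing')."""
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def domain_of(header_value):
    """registrable-looking domain of the first address in a header, '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, official):
    """a different domain that reuses the official first label or sits within two edits of it (heuristic)."""
    if not domain or domain == official:
        return False
    return official.split(".")[0] in domain or edit_distance(domain, official) <= 2


def analyze(suspect_text, official_text):
    """returns (verdicts, findings) for the suspect message judged against the official thread."""
    suspect = email.message_from_string(suspect_text, policy=policy.default)
    official = email.message_from_string(official_text, policy=policy.default)
    verdicts = auth_results(suspect)
    findings = [f"{m}={r}" for m, r in verdicts.items() if r != "pass"]
    from_dom = domain_of(suspect["From"])
    env_dom = domain_of(suspect["Return-Path"])
    reply_dom = domain_of(suspect["Reply-To"])
    official_dom = domain_of(official["From"])
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope/from mismatch: {env_dom} vs {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to hijack: replies go to {reply_dom}")
    name = parseaddr(str(suspect["From"]))[0]
    if name and name == parseaddr(str(official["From"]))[0] and from_dom != official_dom:
        findings.append(f"display-name impersonation: '{name}' sent from {from_dom}")
    for dom in sorted({from_dom, env_dom, reply_dom} - {""}):
        if is_lookalike(dom, official_dom):
            findings.append(f"lookalike domain: {dom}")
    return verdicts, findings


if __name__ == "__main__":
    print(analyze(SPOOF_EML, OFFICIAL_EML))
```

the Authentication-Results header is only meaningful when it was written by your own gateway; a forwarded copy carries whatever the forwarder's relay stamped, which is why step 1 insists on the original .eml.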
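the block-matching idea behind step 4, written out as an added example (not the guide's detector). the raster is constructed in code: noisy light paper, one textured dark mark, and a digital paste of that mark at a fixed offset. exact matching is used so the mechanism is visible; it also shows why the guide forbids re-encoding, since one lossy save changes pixel values and these exact collisions disappear (production detectors use DCT or feature descriptors for that reason):

```python
import random
from collections import defaultdict


def make_fixture(size=32, seed=7, paste=True):
    """constructed raster: light noisy paper, one textured dark mark, and (optionally) a digital paste of it."""
    rng = random.Random(seed)
    img = [[rng.randint(200, 255) for _ in range(size)] for _ in range(size)]
    for r in range(4, 12):
        for c in range(4, 12):
            img[r][c] = (r * 7 + c * 13) % 90  # textured, so no 4x4 block inside it is uniform
    if paste:
        for r in range(8):
            for c in range(8):
                img[20 + r][18 + c] = img[4 + r][4 + c]  # the clone, offset (+16 rows, +14 cols)
    return img


def detect_copy_move(img, block=4, min_shift=4):
    """exact block matching: each block's pixels become a dictionary key, so identical blocks
    at different positions collide; every colliding pair votes for its offset vector."""
    h, w = len(img), len(img[0])
    seen = defaultdict(list)
    for r in range(h - block + 1):
        for c in range(w - block + 1):
            cells = tuple(img[r + i][c + j] for i in range(block) for j in range(block))
            if len(set(cells)) == 1:
                continue  # flat paper matches itself everywhere; not evidence
            seen[cells].append((r, c))
    votes = defaultdict(int)
    for positions in seen.values():
        for a in range(len(positions)):
            for b in range(a + 1, len(positions)):
                (r1, c1), (r2, c2) = positions[a], positions[b]
                dr, dc = r2 - r1, c2 - c1
                if max(abs(dr), abs(dc)) >= min_shift:  # ignore near-neighbour texture repeats
                    votes[(dr, dc)] += 1
    return dict(votes)


def dominant_shift(votes, min_votes=8):
    """a pasted region yields many blocks agreeing on one offset; scattered single votes are noise."""
    if not votes:
        return None
    shift, n = max(votes.items(), key=lambda kv: kv[1])
    return (shift, n) if n >= min_votes else None


if __name__ == "__main__":
    print(dominant_shift(detect_copy_move(make_fixture())))
```

a dominant offset is where an examiner looks, not a conclusion: fold marks, scanner banding and identical pre-printed ovals also repeat, which is the false lead the guide lists below.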
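step 5's three-clock comparison as an added example, not the guide's analyzer. it builds a tiny JPEG carrying only an Exif APP1 segment with DateTimeOriginal (constructed bytes, not the fixture file), parses that tag back out by walking IFD0 to the Exif IFD, and then compares the filename date token, the EXIF capture time and the filesystem mtime. the filename reuses the fixture's 20241105_precinct14_ballot.jpg; the capture times and mtime are constructed. EXIF DateTimeOriginal carries no zone, so the scanner-room zone is an explicit assumption (capture_tz):

```python
import re
import struct
from datetime import date, datetime, timedelta, timezone


def build_exif_jpeg(dt_original):
    """constructed minimal JPEG: SOI, one APP1/Exif segment (IFD0 -> Exif IFD -> 0x9003), EOI."""
    s = dt_original.encode("ascii") + b"\0"  # 20 bytes, EXIF ASCII form
    tiff = b"II*\0" + struct.pack("<I", 8)  # little-endian TIFF header, IFD0 at 8
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", 0x8769, 4, 1, 26) + struct.pack("<I", 0)
    exif = struct.pack("<H", 1) + struct.pack("<HHII", 0x9003, 2, len(s), 44) + struct.pack("<I", 0)
    payload = b"Exif\0\0" + tiff + ifd0 + exif + s
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _ifd_entries(t, end, off):
    n = struct.unpack(end + "H", t[off:off + 2])[0]
    for i in range(n):
        e = off + 2 + 12 * i
        yield struct.unpack(end + "HHII", t[e:e + 12])  # tag, type, count, value/offset


def exif_datetime_original(data):
    """walk JPEG segments to APP1/Exif, then IFD0 -> Exif IFD -> tag 0x9003; None if absent."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more headers
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            t = seg[6:]
            end = "<" if t[:2] == b"II" else ">"
            ifd0 = struct.unpack(end + "I", t[4:8])[0]
            for tag, _, _, val in _ifd_entries(t, end, ifd0):
                if tag == 0x8769:  # Exif IFD pointer
                    for tag2, typ, cnt, val2 in _ifd_entries(t, end, val):
                        if tag2 == 0x9003 and typ == 2:
                            return t[val2:val2 + cnt].rstrip(b"\0").decode("ascii")
        pos += 2 + seg_len
    return None


def check_drift(filename, jpeg_bytes, mtime_epoch, capture_tz=timezone.utc):
    """compare filename date token, EXIF DateTimeOriginal and filesystem mtime; returns a record with findings."""
    exif_raw = exif_datetime_original(jpeg_bytes)
    m = re.search(r"(20\d{2})(\d{2})(\d{2})", filename)
    name_date = date(int(m[1]), int(m[2]), int(m[3])) if m else None
    exif_dt = (datetime.strptime(exif_raw, "%Y:%m:%d %H:%M:%S").replace(tzinfo=capture_tz)
               if exif_raw else None)
    mtime = datetime.fromtimestamp(mtime_epoch, timezone.utc)
    findings = []
    if exif_dt is None:
        findings.append("no EXIF DateTimeOriginal: capture time not verifiable from the file")
    if name_date and exif_dt and exif_dt.date() != name_date:
        findings.append(f"filename date {name_date} != EXIF capture date {exif_dt.date()}")
    if exif_dt and mtime < exif_dt - timedelta(minutes=5):
        findings.append("mtime precedes EXIF capture time: clock problem or re-labelled file")
    # an mtime later than capture is normal after a copy and is recorded, not flagged
    return {"filename_date": name_date, "exif": exif_raw, "mtime_utc": mtime.isoformat(), "findings": findings}


def demo():
    """constructed pair: one consistent scan, one whose EXIF capture postdates its filename and mtime."""
    name = "20241105_precinct14_ballot.jpg"
    consistent = build_exif_jpeg("2024:11:05 14:22:31")
    drifted = build_exif_jpeg("2024:11:07 09:12:44")
    mtime = datetime(2024, 11, 5, 21, 0, tzinfo=timezone.utc).timestamp()
    return check_drift(name, consistent, mtime), check_drift(name, drifted, mtime)


if __name__ == "__main__":
    print(demo())
```

on a real export, read mtime from os.stat on the preserved copy, never from a re-saved working file, or the third clock is already gone.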
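the chunk inventory and branch comparison behind steps 6 and 7, as one added example that is not the guide's tool. it builds two constructed 1x1 PNGs in code: a "vault" branch carrying a Software tEXt chunk and a parameters tEXt chunk (the keyword A1111-style generators write, as the page notes for its 07-* fixture), and a "social" branch with every ancillary chunk stripped. the parser checks each chunk's CRC, the diff reports what disappeared between branches, and a flipped byte shows how a damaged or edited chunk is caught:

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(text_chunks):
    """constructed 1x1 grayscale PNG; text_chunks is a list of (keyword, value) tEXt pairs."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    out = PNG_SIG + make_chunk(b"IHDR", ihdr)
    for key, val in text_chunks:
        out += make_chunk(b"tEXt", key.encode("latin-1") + b"\0" + val.encode("latin-1"))
    out += make_chunk(b"IDAT", zlib.compress(b"\x00\xff")) + make_chunk(b"IEND", b"")
    return out


def png_chunks(data):
    """inventory every chunk as {type, length, crc_ok[, keyword, text]} in file order."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        entry = {"type": ctype.decode("latin-1"), "length": length,
                 "crc_ok": (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored}
        if ctype == b"tEXt":
            key, _, val = body.partition(b"\0")
            entry["keyword"], entry["text"] = key.decode("latin-1"), val.decode("latin-1")
        chunks.append(entry)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def crc_failures(data):
    """chunk types whose stored CRC does not match their bytes: truncation, bit-flip or a bad edit."""
    return [c["type"] for c in png_chunks(data) if not c["crc_ok"]]


def generation_parameters(chunks):
    """A1111-style generators write a tEXt chunk keyed 'parameters'; None if absent."""
    for c in chunks:
        if c["type"] == "tEXt" and c.get("keyword") == "parameters":
            return c["text"]
    return None


def genealogy_gap(vault_png, social_png):
    """(removed, added): (type, keyword) pairs present in one branch but not the other."""
    def keys(chunks):
        return {(c["type"], c.get("keyword", "")) for c in chunks}
    v, s = keys(png_chunks(vault_png)), keys(png_chunks(social_png))
    return sorted(v - s), sorted(s - v)


# constructed branches: the vault export keeps its text chunks, the social repost lost them
VAULT_PNG = make_png([("Software", "constructed scanner export"),
                      ("parameters", "constructed prompt, Steps: 20, Sampler: Euler a, Seed: 1")])
SOCIAL_PNG = make_png([])


def demo():
    damaged = bytearray(VAULT_PNG)
    damaged[41] ^= 0x01  # first byte of the Software tEXt body (8 sig + 25 IHDR + 8 header)
    return (genealogy_gap(VAULT_PNG, SOCIAL_PNG),
            generation_parameters(png_chunks(VAULT_PNG)),
            generation_parameters(png_chunks(SOCIAL_PNG)),
            crc_failures(bytes(damaged)))


if __name__ == "__main__":
    print(demo())
```

an empty "removed" list between two branches does not make them the same file; pair the chunk diff with the sha-256 manifest, since IDAT bytes change on any re-encode even when the chunk types line up.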

common false leads

  • one suspicious email proves the election was stolen — spoof mail proves authentication failed on that message, not the certified outcome. election officials reconcile with tabulation records.
  • AI-style text equals foreign influence — LLM tells are heuristic. provenance supports investigation; it does not replace attribution or intelligence analysis.
  • copy-move hit equals ballot fraud — copy-move flags duplicated regions for expert review. scanner artifacts and fold marks can mimic clones; pair with chain of custody.
  • missing EXIF means tampering — social platforms strip metadata by default. compare against the vault original, not a Facebook re-export alone.
  • JPEG filename date matches EXIF so the file is authentic — filename tokens and mtime can disagree with embedded capture time; that drift is exactly what step 5 checks.
  • viral post timestamp equals scan time — post time is platform metadata, not ballot-room metadata.
  • browser tools replace a statutory recount — they surface technical indicators for officials and counsel; they do not certify winners or losers.

what we can tell you, what we can't

we can tell you:

  • SPF / DKIM / DMARC header results on preserved .eml files
  • display-name and domain lookalike patterns vs an official county thread
  • LLM-style text structure hints on disputed notices and press releases
  • copy-move regions on ballot image composites (heuristic, not legal proof alone)
  • JPEG EXIF vs filename vs mtime inconsistencies on precinct scans
  • PNG chunk and generation-parameter inventory across ballot image branches
  • metadata genealogy edges between vault export and stripped social repost
  • hashed evidence manifest assembled into a structured local PDF report

we can't:

  • tell you who won or lost an election — certified results come from election officials
  • prove foreign government attribution from text or image heuristics alone
  • replace a statutory recount, risk-limiting audit, or hand count
  • access tabulation systems or voter rolls without official authorization
  • recover metadata after destructive re-export if no vault original exists
  • guarantee copy-move findings in court without expert review and chain of custody
  • issue public corrections — that is the elections office's role

handing it off

  • county elections office / county clerk: sha-256 manifest, original .eml set, ballot image copies with collection notes, tool output PDF — request through official intake, not social media.
  • secretary of state elections division: cross-jurisdiction spoof domains, disinfo text samples, timeline of first-seen artifacts — many states operate election security hotlines.
  • state or local law enforcement (when authorized): preserved headers, domain list, hashed images — only when the elections office or counsel directs criminal referral.
  • CISA / MS-ISAC (government partners): election infrastructure spoofing and disinfo campaigns affecting multiple jurisdictions — coordinate through official government channels.
  • outside counsel: chain-of-custody memo, tool limitations spelled out, exhibit list ready for contest or public-records proceedings.
  • qualified document examiner: if copy-move or metadata findings will be cited in court — browser heuristics support triage; testimony may require certified examiners.

further reading

reference investigation

synthetic fixture grant-election-integrity — Grant County Elections case GCE-EI-2026-1103: elections-grantcounty.org spoof email · AI disinfo press release · copy-move ballot composite · synthetic ballot PNG · JPEG metadata drift on precinct 14 scan. fully synthetic · no real jurisdiction implied. seed grant-election-integrity:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/grant-election-integrity · case playbook: case type tools
