Wow, I've been away from this board for too long. So refreshing to say things and actually have people give thoughtful responses. Have been getting used to getting flamed on social media.

You seem to think the PHP code was the only thing used, and to conclude the hackers were unsophisticated; what is your basis for that belief?
Sorry, definitely didn't mean to imply that, and even if the code is PHP, that in no way intrinsically implies it is not sophisticated. I'm very language-agnostic myself; you can write good or bad code in any language... though for low-level stuff, you certainly can get to it easier in C or C++, which have long been my languages of choice. The reason I conclude that the hacks were unsophisticated is mainly from public statements and reports which indicate that simple tools were used that are easily obtained and require little experience to use.
It would confirm the content of any logs as far as the from where and when. Also as I said the logs weren't necessarily compromised.
But what would you expect to find in said logs? IP addresses? I've already looked at what they put forward for such evidence, and it looks very contrived. Unless the ISPs were actively sucking up a lot of data on all these IPs you'd still have no idea about what data was going back and forth or who was behind those IPs. ISPs don't log that level of detail on a large scale. It would be outrageously expensive.
Please feel free to quote the report, I didn't notice anything in the report that said or implied what you did.
Which report, the blog post by Counterstrike or the Grizzly Steppe report? My citation was cut and pasted from the blog post.
Because sometimes the hackers have to bring out the more sophisticated tools and leave traces. They do as much as they can with the tools that aren't specific to themselves, but usually that isn't sufficient to compromise the target to the degree required. Also hackers are often careless and leave other traces - such as the times that things are carried out and not carried out. It is also often the case that hackers have hubris and will leave signatures that they figure the investigators will be too dumb to figure out.
Sure, I understand that. But also, it would be easy to use these same tools to generate false signatures, just like the CIA has been doing as documented in the recent "Vault 7" WikiLeaks stuff.
There are also nondeliberate signatures such as the order in which commands are carried out, what directories are explored first, etc. Decisions that don't matter, but there is no reason for any two hackers to choose the same order - but the same hacker will tend to stick to whatever order they happen to choose.
Again, all stuff that could easily be replicated using automation tools. I don't see what this proves.
The logs would provide a signature of what was being done, that a forensic investigator would be able to determine. That is one of the points of logs...
Logs don't necessarily provide a lot of info unless you've gone to painstaking effort to audit the slightest details on your system. Based on what I've seen, I don't think the IT folks in charge of this stuff put that much work or effort into security. I don't think they have a lot to go on there. Certainly in the case of Hillary's private server, the contractors were so inept that they had to go on Reddit asking how to do stuff. Not as much is known about the setup at the DNC, but considering how easy it was to get in... I'm assuming it was not better.
It is also consistent with exfiltration designed to limit risk of detection.
That doesn't make any sense. They knew or should have known that there was not much in the way of security in place.
They knew or should have known nothing of the sort. There is different security at different layers. Abnormal traffic is often an ISP level feature, whereas the type of security they compromised is a hosted system.
No, I'm gonna have to disagree. Abnormal traffic, at least in the small amounts it would represent to transfer a relatively small compressed email archive, is NOT anything that a normal ISP feature would flag or stop. The signal-to-noise ratio on something that inconsequential would not be worth dealing with. Yes, there could be machine learning algorithms that might flag stuff that isn't normal for a specific connection, but even that stuff makes way more noise than they want to deal with.