Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 118 of 425

338. The logs also showed that the logins on 11 June 2018 using the LA. account to Citrix Server 1 came from a workstation bearing the hostname of VM 2. This appeared unusual to Lum as it was not a valid hostname.
339. Lum then filtered the logs from Citrix Server 1 to find all logins to the server using the LA. account. He found that the last legitimate login into the server using the LA. account was on 13 October 2017.
340. Lum also found that after 13 October 2017, there had been numerous logins to Citrix Server 1 between 17 May 2018 and 11 June 2018 using workstations bearing hostnames which should not normally have been logging into the Citrix server using the LA. account. Lum noticed the use of workstations VM 1 and VM 2, but did not know where these workstations were located. He also felt that the names of these two workstations were unusual. Lum’s hypothesis was that these were virtual machines running on legitimate workstations that had already cleared IHiS’ network access control measures.
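The log review described in paragraphs 339 and 340, sketched as an added example that is not part of the COI report or any IHiS tooling: filter one server's logon records for a single account, find the last login from an inventoried workstation, and flag logins from unknown hostnames or after a long dormant gap. The CSV layout, the times of day, the `WS-*` hostnames, the inventory and the 90-day threshold are assumptions; only the dates and the names VM 1 and VM 2 come from the text.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records, not data from the report.
SAMPLE_LOG = """\
timestamp,account,source_host,target
2017-09-02T09:14:00,LA.,WS-ADMIN-01,Citrix Server 1
2017-10-13T16:40:00,LA.,WS-ADMIN-01,Citrix Server 1
2018-05-17T02:11:00,LA.,VM 1,Citrix Server 1
2018-05-30T03:05:00,OTHER,WS-OPS-07,Citrix Server 1
2018-06-11T01:52:00,LA.,VM 2,Citrix Server 1
"""

KNOWN_HOSTS = {"WS-ADMIN-01", "WS-OPS-07"}  # assumed asset inventory
DORMANCY = timedelta(days=90)               # assumed dormancy threshold


def review_account(log_text, account, target,
                   known_hosts=KNOWN_HOSTS, dormancy=DORMANCY):
    """Return (last_legitimate_login, findings) for one account on one server.

    A login is a finding if its source host is not in the inventory or if it
    follows a gap longer than `dormancy` since the account's previous login.
    """
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["account"] == account and r["target"] == target]
    rows.sort(key=lambda r: r["timestamp"])  # ISO timestamps sort as text

    last_legit, prev, findings = None, None, []
    for r in rows:
        ts = datetime.fromisoformat(r["timestamp"])
        reasons = []
        if r["source_host"] not in known_hosts:
            reasons.append("source host not in inventory")
        if prev is not None and ts - prev > dormancy:
            reasons.append(f"account dormant for {(ts - prev).days} days")
        if reasons:
            findings.append((ts, r["source_host"], reasons))
        else:
            last_legit = ts
        prev = ts
    return last_legit, findings


if __name__ == "__main__":
    last, found = review_account(SAMPLE_LOG, "LA.", "Citrix Server 1")
    print("last legitimate login:", last)
    for ts, host, reasons in found:
        print(ts, host, "; ".join(reasons))
```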
20.3 Discovering that Citrix system event logs for Citrix Server 1 were deleted
341. In the evening of 11 June 2018, Vicky also discovered that the Citrix system event log for Citrix Server 1 had been deleted. As discussed at paragraph 178 (pg 62) above, these logs would have captured the details of all the accounts that logged into Citrix Server 1. The Citrix Team however had access to another set of logs.
342. IHiS staff noted that the record of the log being cleared was reflected as having been carried out by the System account. However, they were unable to explain how the System account had been used in this way, nor identify the person who had deleted the event log. Ordinarily, if the system event log has been deleted, there would be no other record of who had logged into the server. However, IHiS staff had access


