COI Report – Part IV, Page 128 of 425
compromised by malware again. He also suspected that the matter raised by the Citrix Team on the morning of 13 June 2018 was a security incident.
376. There was a response from the PHI 1 Workstation when pinged, showing that it was in PHI 1. On 13 June 2018 itself, Benjamin contacted his IHiS colleagues who were based in PHI 1 and asked them to locate the PHI 1 Workstation, and to unplug the power cable. Thereafter, Benjamin acquired the forensic image of the PHI 1 Workstation on the same day.
Arranging for the seizure of Workstation C on June 2018
377. Sometime in the afternoon of 13 June 2018, Benjamin had ascertained the user to whom Workstation C was assigned. Benjamin’s colleague contacted the user on the phone, and they learnt that he was overseas. The user consented to the workstation being seized for forensic investigations.
378. In an email conversation starting from the afternoon of 13 June 2018, Benjamin explained to the user’s head of department that Workstation C was found to be attempting to connect to the SCM database using several different username and password combinations over several days from 22 May to 4 June 2018, and requested permission to seize the workstation. The head of department gave permission for the workstation to be seized, and further informed Benjamin that the user was overseas and had not used the workstation after 29 May 2018. Thereafter, arrangements were made for Workstation C to be seized on 18 June 2018, with a view to taking a forensic image.
379. This email correspondence was copied to an email group which included Ernest, who was still on holiday at the time.
Shutting down Citrix Server 1
380. On Benjamin’s advice, the Citrix Team exported the server image of Citrix Server 1 for the CERT to conduct further investigations, and shut down Citrix Server 1 thereafter.