COI Report – Part IV Page 139 of 425 suitable for forensic investigations. The forensic tools were in fact installed on Benjamin’s personal laptop, and forensic investigations could only be done on this one computer. 23.3 Obtaining of Citrix server system event logs on 19 and 20 June 2018 419. On 19 and 20 June 2018, Benjamin worked with the Citrix Team to obtain the system event logs of a number of Citrix servers, including that of Citrix Servers 2 and 4, that were involved in the failed attempts at logging into the SCM database on 13 June 2018. The logs for Citrix Server 1 were provided to Benjamin earlier. 23.4 Ernest’s actions after his return to Singapore on 18 June 2018 420. Although Ernest was added to the TigerConnect chat group on 13 June 2018, he was on overseas leave from 9 to 17 June 2018, and did not participate in the discussions, or provide any directions to the SIRT in this time. While he received the messages sent by members of the chat group as they were being sent, Ernest simply opened the TigerConnect application in order to dismiss the notifications, and did not read the messages until 18 June 2018, when he was back in Singapore. 421. Having read the TigerConnect messages upon his return, Ernest was generally aware that the team was trying to locate workstations with unusual hostnames and had taken some forensic images, but the team was unsuccessful in their efforts to locate VM 1 and VM 2. Ernest saw the messages from Benjamin on 13 June 2018 stating that an “incident was ongoing”, and that someone had “obtained local admin credentials” and was “try[ing] to login to the SCM production database”. However, Ernest has explained that he was “not concerned”, as “there was nothing to be concerned about while awaiting the results of forensic analysis” on the forensic images that had been collected.
|