


Date: 27.11.2023
Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 146 of 425

24.3 Identifying and seizing Workstation B
443. While Benjamin was unable to understand why two different IP addresses appeared to be associated with the same RDP session, he conducted some searches and found that the first IP address was associated with Workstation B.
444. Benjamin informed Lum and the Citrix Team of the association of the first IP address and Workstation B at pm on 26 June 2018. Lum has explained that based on his own checks and the information provided by Benjamin, he thought at that point in time that the RDP connection to Citrix Server 2 came from a virtual machine (i.e. VM 2) running from Workstation B. This opinion was shared by Benjamin, who later informed the members of the TigerConnect chat group of his “guess” that the Workstation B was “used as a victim PC to host a virtual machine”, and that the second IP address was that of the virtual machine.
445. Benjamin identified the user of Workstation B and, with the user’s permission, Workstation B was seized for forensic investigations on 26 June 2018. Both a memory dump and a forensic image of the hard disk were acquired.
24.4 Imposing firewall blocks for the IP address range for the second IP address
446. As mentioned in paragraph 441 above, Benjamin forwarded Lum and Joanne’s emails to Ernest and the other members of the CERT at pm on 26 June 2018. Given the lack of explanation in Benjamin’s email, Ernest could not understand the emails, and asked Benjamin for clarifications. He instructed Benjamin to try tracing the source of the second IP address, which was associated with VM 2. They determined that the IP address range was not part of the SingHealth network, and they were also unable to determine conclusively if this was a valid IP address. In the circumstances, Ernest arranged for firewall blocks for the IP address range for the second IP address to be imposed as a precaution.


