COI Report – Part IV
27.3 Implementing a firewall rule to block all connections to the SCM database from any SGH Citrix server on 5 July 2018

525. On 5 July 2018, the Citrix Team implemented a firewall rule which blocked all connections to the SCM database from any SGH Citrix servers, to ensure that the SGH Citrix servers could not be used to access the SCM database.
27.4 Enforcing the use of Privileged Access Management to access the SGH Citrix servers from 5 July 2018

526. The Citrix administrators were also told to access the SGH Citrix servers using only Privileged Access Management (“PAM”). The use of PAM required two-factor authentication.
27.5 Forensic examination of Workstation B

527. On 5 July 2018, Benjamin conducted further forensic investigations into the memory dump and hard disk image of Workstation B using forensic tools.
528. For the forensic investigation of the memory dump, Benjamin detected a suspicious process and file. He took a memory dump of the process and performed an analysis using an online service, which indicated that this was an unsafe file.
529. Benjamin also searched the memory dump for more unusual background processes, given what he had learnt previously. Again, he found that there were other suspicious background processes, and analysed them using online tools. The results of one tool indicated “malicious_confidence_80%”, and another tool indicated that this was an unsafe file. Benjamin prepared a report of his findings from the memory dump of Workstation B. He updated Ernest orally of his findings, and also showed Ernest the report. For the forensic investigations into the hard disk image of Workstation B, Benjamin also made a number of findings from this.