<<< Case example 2 | Index | Computer intrusion example, cont. >>> |
An intruder gains unauthorized access to a UNIX system.
The intruder is using a Windows computer and a stolen ISP account.
Proprietary files are downloaded from UNIX to Windows computer.
(The MD5 hash values of the files will be the same on the UNIX and Windows systems provided the files were transferred in binary mode; an ASCII-mode FTP transfer rewrites line endings and therefore changes the hash. The UNIX date-time stamps carry over only if the client preserves them; otherwise the Windows copies are stamped with the time of the download, which itself corroborates the server's transfer log.)
ISP account logs show that the Windows computer was connected to the Internet at the time of the transfer.
The Windows client software recorded the target IP address/hostname of the UNIX server.
Remote UNIX directory listings exist on the intruder's hard drive because the memory holding them was swapped to the paging file while the listings were displayed on the screen.
The stolen account and password are also stored on the intruder's system.
The transfer log on the UNIX server records the transferred files along with the user ID and date/time of each download.
All of the above digital evidence may be used to establish the continuity of the offense in a connect-the-dots manner.
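The connect-the-dots correlation described above, as an added example that is not part of the original case material. It ties three constructed evidence sources together: server transfer-log lines in the wu-ftpd xferlog format, ISP accounting records for the stolen account (a hypothetical layout: account, assigned IP, session start, session end), and the byte contents of the files as an examiner would hash them from the UNIX and Windows disk images. All hostnames, IPs, account names, paths and file contents are constructed for illustration. The example also shows the binary-versus-ASCII caveat: an ASCII-mode download no longer hashes the same as the server copy, but matches again once line endings are normalised.

```python
"""Correlate an FTP transfer log, ISP session records and file hashes.

All data below is constructed sample data, not evidence from a real case.
"""
import hashlib
from datetime import datetime

# Constructed xferlog lines (wu-ftpd format): date/time, transfer seconds,
# remote host, bytes, path, type (b=binary, a=ascii), special-action flag,
# direction (o=outgoing, i.e. a download from the server), access mode,
# username, service, auth method, auth user-id, completion status (c/i).
UNIX_XFERLOG = """\
Tue Mar 14 02:17:05 2000 3 203.0.113.45 20480 /home/acme/design.doc b _ o r jsmith ftp 0 * c
Tue Mar 14 02:17:09 2000 1 203.0.113.45 1536 /home/acme/notes.txt a _ o r jsmith ftp 0 * c
Tue Mar 14 09:30:00 2000 2 198.51.100.7 4096 /home/acme/readme.txt b _ o r jsmith ftp 0 * c
"""

# Constructed ISP accounting records (hypothetical layout):
# (account, IP assigned to the dial-up session, session start, session end)
ISP_SESSIONS = [
    ("jsmith", "203.0.113.45", "2000-03-14 01:58:12", "2000-03-14 02:41:50"),
]

# Constructed file contents as recovered from the two disk images.
UNIX_FILES = {
    "/home/acme/design.doc": b"\xd0\xcf\x11\xe0ACME-DESIGN-BINARY\x00\x01\x02",
    "/home/acme/notes.txt": b"line one\nline two\n",
    "/home/acme/readme.txt": b"readme\n",
}
WINDOWS_FILES = {
    "C:\\Downloads\\design.doc": b"\xd0\xcf\x11\xe0ACME-DESIGN-BINARY\x00\x01\x02",  # binary-mode copy
    "C:\\Downloads\\notes.txt": b"line one\r\nline two\r\n",  # ASCII-mode copy: LF became CRLF
}

TS_FMT = "%Y-%m-%d %H:%M:%S"


def md5(data):
    """Hex MD5 of a byte string, as an examiner's hashing tool would report it."""
    return hashlib.md5(data).hexdigest()


def parse_xferlog(text):
    """Parse xferlog lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        records.append({"time": when, "host": f[6], "size": int(f[7]), "path": f[8],
                        "mode": f[9], "direction": f[11], "user": f[13], "status": f[17]})
    return records


def session_for(ip, when, sessions):
    """Return the ISP account that held `ip` at time `when`, or None."""
    for account, sip, start, end in sessions:
        if sip == ip and datetime.strptime(start, TS_FMT) <= when <= datetime.strptime(end, TS_FMT):
            return account
    return None


def correlate(xferlog, sessions, unix_files, windows_files):
    """Link each server-side download to an ISP session and to a Windows file by hash."""
    win_by_hash = {md5(data): path for path, data in windows_files.items()}
    results = []
    for r in parse_xferlog(xferlog):
        if r["direction"] != "o" or r["status"] != "c":
            continue  # only completed downloads from the server matter here
        original = unix_files[r["path"]]
        direct = win_by_hash.get(md5(original))
        # ASCII-mode FTP rewrites LF to CRLF on a Windows client, so retry
        # the hash match on a line-ending-normalised copy for "a" transfers.
        after_crlf = win_by_hash.get(md5(original.replace(b"\n", b"\r\n"))) if r["mode"] == "a" else None
        results.append({
            "time": r["time"].strftime(TS_FMT), "path": r["path"], "ftp_user": r["user"],
            "source_ip": r["host"], "isp_account": session_for(r["host"], r["time"], sessions),
            "unix_md5": md5(original), "windows_copy": direct,
            "windows_copy_after_crlf": after_crlf,
        })
    return results


if __name__ == "__main__":
    for row in correlate(UNIX_XFERLOG, ISP_SESSIONS, UNIX_FILES, WINDOWS_FILES):
        print(row)
```

In the constructed data the first two downloads fall inside the session during which the ISP assigned 203.0.113.45 to the stolen account and both files are found on the Windows disk, the second only after undoing the ASCII-mode line-ending change; the third download came from a different address outside any recorded session and has no matching file, so it is not tied to this suspect's machine by this evidence.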