ISACA Exam Questions

What would be of GREATEST concern if discovered during a forensic investigation?

A technical lead who was working on a major project has left the organization. The project manager
reports suspicious system activities on one of the servers that is accessible to the whole team. What
would be of GREATEST concern if discovered during a forensic investigation?

A. Audit logs are not enabled for the system

B. A logon ID for the technical lead still exists

C. Spyware is installed on the system

D. A Trojan is installed on the system

Explanation:
Audit logs are critical to the investigation of the event; if they are not enabled, misuse of the logon
ID of the technical lead and the guest account could not be established. The logon ID of the technical
lead should have been deleted as soon as the employee left the organization but, without audit logs,
misuse of the ID is difficult to prove. Spyware installed on the system is a concern, but it could have
been installed by any user and, again, without logs, discovering who installed the
spyware is difficult. A Trojan installed on the system is a concern, but it could have been installed by
any user because the system is accessible to the whole group and, without logs, the investigation
would be difficult.