Question
The SOC team has detected and confirmed an incident in which the following events have been initially correlated: suspicious out-of-office-hours activity (including an external flash drive being attached) on a workstation connected to gateway 10; the opening of a large number of files on a file server connected to gateway 9; and a large volume of traffic between the workstation and a DB server connected to gateway 5. Based on the advice you provided in Question 1, which of the data that has been collected will be relevant to this case, and what evidence do you expect to derive from it?

This is an ongoing incident, and as part of the Incident Response you have been asked to advise whether additional data needs to be collected and, if so, what type and from where (both network-based and from endpoints). This is in addition to the advice you provided in Question 1. The approach you advise should be forensically sound so that any evidence collected can be used in court.
[Network diagram: numbered gateways (including 5, 9 and 10) with attached workstations and printers; image not recoverable]
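An added worked example (not part of the question or of any answer on this page) showing how the three correlated events could be placed on one timeline and how a SHA-256 manifest over the collected records supports the forensic soundness the question asks for. The 08:00-18:00 office window, the file-count and byte thresholds, and the sample events are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, time, timedelta

# Constructed sample records (not from the question): endpoint and network events
# normalised to (timestamp, source, gateway, event_type, detail).
EVENTS = [
    ("2024-03-02T02:14:05", "endpoint", 10, "usb_attach", "removable media on workstation"),
    ("2024-03-02T02:16:40", "fileserver", 9, "file_open", "count=1843"),
    ("2024-03-02T02:21:10", "netflow", 5, "flow", "dst=dbserver bytes=2400000000"),
    ("2024-03-01T10:05:00", "endpoint", 10, "usb_attach", "removable media, office hours"),
]

def is_out_of_hours(ts, start=time(8, 0), end=time(18, 0)):
    """Assumed 08:00-18:00 working window; anything outside it is flagged."""
    t = datetime.fromisoformat(ts).time()
    return not (start <= t <= end)

def build_timeline(events):
    """Chronological timeline with an off-hours flag on every record."""
    return [{"ts": ts, "source": src, "gateway": gw, "event": ev, "detail": d,
             "off_hours": is_out_of_hours(ts)} for ts, src, gw, ev, d in sorted(events)]

def correlate(timeline, window=timedelta(minutes=30), min_files=500, min_bytes=10**9):
    """Link an off-hours USB attach at gateway 10 to bulk file access at gateway 9
    and a large flow to the DB server at gateway 5 inside the window; return each chain."""
    chains = []
    for seed in timeline:
        if not (seed["event"] == "usb_attach" and seed["gateway"] == 10 and seed["off_hours"]):
            continue
        t0 = datetime.fromisoformat(seed["ts"])
        chain = [seed]
        for e in timeline:
            dt = datetime.fromisoformat(e["ts"]) - t0
            if not (timedelta(0) < dt <= window):
                continue
            if e["gateway"] == 9 and e["event"] == "file_open" and int(e["detail"].split("count=")[1]) >= min_files:
                chain.append(e)
            if e["gateway"] == 5 and e["event"] == "flow" and int(e["detail"].split("bytes=")[1]) >= min_bytes:
                chain.append(e)
        if len(chain) == 3:
            chains.append(chain)
    return chains

def evidence_manifest(records):
    """SHA-256 over the canonical JSON of each record plus a combined digest, so the
    records handed to investigators can later be shown unchanged (chain-of-custody aid)."""
    digests = [hashlib.sha256(json.dumps(r, sort_keys=True).encode()).hexdigest() for r in records]
    combined = hashlib.sha256("".join(digests).encode()).hexdigest()
    return {"items": digests, "combined": combined}
```

In a real case the manifest would be computed over the raw collected artifacts (log exports, flow records, disk or memory images) at acquisition time, not over parsed records.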