A technical lead who was working on a major project has left the organization. The project manager
reports suspicious system activities on one of the servers that is accessible to the whole team.
What would be of GREATEST concern if discovered during a forensic investigation?
Audit logs are not enabled for the system
A logon ID for the technical lead still exists
Spyware is installed on the system
A Trojan is installed on the system
Audit logs are critical to the investigation of the event; however, if they are not enabled, misuse of the logon
ID of the technical lead and the guest account could not be established. The logon ID of the
technical lead should have been deleted as soon as the employee left the organization but, without
audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern but
could have been installed by any user and, again, without the presence of logs, discovering who
installed the spyware is difficult. A Trojan installed on the system is a concern, but it could have been
installed by any user, since the system is accessible to the whole group and, without the presence of logs,
investigation would be difficult.