IT Security at a large public organization discovered a data breach when a server holding confidential medical information displayed the message that drives were full when they should not have been. Stroz Friedberg was hired to determine the method of intrusion, the motivation of the intruders, the scope of the intrusion and whether confidential data had been accessed and/or downloaded by the intruders. After obtaining network topology and security information, preserving and analyzing evidence on network logs and over 50 compromised computer systems, performing port scans, and capturing memory dumps of systems, Stroz Friedberg identified that the intruders gained access to a desktop connected to the network through weak password controls three months prior to discovery of the hack. The intruders had then used Hacker Defender files to cloak their activities. Following the cyber-trail of the hackers led to a stash of hundreds of pirated movie files stored on the compromised server and remnants of IRC chat exchanges among the intruders reflecting that use of storage capacity was the purpose of the hack. Examination of the sensitive medical information files found no evidence of access or ex-filtration of these files.