Forensics/Logs: Another poor exhibit has been added. The test-taken is challenged to look at logs from: IDS, Web server, PC and a database. You can see in the IDS and WWW logs that there is likely OS command injection going on against WWW, causing it to SCP some files off to the attacker. Nothing wild seems to show on the PC or DB.
So, identify the attacker, the victim and maybe something else. But, then you have to choose the correct forensic steps to use on each system. The options are something like: image the machine, digital signature, re-image the machine. As far as I can see, you want to collect the IDS logs and digitally sign them, but that is not an option. You can only digitally sign the whole machine. Much the same is true of the victim. The victim had stuff stolen but was not altered. So, you likely want to image it, digitally sign.
Just figuring out the victim and attacker is worth some points. Good luck with the specific forensic steps. Move on and start racking up points with other questions.