Shimomura had almost complete packet traces of the break-in, which allowed him to reconstruct the attack.
It was a trap.
It was not a trap. Shimomura was caught with his proverbials down. His arrogance made him complacent, and as such he didn't take the most basic steps to keep the attack out. According to Tsutomu's own account of the incident, he was only able to decipher what happened because the attacker(s) didn't clean the info off the hard drive when they were finished. They rm'd, sure, but he dd'd the raw disk to another drive and worked through the blocks until he found the two tools that were used to effect the intrusion. He was also able to recover the tcpdump logs that were erased. If the intruder(s) had rm'd the data and THEN done a mkfile that filled the disk with 0's, then most of what we know today would not be available. As mentioned a week or two back, filling the unused portions of blocks with 0's would probably also be necessary. As to whether Mitnick is capable of effecting the intrusion, that is yet to be ascertained. He claims no involvement in it, and based on what's known of his cracking prowess there is a certain truth to it. He's infinitely better with a phone than a keyboard.
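An added example, not part of the original post: a sketch of the kind of recovery described above, carving an erased tcpdump capture back out of a raw disk image by scanning its blocks. It assumes the capture is in classic libpcap format and was stored contiguously; the 512-byte block size, the function names and the sample image are constructed for illustration.

```python
import struct

BLOCK = 512  # assumed block size for the scan
# Classic libpcap magic as it appears on disk, mapped to the struct byte order
MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}

def carve_pcaps(image, block=BLOCK):
    """Return (offset, packet_count, data) for each capture found at a block boundary."""
    found = []
    for off in range(0, len(image) - 23, block):
        endian = MAGICS.get(image[off:off + 4])
        if endian is None:
            continue
        major, minor, _zone, _sigfigs, snaplen, _link = struct.unpack(
            endian + "HHiIII", image[off + 4:off + 24])
        if (major, minor) != (2, 4) or not 0 < snaplen <= 262144:
            continue  # magic bytes matched by chance, header is not plausible
        pos, packets = off + 24, 0
        # Walk record headers until one stops looking like a packet record
        while pos + 16 <= len(image):
            _sec, usec, incl, orig = struct.unpack(endian + "IIII", image[pos:pos + 16])
            if (usec >= 1_000_000 or incl == 0 or incl > snaplen
                    or incl > orig or pos + 16 + incl > len(image)):
                break
            pos += 16 + incl
            packets += 1
        if packets:
            found.append((off, packets, image[off:pos]))
    return found

def build_sample_image():
    """Constructed image: filler blocks with one unlinked capture left in block 3."""
    def pkt(sec, data):
        return struct.pack("<IIII", sec, 0, len(data), len(data)) + data
    cap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    cap += pkt(788400000, b"\x01" * 60) + pkt(788400001, b"\x02" * 74)
    image = bytearray(b"\xe5" * (8 * BLOCK))
    image[3 * BLOCK:3 * BLOCK + len(cap)] = cap
    return bytes(image), cap

if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, packets, data in carve_pcaps(image):
        print(f"capture at offset {off}: {packets} packets, {len(data)} bytes")
    # An image whose blocks were overwritten with zeros yields nothing to carve
    print("zero-filled image:", carve_pcaps(bytes(8 * BLOCK)))
```
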