BernardHenderson/Incident-Response-Investigation
# Incident Response Investigation
## Overview
This project documents a simulated incident response investigation involving compromised credentials, malware activity, spyware, and FTP-based data exfiltration. The goal was to analyze forensic evidence, identify the scope of the incident, document indicators of compromise, and prepare an incident response report.
## Scenario
A user system was suspected of being involved in unauthorized file transfer activity. Evidence suggested the presence of spyware, possible credential compromise, and confidential data being transferred to an external FTP server.
## Objectives
- Analyze PCAP evidence for suspicious network activity
- Review disk and email artifacts for signs of compromise
- Identify compromised credentials and affected systems
- Determine incident priority and scope
- Build an incident timeline
- Prepare an incident response report
## Tools and Techniques
- PCAP analysis
- Disk image review
- Email artifact analysis
- Timeline reconstruction
- Indicator of compromise documentation
- Incident classification
- Evidence reporting
## Key Findings
- Confirmed FTP-based exfiltration activity
- Identified compromised credentials
- Found evidence of malware and spyware activity
- Identified affected internal systems and an external FTP destination
- Classified the incident as high priority due to confidential data exposure
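The findings above (cleartext credentials, confirmed uploads, an external FTP destination, a timeline) can be pulled from a captured FTP control channel mechanically. The script below is an added example, not part of this project; the session lines and the RFC 1918 "internal" ranges are constructed assumptions, and the tuple shape mirrors what a `tshark -Y ftp` extraction would give you.

```python
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "time client server kind detail")

# Internal address space assumed for this exercise (RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample session as (time, src, dst, FTP control line), the
# shape you get from "tshark -Y ftp" on a capture. Not real evidence.
SESSION = [
    ("09:14:02", "10.0.0.25", "203.0.113.40", "USER jdoe"),
    ("09:14:02", "10.0.0.25", "203.0.113.40", "PASS Winter2024!"),
    ("09:14:03", "203.0.113.40", "10.0.0.25", "230 Login successful."),
    ("09:14:09", "10.0.0.25", "203.0.113.40", "STOR payroll_q3.xlsx"),
    ("09:14:11", "203.0.113.40", "10.0.0.25", "226 Transfer complete."),
    ("09:14:20", "10.0.0.25", "203.0.113.40", "STOR clients.csv"),
    ("09:14:21", "203.0.113.40", "10.0.0.25", "226 Transfer complete."),
    ("09:15:00", "10.0.0.25", "203.0.113.40", "RETR notes.txt"),
    ("09:15:01", "203.0.113.40", "10.0.0.25", "226 Transfer complete."),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def analyze(session):
    """Return (timeline, credentials, uploads, external_servers)."""
    timeline, creds, uploads, external = [], {}, [], set()
    user = pending = None        # pending = (kind, filename) awaiting a 226
    for time, src, dst, line in session:
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            creds[user] = arg                    # credential sent in cleartext
        elif verb == "230":                      # server confirmed the login
            timeline.append(Event(time, dst, src, "login", user))
        elif verb in ("STOR", "RETR"):
            pending = ("upload" if verb == "STOR" else "download", arg)
        elif verb == "226" and pending:          # only completed transfers count
            kind, name = pending
            timeline.append(Event(time, dst, src, kind, name))
            if kind == "upload" and not is_internal(src):
                uploads.append(name)             # confirmed exfiltration
                external.add(src)
            pending = None
    return timeline, creds, uploads, sorted(external)
```

Only a STOR answered by a 226 is counted as exfiltration, so refused or aborted transfers do not inflate the list, and a RETR lands in the timeline as a download rather than an upload.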
## Skills Demonstrated
- Incident response
- Digital forensics
- Network traffic analysis
- Malware investigation
- Evidence documentation
- Security reporting
- Root cause analysis
## What I Learned
This project strengthened my ability to connect evidence from multiple sources, including network captures, emails, disk artifacts, and system indicators. It also helped me practice writing clear incident reports that explain what happened, what systems were affected, and why the incident matters.