luiscruz-cyber/incident-response-report

GitHub: luiscruz-cyber/incident-response-report


# Digital Forensics & Incident Response Report

A simulated end-to-end incident response engagement covering user-reported phishing alert → log correlation → forensic timeline → root cause → remediation plan. Demonstrates the SANS PICERL lifecycle (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) and aligns with NIST SP 800-61r2 incident handling guidance.

This is the kind of work required by SOC 2 (CC7.3 — security incidents), ISO 27001 (A.5.24–A.5.28), HIPAA (164.308(a)(6)), and NYDFS (500.16) — all of which mandate documented incident response processes.

## 🧠 Objectives

- Investigate an internal cybersecurity incident
- Correlate log and email data to reconstruct attacker actions
- Build a forensic timeline and identify root cause
- Communicate findings and recommendations to non-technical stakeholders

## 🗂️ Deliverables

- **[Email Alert (PDF)](./Cruz_Luis_1_Email_122024.pdf)** — the user-reported suspicious email that triggered the investigation
- **[Investigation Report (PDF)](./Cruz_Luis_2_Report_122024.pdf)** — incident overview, technical analysis, and remediation plan
- **[Assessment Summary (PDF)](./Cruz_Luis_3_Assessment_122024.pdf)** — risk evaluation and incident response effectiveness review

## 🔍 Topics Covered

- Incident detection and triage from end-user report
- Email header analysis (SPF / DKIM / DMARC pass/fail interpretation)
- Log correlation across email gateway, endpoint, and identity systems
- Forensic timeline reconstruction
- Root cause analysis and attacker TTP mapping
- Containment, eradication, and recovery decisions under time pressure
- Communicating findings to leadership without burying them in technical detail

## 📘 Related work

- **[compliance-prompts: tabletop exercise generator](https://github.com/luiscruz-cyber/compliance-prompts/blob/main/prompts/general/tabletop-exercise-generator.md)** — LLM prompt for generating IR tabletop scenarios. Built partly from patterns I noticed while doing structured IR analysis like this project.