
CYBER 440: Cybersecurity Capstone Incident Response & Forensics


Cybersecurity Capstone

This portfolio-safe case study summarizes selected CYBER 440 capstone work involving a simulated organizational compromise, phishing-led malware infection, forensic image analysis, network traffic review, memory analysis, log analysis, incident timeline development, impact assessment, and remediation planning.

Course CYBER 440
Project Type Cybersecurity Capstone / Incident Response Case Study
Focus IR · Digital Forensics · Network Analysis · Memory Analysis · Logs
Scenario Simulated Municipal Organization Compromise
Publishing Level Portfolio-Safe / Redacted / No Raw Evidence Files
Professional Angle Security Operations, Incident Response, and Forensic Reporting

Overview

CYBER 440 was a cybersecurity capstone course focused on investigating a simulated organizational compromise using multiple evidence sources and analyst workflows.

The project required connecting evidence from:

  • network captures
  • forensic system images
  • Windows event logs
  • memory artifacts
  • suspicious processes
  • user activity
  • email-based compromise indicators
  • ransomware-style artifacts
  • malware-related findings
  • timeline reconstruction
  • business impact analysis
  • remediation recommendations

This page presents the work as a portfolio-safe case study. It does not publish raw evidence files, forensic images, full screenshots, private academic submissions, user account details, exact hashes, or sensitive artifacts.


Why This Project Matters

This capstone is valuable because it shows a more complete cybersecurity investigation workflow than a single isolated lab.

A real investigation requires analysts to combine multiple views of the same incident:

  • what happened on the network
  • what happened on endpoints
  • what changed on disk
  • what was visible in memory
  • what logs support the timeline
  • which systems and users were affected
  • which attack vector was most likely
  • what operational impact occurred
  • what should be done next

The project also required communication. Findings had to be converted into a clear status report and final report that could explain the incident, its impact, and recommended remediation steps.


Scenario Summary

The capstone scenario involved a simulated compromise affecting multiple organizational systems.

The investigation identified a phishing-led attack path involving a malicious file disguised as a PDF attachment. The suspected infection chain led to malware execution, suspicious processes, remote-access risk, file deletion, ransom-note artifacts, exposed credentials, failed authentication events, and operational disruption.

The strongest working theory was that a phishing email introduced malware into the environment, after which the compromise affected multiple systems and required coordinated incident response.


Portfolio-Safe Redaction Approach

Security note: This case study intentionally avoids publishing raw forensic images, packet captures, screenshots, hashes, complete usernames, full email artifacts, private academic files, or step-by-step evidence extraction details.

This page excludes:

  • raw forensic images
  • packet capture files
  • memory dumps
  • full screenshots
  • complete raw logs
  • exact hashes
  • private student identifiers
  • full team submissions
  • complete academic answers
  • sensitive simulated evidence artifacts
  • step-by-step replication instructions

Instead, it summarizes:

  • investigation workflow
  • evidence categories
  • technical themes
  • analyst reasoning
  • incident timeline concepts
  • impact assessment
  • remediation thinking
  • professional lessons learned

Investigation Workflow

1. Initial Scope and Evidence Review

Reviewed available evidence sources and identified major analysis tracks: network traffic, forensic images, memory artifacts, and Windows/event log data.

Scope

2. Network Analysis

Reviewed network captures to identify communication timelines, suspicious email activity, credential exposure concerns, affected systems, and event sequencing.

Network Forensics

3. Forensic Image Analysis

Analyzed Windows system images, reviewed user directories, downloads, desktop artifacts, application history, suspicious files, and system folders relevant to compromise investigation.

Disk Forensics

4. Memory Analysis

Reviewed memory-related findings to identify suspicious processes, unknown parent-child process relationships, possible hands-on-keyboard activity, and incomplete or obfuscated process metadata.

Memory Analysis

5. Log Analysis

Analyzed Windows and server log evidence for failed authentication, anonymous access attempts, service state changes, PTR registration issues, audit failures, and access-related anomalies.

Log Analysis

6. Impact and Remediation

Translated technical findings into operational impact, risk exposure, containment priorities, restoration recommendations, and future prevention steps.

Remediation


Evidence Areas

Phishing-Led Compromise

The investigation identified a phishing-style email with a malicious attachment disguised as a PDF as the likely initial compromise path.

Initial Access

Malware Execution

The analysis connected the suspicious file activity to malware execution and remote-access risk, including backdoor-style behavior and potential credential exposure.

Malware Investigation

Forensic Image Review

Forensic images were reviewed for user directories, desktop artifacts, suspicious downloads, temp folders, application history, event logs, and evidence of encrypted or suspicious files.

Disk Forensics

Memory Artifacts

Memory analysis identified suspicious processes, unusual process relationships, missing or incomplete metadata, and indicators that required further investigation.

Memory Analysis

Windows and Server Logs

Log review focused on authentication failures, service state changes, PTR registration issues, anonymous access attempts, and server-management anomalies.

Log Analysis

Incident Reporting

Findings were summarized into status reports and a final incident report with executive summary, attack vector analysis, impact assessment, and remediation recommendations.

Reporting


Network Analysis Themes

Network analysis focused on understanding communication patterns and timeline evidence.

Key activities included:

  • reviewing network capture time ranges
  • identifying email-related activity
  • supporting the incident timeline
  • looking for suspicious communication patterns
  • connecting network evidence to endpoint findings
  • identifying potential credential exposure concerns
  • mapping communications between affected users and systems

The network evidence helped support the conclusion that the incident was connected to a malicious file delivered through email rather than a simple port manipulation issue.
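Connecting network evidence to endpoint findings is mostly a timestamp problem: packet captures carry Unix epochs, event log exports carry ISO-8601 UTC, forensic tools often export file times in local time, and memory listings are usually UTC. The script below is an added example written for this page, not code from the capstone; every record, host address, file name and time in it is constructed, and it assumes memory process times are already in UTC. It normalizes each source to UTC, merges them into one timeline, and reports which endpoint events fall outside the capture window (those cannot be corroborated by the network evidence).

```python
"""Merge network, disk, memory and log observations into one UTC timeline.

Added example for this page, not code from the capstone. All records are
constructed placeholders. Memory process times are assumed to be UTC.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def to_utc(value, naive_offset=timedelta(0)):
    """Normalize a Unix epoch, an ISO-8601 string ('Z' or an explicit offset),
    or a naive 'YYYY-MM-DD HH:MM:SS' string to a timezone-aware UTC datetime.
    Naive strings are interpreted in the zone given by naive_offset."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=UTC)
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone(naive_offset))
    return dt.astimezone(UTC)


# Constructed observations, one list per evidence source.
NETWORK_FLOWS = [  # Zeek conn.log-style: ts (epoch), orig host, resp host, resp port, service
    (1709543640.0, "10.0.5.23", "10.0.5.10", 993, "imaps"),
    (1709543730.0, "10.0.5.23", "203.0.113.7", 443, "ssl"),
]
DISK_ARTIFACTS = [  # file system times exported in local time (UTC-5), with offset
    ("2024-03-04T04:15:02-05:00", "WS01", "created C:\\Users\\user\\Downloads\\report.pdf.exe"),
]
MEMORY_PROCESSES = [  # process create times from a memory listing, assumed UTC (naive)
    ("2024-03-04 09:15:04", "WS01", "process start report.pdf.exe (pid 4420)"),
]
WINDOWS_EVENTS = [  # event log export, ISO-8601 with trailing Z
    ("2024-03-04T09:15:10Z", "SRV01", "event 4625 failed logon for jdoe from 10.0.5.23"),
]


def build_timeline():
    """Return [(utc_iso, source, host, summary)] sorted by time across all sources."""
    rows = []
    for ts, src, dst, port, service in NETWORK_FLOWS:
        rows.append((to_utc(ts), "network", src, f"{src} -> {dst}:{port} ({service})"))
    for ts, host, what in DISK_ARTIFACTS:
        rows.append((to_utc(ts), "disk", host, what))
    for ts, host, what in MEMORY_PROCESSES:
        rows.append((to_utc(ts), "memory", host, what))
    for ts, host, what in WINDOWS_EVENTS:
        rows.append((to_utc(ts), "log", host, what))
    rows.sort(key=lambda r: r[0])
    return [(t.isoformat(), s, h, w) for t, s, h, w in rows]


def capture_window():
    """First and last packet time in the capture, as UTC ISO strings."""
    times = sorted(to_utc(f[0]) for f in NETWORK_FLOWS)
    return times[0].isoformat(), times[-1].isoformat()


def outside_capture_window(timeline):
    """Non-network events outside the capture window: the capture cannot
    corroborate them, which the report should say explicitly."""
    start, end = capture_window()
    return [r for r in timeline if r[1] != "network" and not (start <= r[0] <= end)]


if __name__ == "__main__":
    tl = build_timeline()
    print("capture window:", *capture_window())
    for when, source, host, summary in tl:
        print(f"{when} [{source:7}] {host:5} {summary}")
    print("not covered by capture:", outside_capture_window(tl))
```

Because every timestamp is rendered in one format after normalization, the ISO strings sort and compare correctly as text, which keeps the merge and the window check simple.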


Forensic Image Analysis Themes

Forensic image analysis focused on endpoint artifacts.

Areas reviewed included:

  • user profile directories
  • Documents, Downloads, Desktop, and Pictures folders
  • Windows system folders
  • temporary files
  • suspicious executables
  • browser and application history
  • encrypted or suspicious files
  • Windows event log artifacts
  • hash verification to confirm image integrity

This portion of the work helped connect user activity, suspicious files, ransomware-style artifacts, and endpoint-level evidence to the broader incident timeline.
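Hash verification is the step that lets every later finding stand: if the working copy of an image no longer matches the digest recorded at acquisition, nothing found on it can be attributed to the original system. The script below is an added example for this page, not code from the capstone. It assumes a sha256sum-style manifest (one `<hex digest>  <file name>` line per image) stored beside the image files, hashes each image in fixed-size chunks so a multi-gigabyte image never has to fit in memory, and reports match, mismatch or missing per entry. The images and manifest used by `demo()` are constructed in a temporary directory.

```python
"""Verify forensic image files against an acquisition-time hash manifest.

Added example for this page, not code from the capstone. Assumes a
sha256sum-style manifest ("<hex digest>  <file name>" per line) beside the
image files; demo() constructs its images and manifest in a temp directory.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image never sits in RAM


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Map file name -> expected lowercase digest.
    A leading '*' on the name is sha256sum's binary-mode marker and is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def verify_images(directory: str, manifest_text: str) -> dict:
    """Return {file name: 'match' | 'mismatch' | 'missing'} for each manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict:
    """Constructed scenario: ws01.raw intact, ws02.raw altered by one byte after
    acquisition, ws03.raw listed in the manifest but never copied over."""
    with tempfile.TemporaryDirectory() as d:
        content = b"\x00" * (3 * CHUNK + 17)  # large enough to span several chunks
        for name in ("ws01.raw", "ws02.raw"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        acquired = sha256_bytes(content)  # what the acquisition tool would have recorded
        manifest = "\n".join([
            "# constructed manifest, written at acquisition time",
            f"{acquired}  ws01.raw",
            f"{acquired} *ws02.raw",
            f"{acquired}  ws03.raw",
        ])
        with open(os.path.join(d, "ws02.raw"), "r+b") as f:  # simulate a post-acquisition change
            f.seek(CHUNK + 5)
            f.write(b"\x01")
        return verify_images(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A single flipped byte deep inside the second image is enough to produce a mismatch, which is exactly why the digest, and not file size or modification time, is what an investigator records and re-checks.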


Memory Analysis Themes

Memory analysis focused on volatile artifacts and running processes.

The investigation considered:

  • suspicious process names
  • unknown or missing process metadata
  • suspicious parent-child process relationships
  • command-line visibility
  • process timing
  • possible hands-on-keyboard indicators
  • potential process obfuscation
  • malicious or unknown executable behavior

This reinforced the importance of memory analysis in incident response because disk evidence alone may not fully explain what was happening at runtime.
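The process-relationship and metadata questions above can be checked mechanically once a process listing has been pulled from memory. The script below is an added example for this page, not code from the capstone: it takes a constructed listing shaped like a Volatility-style pslist/pstree export (pid, ppid, name, create time, command line), rebuilds the tree, and flags a parent that is absent from the listing, a name or command line that was not recovered, a child of a user-facing application, a shell launched from an unexpected parent, and a child that appears to predate its parent. The application and shell allow-lists are my own heuristics, not a standard, and all names, pids and times are placeholders.

```python
"""Rebuild a process tree from a memory-derived process listing and flag the
relationships and metadata gaps worth a closer look.

Added example for this page, not code from the capstone. The listing is
constructed; USER_APPS, SHELLS and SHELL_PARENTS_EXPECTED are heuristics.
"""
from datetime import datetime

# Constructed listing: names, pids and times are placeholders, not real evidence.
SAMPLE_ROWS = [
    # pid,  ppid, name,             create time (UTC),      command line ("" = not recovered)
    (4,     0,    "System",         "2024-03-04 08:00:01",  "System"),
    (600,   4,    "smss.exe",       "2024-03-04 08:00:02",  "smss.exe"),
    (900,   600,  "winlogon.exe",   "2024-03-04 08:00:05",  "winlogon.exe"),
    (1200,  900,  "explorer.exe",   "2024-03-04 08:01:10",  "explorer.exe"),
    (3100,  1200, "outlook.exe",    "2024-03-04 09:12:30",  "outlook.exe"),
    (4420,  3100, "report.pdf.exe", "2024-03-04 09:15:02",  ""),
    (4431,  4420, "cmd.exe",        "2024-03-04 09:14:59",  "cmd.exe"),
    (5012,  7777, "",               "2024-03-04 09:16:40",  ""),
]

USER_APPS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe", "chrome.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SHELL_PARENTS_EXPECTED = {"explorer.exe", "services.exe", "svchost.exe"}  # heuristic allow-list


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def review_processes(rows):
    """Return [(pid, reason)] for every observation an analyst should follow up."""
    by_pid = {r[0]: r for r in rows}
    findings = []
    for pid, ppid, name, created, cmdline in rows:
        parent = by_pid.get(ppid)
        label = name or "<unknown>"
        if ppid != 0 and parent is None:
            findings.append((pid, f"parent pid {ppid} absent from listing"))
        if not name:
            findings.append((pid, "process name not recovered"))
        if not cmdline:
            findings.append((pid, "command line not recovered"))
        if parent is None:
            continue
        pname = parent[2].lower()
        if pname in USER_APPS and name.lower() not in USER_APPS:
            findings.append((pid, f"{label} spawned by user application {parent[2]}"))
        if name.lower() in SHELLS and pname not in SHELL_PARENTS_EXPECTED:
            findings.append((pid, f"shell {label} launched by {parent[2] or '<unknown>'}"))
        if _ts(created) < _ts(parent[3]):
            findings.append((pid, f"created before parent pid {ppid}; possible pid reuse"))
    return findings


def render_tree(rows):
    """Indented text tree; processes whose parent is missing are shown as roots."""
    by_pid = {r[0]: r for r in rows}
    children, roots = {}, []
    for r in rows:
        if r[1] in by_pid:
            children.setdefault(r[1], []).append(r)
        else:
            roots.append(r)
    lines = []

    def walk(row, depth):
        pid, ppid, name, created, _ = row
        lines.append(f"{'  ' * depth}{name or '<unknown>'} (pid {pid}, ppid {ppid}, {created})")
        for child in sorted(children.get(pid, []), key=lambda c: c[0]):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r[0]):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_ROWS))
    for pid, reason in review_processes(SAMPLE_ROWS):
        print(f"pid {pid}: {reason}")
```

None of these flags is proof on its own; a child that predates its parent can be ordinary pid reuse, and a missing command line can be a paging artifact. Each one is a pointer back to disk, logs and network data for the context the page describes.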


Log Analysis Themes

Log analysis focused on Windows and server events.

The work included review of:

  • failed authentication
  • anonymous access attempts
  • service start/stop behavior
  • PTR registration errors
  • audit failures
  • network share access attempts
  • server-management errors
  • suspicious timing correlations
  • affected Windows and Windows Server systems

Log evidence helped translate individual artifacts into a broader operational picture.
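The log themes above translate directly into a small review script over an event log export. The one below is an added example for this page, not code from the capstone. Its CSV is constructed: hosts, accounts and addresses are placeholders, the message texts are shortened versions of the real Windows wording, 4625/4624/7036 are the standard IDs for failed logon, successful logon and service state change, and the PTR row is matched on its message text rather than its (placeholder) ID. It counts failed logons per account and source, isolates anonymous logons, extracts service state changes, counts audit failures, and emits the events as a sorted timeline.

```python
"""Review an exported Windows event log for failed logons, anonymous access,
service state changes, PTR registration errors and audit failures.

Added example for this page, not code from the capstone. SAMPLE_CSV is
constructed; the PTR row's EventID is a placeholder and is not relied on.
"""
import csv
import io
import re
from collections import Counter

SAMPLE_CSV = """TimeCreated,Computer,Provider,EventID,Keyword,Message
2024-03-04T09:15:10Z,SRV01,Microsoft-Windows-Security-Auditing,4625,Audit Failure,"An account failed to log on. Account Name: jdoe Source Network Address: 10.0.5.23 Logon Type: 3"
2024-03-04T09:15:12Z,SRV01,Microsoft-Windows-Security-Auditing,4625,Audit Failure,"An account failed to log on. Account Name: jdoe Source Network Address: 10.0.5.23 Logon Type: 3"
2024-03-04T09:15:15Z,SRV01,Microsoft-Windows-Security-Auditing,4625,Audit Failure,"An account failed to log on. Account Name: jdoe Source Network Address: 10.0.5.23 Logon Type: 3"
2024-03-04T09:16:00Z,SRV01,Microsoft-Windows-Security-Auditing,4625,Audit Failure,"An account failed to log on. Account Name: administrator Source Network Address: 10.0.5.23 Logon Type: 3"
2024-03-04T09:16:30Z,SRV01,Microsoft-Windows-Security-Auditing,4624,Audit Success,"An account was successfully logged on. Account Name: ANONYMOUS LOGON Source Network Address: 10.0.5.23 Logon Type: 3"
2024-03-04T09:18:02Z,SRV01,Service Control Manager,7036,Classic,"The Windows Defender Antivirus Service service entered the stopped state."
2024-03-04T09:20:00Z,WS01,Microsoft-Windows-DNS-Client,8019,Classic,"The system failed to register pointer (PTR) resource records for network adapter with settings: Adapter Name: Ethernet"
"""

# In the constructed messages there is one Account Name field; a real 4625 carries
# both a subject and a target account, so a production parser should pick the target.
ACCOUNT_RE = re.compile(r"Account Name:\s*(.+?)\s+Source Network Address:\s*(\S+)")
SERVICE_RE = re.compile(r"The (.+) service entered the (\w+) state")


def parse_events(text):
    """Rows as dicts with EventID as int, sorted by time. Timestamps stay as
    ISO-8601 UTC strings, which sort correctly as text in one shared format."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["EventID"] = int(e["EventID"])
    return sorted(events, key=lambda e: e["TimeCreated"])


def _account_source(e):
    m = ACCOUNT_RE.search(e["Message"])
    return (m.group(1), m.group(2)) if m else ("?", "?")


def failed_logons(events):
    """Counter of (account, source address) over event 4625."""
    return Counter(_account_source(e) for e in events if e["EventID"] == 4625)


def anonymous_logons(events):
    return [e for e in events if e["EventID"] == 4624 and "ANONYMOUS LOGON" in e["Message"]]


def service_state_changes(events):
    out = []
    for e in events:
        if e["EventID"] == 7036:
            m = SERVICE_RE.search(e["Message"])
            if m:
                out.append((e["TimeCreated"], e["Computer"], m.group(1), m.group(2)))
    return out


def ptr_registration_failures(events):
    return [e for e in events if "pointer (PTR) resource records" in e["Message"]]


def audit_failures(events):
    return sum(1 for e in events if e["Keyword"] == "Audit Failure")


def timeline(events):
    return [f"{e['TimeCreated']} {e['Computer']} {e['EventID']} {e['Message'][:60]}" for e in events]


def review(text):
    ev = parse_events(text)
    return {
        "failed_logons": failed_logons(ev),
        "anonymous_logons": len(anonymous_logons(ev)),
        "service_changes": service_state_changes(ev),
        "ptr_failures": len(ptr_registration_failures(ev)),
        "audit_failures": audit_failures(ev),
        "timeline": timeline(ev),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CSV).items():
        print(key, value if key != "timeline" else "")
        if key == "timeline":
            print("\n".join(value))
```

Read together, the sample shows the kind of sequence the page describes: repeated failures for one account from one address, then an anonymous session from the same address, then a security service stopping on the same host, a few minutes apart. The script only surfaces the pattern; deciding whether it is one actor is the analyst's job.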


Impact Assessment

The incident created risk across several dimensions:

| Impact Area | Observed or Inferred Risk | Severity |
|---|---|---|
| Confidentiality | Potential credential exposure, sensitive data access, and remote-access malware risk. | High |
| Integrity | Suspicious file changes, ransom-note artifacts, deleted files, and concerns around audit failures or altered system behavior. | High |
| Availability | Service disruptions, system instability, file loss, and operational delays affecting IT and business processes. | High |
| Reputation and Governance | Potential stakeholder confidence issues, policy concerns, incident response maturity concerns, and possible regulatory or compliance exposure. | High |

Remediation Recommendations

The capstone response emphasized both immediate containment and long-term security improvement.

Recommended actions included:

  • isolate affected systems
  • preserve evidence for forensic review
  • conduct complete forensic analysis
  • identify all compromised accounts and processes
  • remove malware and unauthorized processes
  • reset affected passwords
  • strengthen authentication
  • improve network monitoring
  • update security policies
  • conduct security awareness training
  • perform recurring vulnerability assessments
  • update the incident response plan
  • document lessons learned
  • communicate clearly with stakeholders during recovery

These recommendations are useful because they connect technical findings to operational decision-making.


Capability-to-Evidence Map

| Capability | Evidence from CYBER 440 | Status |
|---|---|---|
| Incident Response | Investigated phishing-led compromise, identified affected systems, built incident timeline, summarized impact, and recommended containment and recovery actions. | Completed |
| Network Forensics | Reviewed network captures, communication timeline, email activity, packet-level evidence, and suspicious access concerns. | Completed |
| Digital Forensics | Analyzed Windows forensic images, user directories, suspicious files, downloads, desktop artifacts, temp folders, application history, and event logs. | Completed |
| Memory Analysis | Reviewed suspicious processes, process metadata gaps, process relationships, and possible runtime indicators of compromise. | Completed |
| Log Analysis | Reviewed authentication failures, anonymous access attempts, service state changes, PTR issues, audit failures, and server-side anomalies. | Completed |
| Executive Reporting | Converted technical findings into executive summary, attack vector analysis, impact analysis, remediation planning, and final incident reporting. | Completed |

What I Learned

This capstone reinforced several important cybersecurity lessons:

  • incident response requires multiple evidence sources
  • phishing remains one of the most effective initial access vectors
  • endpoint evidence and network evidence must be correlated
  • forensic image analysis helps preserve and reconstruct user/system behavior
  • memory analysis can expose runtime artifacts that disk analysis may miss
  • logs are essential for timeline reconstruction and access review
  • suspicious processes need context from disk, memory, logs, and network data
  • impact analysis should include confidentiality, integrity, availability, operations, reputation, and governance
  • remediation must include both immediate containment and long-term prevention
  • final reporting matters because technical findings must be understandable to decision-makers

Professional Relevance

This project supports roles involving:

  • cybersecurity analysis
  • security operations
  • incident response
  • digital forensics
  • vulnerability management
  • malware investigation
  • threat analysis
  • security consulting
  • governance-aware security reporting

It also supports my ServiceNow SecOps direction because incident response and Vulnerability Response both require structured triage, ownership, remediation tracking, validation, documentation, and stakeholder communication.


Portfolio-Safe Redaction Notes

This case study intentionally excludes:

  • raw forensic images
  • raw packet captures
  • memory dumps
  • private screenshots
  • complete raw logs
  • exact hashes
  • private user details
  • full academic submissions
  • full team report content
  • step-by-step evidence extraction details

The goal is to show investigation workflow, reasoning, and security communication without exposing raw evidence or sensitive academic materials.


Related Portfolio Areas

Security Operations

This capstone supports SOC-style work through triage, evidence review, timeline reconstruction, and escalation-oriented reporting.

SOC-Relevant

Digital Forensics

The project included forensic image review, endpoint artifact analysis, application history review, suspicious file review, and event log review.

Forensics

Incident Response

The project required identifying the compromise mechanism, the affected systems, the impact, and both immediate and long-term remediation steps.

Incident Response

ServiceNow SecOps

The workflow maps naturally to SecOps concepts such as incident triage, ownership, remediation tracking, documentation, and validation.

SecOps-Relevant


Next Steps

This capstone could later be expanded with:

  • a sanitized incident timeline diagram
  • a portfolio-safe IR lifecycle diagram
  • a detection-to-remediation workflow map
  • a ServiceNow Security Incident Response mapping concept
  • a lessons-learned table
  • a mock executive incident report template

For now, this page serves as the main portfolio-safe summary of my CYBER 440 cybersecurity capstone work.