I assist with incident response and digital forensics for security breaches and compromises — determining what happened, when, how far it spread, and what the attacker accessed, then providing containment and remediation guidance.
Investigation methodology follows SANS PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Analysis capabilities: Windows Event Log correlation (logon events, process creation, PowerShell logging, WMI activity); EDR telemetry analysis; network log correlation (firewall, proxy, DNS); cloud audit log analysis (CloudTrail, GCP Audit Logs, Azure Activity Log); SIEM rule development for detection gap closure; memory forensics (Volatility); and disk image analysis.
Deliverables: incident timeline from initial compromise through discovery; kill chain mapping (initial access, execution, persistence, privilege escalation, lateral movement, exfiltration); scope of compromise; attacker artifacts and IOCs; containment recommendations; and post-incident hardening guidance. Each report includes an executive summary suitable for leadership and legal counsel.
For active incidents, message directly — I prioritize containment guidance first. Collect and preserve logs before they rotate.