Finalize Incident Handler’s Journal – My Work

Overview

In this final exercise I reviewed and polished my four journal entries, added a reflective note on my learning journey, and completed the self-assessment. This ensures my incident handler’s journal is complete, consistent, and ready for my professional portfolio.

Scenario

Throughout the course, I captured investigation steps and tool exercises in my incident handler’s journal template. Now I’ve gone back through each entry to fill out every field (dates, entry numbers, full descriptions, the 5 W’s, and tools used) and added a reflections section.

My Journal Entries

Date: 2025-06-10
Entry: 1
Description: I documented a ransomware attack on a clinic, summarizing how patient records were encrypted and operations halted.
Tool(s) used: Incident handler’s journal template, security console logs
The 5 W’s
  • Who: Organized hacker group
  • What: Ransomware encrypting files
  • When: Tue 09:00 AM
  • Where: Clinic network drives
  • Why: To extort ransom
Additional notes: Emergency systems were offline; notified IT director and compliance team.

Date: 2025-06-12
Entry: 2
Description: I analyzed a packet capture with Wireshark, filtering HTTP and DNS traffic to identify client and server IPs.
Tool(s) used: Wireshark, BPF display filters
The 5 W’s
  • Who: Security analyst (me)
  • What: Packet inspection
  • When: Wed afternoon
  • Where: Testing VM
  • Why: To learn network filtering
Additional notes: Noted HTTP GETs to example.com; DNS TTL values examined.

Date: 2025-06-14
Entry: 3
Description: I captured live Linux traffic with tcpdump, filtered HTTP port 80 and DNS port 53, and saved the pcap for offline review.
Tool(s) used: tcpdump (live capture, read and write pcap)
The 5 W’s
  • Who: Linux VM user
  • What: tcpdump capture
  • When: Fri morning
  • Where: eth0 interface
  • Why: Practice CLI packet analysis
Additional notes: Used filters port 80 and udp port 53; saw expected DNS queries.

Date: 2025-06-16
Entry: 4
Description: I created, tested, and verified a custom Suricata rule to detect HTTP requests to example.com in a sample pcap.
Tool(s) used: Suricata, custom.rules, fast.log, eve.json
The 5 W’s
  • Who: Security analyst
  • What: Custom IDS rule
  • When: Mon afternoon
  • Where: Local test environment
  • Why: Learn rule creation
Additional notes: Rule sid:1000001 fired twice; confirmed in both log formats.
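As an added example (not part of the original journal entry), the following Python script performs the cross-check mentioned in the Entry 4 notes: it counts how many times a given sid appears in fast.log and in eve.json alert records and reports whether the two logs agree. The log lines, the rule message text, the second sid 1000002 and the IP addresses are constructed placeholders, not output from the author's environment.

```python
"""Cross-check how often one Suricata rule fired in fast.log and eve.json.
All log lines below are constructed for this example; the rule message,
the second sid and the IP addresses are placeholders, not real capture data.
"""
import json
import re
from collections import Counter

# fast.log writes the rule as [gid:sid:rev] between the first pair of [**] markers.
FAST_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Constructed fast.log: two alerts for sid 1000001 and one for placeholder sid 1000002.
FAST_LOG = """\
06/16/2025-14:03:21.102394  [**] [1:1000001:1] Custom HTTP to example.com [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:49152 -> 203.0.113.5:80
06/16/2025-14:03:22.551203  [**] [1:1000001:1] Custom HTTP to example.com [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:49153 -> 203.0.113.5:80
06/16/2025-14:03:25.004411  [**] [1:1000002:1] Placeholder rule [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:49154 -> 203.0.113.5:80
"""

# Constructed eve.json: the same two alerts plus an "http" event that must not be counted.
EVE_JSON = """\
{"timestamp":"2025-06-16T14:03:21.102394+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"Custom HTTP to example.com","severity":3},"http":{"hostname":"example.com","url":"/","http_method":"GET"}}
{"timestamp":"2025-06-16T14:03:22.551203+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"Custom HTTP to example.com","severity":3},"http":{"hostname":"example.com","url":"/index.html","http_method":"GET"}}
{"timestamp":"2025-06-16T14:03:22.600000+0000","event_type":"http","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/index.html","http_method":"GET"}}
"""

def count_fast_alerts(text):
    """Return a Counter of alerts per sid from fast.log text; lines that do not parse are skipped."""
    counts = Counter()
    for line in text.splitlines():
        match = FAST_RE.search(line)
        if match:
            counts[int(match.group(2))] += 1
    return counts

def count_eve_alerts(text):
    """Return a Counter of alerts per sid from eve.json, using only event_type "alert" records."""
    counts = Counter()
    for line in text.splitlines():
        record = json.loads(line)
        if record.get("event_type") == "alert":
            counts[record["alert"]["signature_id"]] += 1
    return counts

def verify_rule(sid, fast_text=FAST_LOG, eve_text=EVE_JSON):
    """Return (fast_count, eve_count, agree) so a mismatch between the two logs is visible."""
    fast_hits = count_fast_alerts(fast_text)[sid]
    eve_hits = count_eve_alerts(eve_text)[sid]
    return fast_hits, eve_hits, fast_hits == eve_hits
```

For the constructed data, verify_rule(1000001) returns (2, 2, True), while the placeholder sid 1000002 returns (1, 0, False) because it appears only in fast.log; a real mismatch like that usually points at a logging or parsing problem rather than at the rule.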

Reflection / Notes

Writing these entries helped me see how each tool fits into a real investigation. I found tcpdump’s simplicity very powerful for quick captures, while Wireshark’s GUI gave me deeper packet insights. Crafting Suricata rules reinforced how signatures map to alerts, and maintaining a structured journal keeps my process transparent and reproducible.

Conclusion

By fully updating each entry and adding my reflections, I’ve ensured my incident handler’s journal is complete, accurate, and ready to share as part of my cybersecurity portfolio.
