← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 06 · Cyberspace Tech Solutions Cybersecurity Curriculum

Digital Forensics & Incident Response

~60 minutes of structured interview prep, MCQs, and hands-on simulations covering forensic investigation, evidence handling, and NIST IR framework.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Perform digital forensic investigations following proper methodology
  • Develop and implement incident response strategies using NIST framework
  • Analyse and report on security incidents with correct evidence handling

Topics Covered

#TopicTimeType
1Core Concepts (Forensics, IR, Chain of Custody)10 minReading
2Interview Questions & Answers (20)20 minQ&A
3MCQ Quiz (25 questions)15 minQuiz
4IR Phase Sequencer Simulation4 minSimulation
5Order of Volatility Sorter4 minSimulation
6Incident Type Classifier4 minSimulation
7Forensic Tool Matcher3 minSimulation
💡 Tip: DFIR is one of the highest-demand cybersecurity specialisations. Interviewers focus heavily on the NIST IR framework, order of volatility, and chain of custody. Know these cold.
Core Concepts · ~10 min

DFIR Fundamentals

What is Digital Forensics?

Digital forensics is the practice of collecting, preserving, analysing, and presenting digital evidence in a legally admissible manner. It supports criminal investigations, civil litigation, and internal incident response. The key principle: preserve the original evidence and work only on verified copies.

NIST Incident Response Framework (SP 800-61)

🛡️
1. Preparation

Policies, tools, training, playbooks, SIEM setup

🔍
2. Detection & Analysis

Identify, scope, classify severity, triage

🔒
3. Containment/Eradication/Recovery

Isolate, remove threat, restore operations

📋
4. Post-Incident Activity

Lessons learned, report, improve controls

Order of Volatility (Most → Least Volatile)

#SourceWhy Volatile?
1CPU registers & cacheLost the instant the system is powered off or rebooted
2RAM / running processesCleared on shutdown; contains keys, passwords, active connections
3Swap file / pagefileChanges frequently; may contain RAM overflow data
4Local disk (HDD/SSD)Persistent but files can be overwritten; collect before any writes
5Remote / network logsMay be overwritten by rotation policies
6Archived backupsLeast volatile; stable offsite copies

Key Forensic Principles

  • Chain of Custody: Document every person who handles evidence, when, and why. Any break can invalidate evidence in court.
  • Forensic Image: Bit-for-bit copy of storage media. Verified with MD5/SHA-256 hash before and after. Never analyse the original.
  • Write Blocker: Hardware device preventing any writes to the evidence drive during imaging.
  • MACB Timestamps: Modified, Accessed, Changed (MFT metadata), Born (created). Critical for timeline reconstruction.
  • Anti-Forensics: Techniques attackers use to hide evidence — file deletion, encryption, timestomping, log wiping, steganography.

Key Event Log IDs (Windows)

Event IDMeaning
4624Successful logon
4625Failed logon
4634Account logoff
4648Logon using explicit credentials (runas)
4688New process created
4698Scheduled task created
4720User account created
4732Member added to security-enabled local group
7045New service installed

Forensic & IR Tools

ToolCategoryPurpose
AutopsyDisk ForensicsOpen-source GUI for disk/file analysis, file recovery, keyword search
FTK ImagerImagingCreate forensic disk images; mount images for analysis
VolatilityMemory ForensicsAnalyse RAM dumps; extract processes, network sockets, credentials
WiresharkNetwork ForensicsCapture and analyse network packets (PCAP)
KAPETriageRapid collection of forensic artefacts (fast triage)
VelociraptorEndpoint IRAgent-based endpoint investigation and live response at scale
Sleuth KitDisk ForensicsCommand-line file system analysis (underpins Autopsy)
YARAMalwarePattern-matching rules to identify malware families
🎯 Interview Angle: Be ready to walk through a complete incident response scenario step-by-step. Know NIST phases, what evidence to collect first (order of volatility), and how chain of custody works.
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer. Easy Medium Hard

1What is digital forensics and why is it important?Easy
Digital forensics is the process of identifying, collecting, preserving, analysing, and presenting digital evidence in a legally admissible manner. It is important because:
  • It supports criminal investigations involving computers (fraud, cybercrime, child exploitation).
  • It enables organisations to understand how a breach occurred and what was compromised.
  • It provides legally defensible evidence for prosecution or civil action.
  • It identifies attack vectors to prevent future incidents.
💡 Always emphasise "legally admissible" — digital forensics is meaningless if the evidence is inadmissible due to poor handling.
2What is chain of custody and why does it matter?Easy
Chain of custody is a chronological, documented record of who had possession of evidence, when, and for what purpose — from collection to court presentation. It matters because:
  • Any gap or break in chain of custody can make evidence inadmissible in court.
  • It proves the evidence was not tampered with after collection.
  • It assigns accountability at every step of evidence handling.
Documentation includes: description of evidence, date/time collected, who collected it, where stored, every transfer of custody with signatures.
💡 Even for internal IR (no prosecution), maintain chain of custody — the situation may escalate to legal proceedings later.
3Explain the order of volatility in digital forensics.Medium
Order of volatility defines the sequence in which digital evidence should be collected, from most volatile (lost first) to least volatile (persists longest):
  1. CPU registers & cache — lost immediately on power-off
  2. RAM / running processes — cleared on shutdown; contains encryption keys, active connections, running malware
  3. Swap/pagefile — virtual memory overflow from RAM
  4. Local disk (HDD/SSD) — persists but can be overwritten
  5. Remote/network logs — subject to log rotation policies
  6. Backups — most stable, least volatile
💡 Memory (RAM) forensics is crucial in modern investigations — attackers use fileless malware that exists only in RAM, leaving no disk traces.
4What is a forensic image and how is it created?Medium
A forensic image is an exact bit-for-bit copy of a storage medium including all data, deleted files, slack space, and unallocated space. It is created using:
  • Write blocker — hardware device that prevents any writes to the evidence drive during imaging.
  • Imaging tools — dd (Linux), FTK Imager, EnCase, dcfldd
  • Hash verification — MD5 or SHA-256 hash of original and copy must match, proving integrity.
Process: Connect write blocker → attach evidence drive → create image to separate media → hash both → document. Never work on the original; always analyse the image.
💡 Interview question: "Why do we hash a forensic image?" → To prove the copy is identical to the original and has not been modified during analysis.
5What are the 4 phases of the NIST Incident Response framework?Easy
  1. Preparation: Establish IR policy, form IR team, install monitoring tools (SIEM, EDR), create playbooks, conduct tabletop exercises.
  2. Detection & Analysis: Monitor for alerts, triage and classify incidents, determine scope, preserve evidence.
  3. Containment, Eradication & Recovery: Isolate affected systems, remove malware/backdoors, patch vulnerabilities, restore from clean backups.
  4. Post-Incident Activity: Document timeline, lessons learned meeting, update policies and playbooks, file reports.
💡 Remember: NIST IR is SP 800-61. SANS uses a slightly different 6-phase model: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned (PICERL).
6What is the difference between containment and eradication in IR?Medium
  • Containment: Stopping the spread of the incident without removing the threat. Goal: limit damage while preserving evidence. Actions: isolate network segment, block C2 IP, disable compromised account. Short-term containment (immediate isolation) vs long-term containment (temporary fixes to keep systems running).
  • Eradication: Removing the root cause of the incident. Actions: delete malware, close vulnerability (patch), remove attacker persistence (backdoors, rogue accounts).
Containment comes FIRST — eradication before containment can alert the attacker and cause them to destroy evidence.
💡 Recovery = restoring and validating systems to normal operation after eradication. It comes after eradication, not before.
7What is memory forensics and what can you extract from RAM?Hard
Memory forensics is the analysis of a computer's RAM (volatile memory) to investigate running processes, network activity, and artefacts that exist only in memory. From a RAM dump you can extract:
  • Running processes (including hidden/injected processes)
  • Network connections (active and recently closed)
  • Encryption keys (BitLocker, TrueCrypt keys can be recovered from RAM)
  • Passwords and credentials in clear text
  • Command history and clipboard contents
  • Loaded DLLs and code injection evidence
  • Malware that uses fileless techniques (lives only in memory)
Primary tool: Volatility framework. Common plugins: pslist, netscan, cmdline, dlllist, malfind.
8What is the Volatility framework?Medium
Volatility is an open-source, Python-based memory forensics framework used to analyse RAM dumps (memory images). It supports Windows, Linux, and macOS memory images.

Key plugins:
  • imageinfo — identifies OS version from memory image
  • pslist / pstree — lists running processes
  • netscan — shows network connections
  • cmdline — shows command line arguments of processes
  • malfind — detects code injection (common in malware)
  • dumpfiles — extracts files from memory
  • hashdump — extracts password hashes from Windows registry hive
💡 Fileless malware (PowerShell-based, living-off-the-land) can only be detected through memory forensics — there is no file on disk to find.
9What are MACB timestamps in file system forensics?Medium
MACB timestamps are four metadata timestamps associated with files in NTFS (Windows) file systems, critical for building attack timelines:
  • M — Modified: When the file content was last changed.
  • A — Accessed: When the file was last read/opened.
  • C — Changed (MFT Entry): When the MFT (Master File Table) entry was last changed — includes permission changes, renames.
  • B — Born (Created): When the file was first created.
Attackers use timestomping to modify timestamps and disguise when malware was placed. Analysts cross-reference $MFT timestamps with $LogFile and $UsnJrnl to detect timestomping.
💡 A file with a "Born" timestamp before the OS installation date is a major red flag — it suggests timestamp manipulation.
10What Windows Event Log IDs are important for forensic investigation?Hard
Key Windows Event IDs:
  • 4624 — Successful account logon (Logon Type matters: 2=interactive, 3=network, 10=remote interactive)
  • 4625 — Failed logon (brute force detection)
  • 4648 — Logon with explicit credentials (pass-the-hash, runas)
  • 4672 — Special privileges assigned (admin logon)
  • 4688 — New process created (command execution, malware launch)
  • 4698/4702 — Scheduled task created/modified (persistence)
  • 4720/4722 — User account created/enabled
  • 4732 — Member added to local admin group (privilege escalation)
  • 7045 — New service installed (malware persistence)
  • 1102 — Audit log cleared (attacker covering tracks)
11What is a SIEM and how does it support incident response?Easy
A SIEM (Security Information and Event Management) system collects, aggregates, and correlates log data from across the environment (endpoints, firewalls, servers, applications) to detect threats and support investigations.

In IR, a SIEM:
  • Detection: Correlation rules trigger alerts on suspicious patterns (e.g., multiple failed logins followed by success).
  • Investigation: Centralised logs allow timeline reconstruction across all systems.
  • Evidence: Provides tamper-evident log records for forensic analysis.
  • Threat hunting: Analysts query logs to find indicators of compromise (IOCs).
Popular SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, Chronicle.
💡 SIEM + SOAR (Security Orchestration, Automation, Response) = automated playbook execution when alerts fire.
12How do you handle ransomware as an incident responder?Hard
  1. Detect: AV/EDR alert, user report, encrypted files with ransom note.
  2. Isolate immediately: Disconnect affected systems from network (unplugged or firewall isolation) to stop spread.
  3. Identify: Determine ransomware variant (upload sample to ID Ransomware, VirusTotal). Identify patient zero and initial attack vector.
  4. Preserve evidence: Take RAM dump and forensic image before remediation.
  5. Notify: Escalate to management, legal, PR. Notify law enforcement (FBI IC3, CERT-In). Check for data exfiltration (double extortion).
  6. Assess backups: Verify backups are clean and not encrypted. Test restore procedures.
  7. Eradicate: Rebuild compromised systems from known-good images. Do not decrypt and reuse potentially compromised systems.
  8. Recover: Restore from verified backups. Patch the initial entry point.
  9. Do NOT pay ransom — funds criminals and does not guarantee recovery.
13What is triage in digital forensics?Medium
Triage in digital forensics is the rapid, prioritised collection of the most relevant evidence from a system to answer immediate investigative questions — without performing a full forensic examination. It is used when time, resources, or scale prevents full forensic imaging of every system.

Triage tools like KAPE (Kroll Artifact Parser and Extractor) collect targeted artefacts (browser history, event logs, prefetch files, registry hives, LNK files) in minutes.

Triage answers: Was this machine compromised? What did the attacker do? Do we need a full forensic image?
💡 In an enterprise breach affecting 500 endpoints, triage lets you quickly identify which 5 machines need full forensic examination.
14What is anti-forensics? Give examples.Hard
Anti-forensics refers to techniques used by attackers to destroy, hide, or obscure digital evidence to hinder forensic investigation:
  • File deletion: Deleting files (though sectors often recoverable until overwritten)
  • Secure wiping: Overwriting data multiple times (Gutmann method) to make recovery infeasible
  • Timestomping: Modifying file MACB timestamps to confuse timeline analysis
  • Steganography: Hiding data within images, audio files
  • Log wiping: Clearing Windows Event Logs (Event ID 1102), syslog truncation
  • Encryption: Encrypting files so content is unreadable without key
  • Fileless malware: Operating entirely in RAM, leaving no disk artefacts
  • Rootkits: Hiding processes, files, network connections from the OS
15What is the difference between live forensics and dead-box forensics?Medium
  • Live Forensics (Hot): Performed on a running, powered-on system. Captures volatile data (RAM, running processes, network connections). Risk: slight alteration of evidence by running tools on the system. Required when volatile evidence is critical (fileless malware) or system cannot be shut down.
  • Dead-box Forensics (Cold): Performed on a powered-off system. Drive removed, imaged with write blocker. No volatile data available. Ideal for legal proceedings — evidence is not altered. More thorough disk analysis possible.
💡 Modern best practice: perform live forensics FIRST (capture RAM), then power off for dead-box disk imaging. You get both volatile and persistent evidence.
16What is a runbook/playbook in incident response?Easy
A playbook (or runbook) is a documented, step-by-step procedure for responding to a specific type of security incident. It ensures consistent, repeatable responses regardless of who is on-call.

A good playbook includes:
  • Detection criteria (what triggers this playbook)
  • Initial triage steps
  • Containment actions
  • Evidence collection checklist
  • Escalation contacts and thresholds
  • Eradication and recovery steps
  • Communication templates
  • Post-incident reporting requirements
Examples: Ransomware Playbook, Phishing Playbook, Data Breach Playbook.
💡 In a 3am incident, you don't want responders guessing next steps. A playbook is a decision support tool under pressure.
17What is an IOC (Indicator of Compromise)? Give examples.Medium
An IOC is a piece of forensic evidence that indicates a system has been compromised or attacked. IOCs are used to detect infections and search for related compromises across the environment.

Examples:
  • File-based: MD5/SHA hash of malware file, suspicious file paths (e.g., C:\Windows\Temp\svchost32.exe)
  • Network: Known malicious IP addresses, C2 domain names, unusual outbound ports
  • Registry: Run keys with unusual entries (persistence)
  • Log-based: Specific Event IDs (4688 with suspicious process name), large data transfers
  • Behavioural: Processes making unusual network connections, high CPU from unknown process
IOC sharing platforms: MISP, OpenIOC, STIX/TAXII, VirusTotal.
💡 IOC vs IOA: IOC = what already happened (reactive). IOA = Indicator of Attack = behaviour patterns indicating an attack in progress (proactive).
18What is log analysis and which logs are most important?Medium
Log analysis is the process of examining audit trail records to detect security events, reconstruct attack timelines, and identify compromised systems.

Most important logs:
  • Windows Event Logs: Security, System, Application, PowerShell, Windows Defender logs
  • Firewall logs: Traffic allowed/denied, unusual outbound connections
  • Web server logs (IIS/Apache): URL requests, error codes (403/500), SQL injection attempts
  • DNS logs: Domain queries — detect C2 beaconing, DNS tunnelling
  • Authentication logs: AD/LDAP, VPN, SSO login events
  • Proxy/WAF logs: HTTP traffic, data exfiltration via HTTP POST
19What is the difference between an incident, an event, and an alert?Easy
  • Event: Any observable occurrence in a system or network — benign or malicious. Example: a user logging in, a file being opened, a firewall allowing traffic. Every action generates events.
  • Alert: An event (or correlation of events) that has been flagged as potentially suspicious by a monitoring system (SIEM, IDS). Alerts require investigation — they may be true or false positives.
  • Incident: A confirmed adverse security event that violates security policies, threatens confidentiality, integrity, or availability, and requires a formal IR response. Not every alert becomes an incident.
💡 Scale: Millions of events → thousands of alerts → tens of incidents. The SOC analyst's job is to triage alerts and determine which become incidents.
20How do you calculate the cost/impact of a security incident?Hard
Incident cost calculation (used in post-incident reports and risk assessments):
  • Direct costs: IR team hours, forensic tools/consultants, legal fees, regulatory fines, ransom payments, data recovery costs.
  • Business disruption: Downtime × revenue per hour, lost productivity, SLA penalties.
  • Remediation: Rebuilding systems, patching, new security tool licensing.
  • Reputational: Customer churn, stock price impact, brand damage (harder to quantify).
  • Notification: Breach notification costs (mailing, call centre, credit monitoring for affected parties).
Formula: Total Cost = Direct Costs + Downtime Cost + Remediation + Legal/Regulatory + Reputational
💡 IBM/Ponemon 2024: Average data breach cost = $4.88M globally. Healthcare breaches average $9.77M — highest of any sector.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after each submission.

Progress:
0 / 25
Simulation 1 · ~4 min

IR Phase Sequencer

The 4 NIST IR phases are shown below in a scrambled order. Click a phase to select it (highlighted in blue), then click another to swap positions. Get them in the correct order.

Simulation 2 · ~4 min

Order of Volatility Sorter

Drag the evidence sources and drop them into order from most volatile (top) to least volatile (bottom).

Evidence Sources (drag from here):

Your Order (most → least volatile):

Simulation 3 · ~4 min

Incident Type Classifier

Read each scenario and classify it using the dropdown.

Simulation 4 · ~3 min

Forensic Tool Matcher

Match each tool to its primary purpose using the dropdown.

🎉

Module Complete!

You've completed Digital Forensics & Incident Response.