Digital Forensics & Incident Response
~60 minutes of structured interview prep, MCQs, and hands-on simulations covering forensic investigation, evidence handling, and NIST IR framework.
Learning Outcomes
- Perform digital forensic investigations following proper methodology
- Develop and implement incident response strategies using NIST framework
- Analyse and report on security incidents with correct evidence handling
Topics Covered
| # | Topic | Time | Type |
|---|---|---|---|
| 1 | Core Concepts (Forensics, IR, Chain of Custody) | 10 min | Reading |
| 2 | Interview Questions & Answers (20) | 20 min | Q&A |
| 3 | MCQ Quiz (25 questions) | 15 min | Quiz |
| 4 | IR Phase Sequencer Simulation | 4 min | Simulation |
| 5 | Order of Volatility Sorter | 4 min | Simulation |
| 6 | Incident Type Classifier | 4 min | Simulation |
| 7 | Forensic Tool Matcher | 3 min | Simulation |
DFIR Fundamentals
What is Digital Forensics?
Digital forensics is the practice of collecting, preserving, analysing, and presenting digital evidence in a legally admissible manner. It supports criminal investigations, civil litigation, and internal incident response. The key principle: preserve the original evidence and work only on verified copies.
NIST Incident Response Framework (SP 800-61)
Policies, tools, training, playbooks, SIEM setup
Identify, scope, classify severity, triage
Isolate, remove threat, restore operations
Lessons learned, report, improve controls
Order of Volatility (Most → Least Volatile)
| # | Source | Why Volatile? |
|---|---|---|
| 1 | CPU registers & cache | Lost the instant the system is powered off or rebooted |
| 2 | RAM / running processes | Cleared on shutdown; contains keys, passwords, active connections |
| 3 | Swap file / pagefile | Changes frequently; may contain RAM overflow data |
| 4 | Local disk (HDD/SSD) | Persistent but files can be overwritten; collect before any writes |
| 5 | Remote / network logs | May be overwritten by rotation policies |
| 6 | Archived backups | Least volatile; stable offsite copies |
Key Forensic Principles
- Chain of Custody: Document every person who handles evidence, when, and why. Any break can invalidate evidence in court.
- Forensic Image: Bit-for-bit copy of storage media. Verified with MD5/SHA-256 hash before and after. Never analyse the original.
- Write Blocker: Hardware device preventing any writes to the evidence drive during imaging.
- MACB Timestamps: Modified, Accessed, Changed (MFT metadata), Born (created). Critical for timeline reconstruction.
- Anti-Forensics: Techniques attackers use to hide evidence — file deletion, encryption, timestomping, log wiping, steganography.
Key Event Log IDs (Windows)
| Event ID | Meaning |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4634 | Account logoff |
| 4648 | Logon using explicit credentials (runas) |
| 4688 | New process created |
| 4698 | Scheduled task created |
| 4720 | User account created |
| 4732 | Member added to security-enabled local group |
| 7045 | New service installed |
Forensic & IR Tools
| Tool | Category | Purpose |
|---|---|---|
| Autopsy | Disk Forensics | Open-source GUI for disk/file analysis, file recovery, keyword search |
| FTK Imager | Imaging | Create forensic disk images; mount images for analysis |
| Volatility | Memory Forensics | Analyse RAM dumps; extract processes, network sockets, credentials |
| Wireshark | Network Forensics | Capture and analyse network packets (PCAP) |
| KAPE | Triage | Rapid collection of forensic artefacts (fast triage) |
| Velociraptor | Endpoint IR | Agent-based endpoint investigation and live response at scale |
| Sleuth Kit | Disk Forensics | Command-line file system analysis (underpins Autopsy) |
| YARA | Malware | Pattern-matching rules to identify malware families |
Interview Questions & Model Answers
Click any question to reveal the model answer. Easy Medium Hard
- It supports criminal investigations involving computers (fraud, cybercrime, child exploitation).
- It enables organisations to understand how a breach occurred and what was compromised.
- It provides legally defensible evidence for prosecution or civil action.
- It identifies attack vectors to prevent future incidents.
- Any gap or break in chain of custody can make evidence inadmissible in court.
- It proves the evidence was not tampered with after collection.
- It assigns accountability at every step of evidence handling.
- CPU registers & cache — lost immediately on power-off
- RAM / running processes — cleared on shutdown; contains encryption keys, active connections, running malware
- Swap/pagefile — virtual memory overflow from RAM
- Local disk (HDD/SSD) — persists but can be overwritten
- Remote/network logs — subject to log rotation policies
- Backups — most stable, least volatile
- Write blocker — hardware device that prevents any writes to the evidence drive during imaging.
- Imaging tools — dd (Linux), FTK Imager, EnCase, dcfldd
- Hash verification — MD5 or SHA-256 hash of original and copy must match, proving integrity.
- Preparation: Establish IR policy, form IR team, install monitoring tools (SIEM, EDR), create playbooks, conduct tabletop exercises.
- Detection & Analysis: Monitor for alerts, triage and classify incidents, determine scope, preserve evidence.
- Containment, Eradication & Recovery: Isolate affected systems, remove malware/backdoors, patch vulnerabilities, restore from clean backups.
- Post-Incident Activity: Document timeline, lessons learned meeting, update policies and playbooks, file reports.
- Containment: Stopping the spread of the incident without removing the threat. Goal: limit damage while preserving evidence. Actions: isolate network segment, block C2 IP, disable compromised account. Short-term containment (immediate isolation) vs long-term containment (temporary fixes to keep systems running).
- Eradication: Removing the root cause of the incident. Actions: delete malware, close vulnerability (patch), remove attacker persistence (backdoors, rogue accounts).
- Running processes (including hidden/injected processes)
- Network connections (active and recently closed)
- Encryption keys (BitLocker, TrueCrypt keys can be recovered from RAM)
- Passwords and credentials in clear text
- Command history and clipboard contents
- Loaded DLLs and code injection evidence
- Malware that uses fileless techniques (lives only in memory)
Volatility framework. Common plugins: pslist, netscan, cmdline, dlllist, malfind.Key plugins:
imageinfo— identifies OS version from memory imagepslist / pstree— lists running processesnetscan— shows network connectionscmdline— shows command line arguments of processesmalfind— detects code injection (common in malware)dumpfiles— extracts files from memoryhashdump— extracts password hashes from Windows registry hive
- M — Modified: When the file content was last changed.
- A — Accessed: When the file was last read/opened.
- C — Changed (MFT Entry): When the MFT (Master File Table) entry was last changed — includes permission changes, renames.
- B — Born (Created): When the file was first created.
- 4624 — Successful account logon (Logon Type matters: 2=interactive, 3=network, 10=remote interactive)
- 4625 — Failed logon (brute force detection)
- 4648 — Logon with explicit credentials (pass-the-hash, runas)
- 4672 — Special privileges assigned (admin logon)
- 4688 — New process created (command execution, malware launch)
- 4698/4702 — Scheduled task created/modified (persistence)
- 4720/4722 — User account created/enabled
- 4732 — Member added to local admin group (privilege escalation)
- 7045 — New service installed (malware persistence)
- 1102 — Audit log cleared (attacker covering tracks)
In IR, a SIEM:
- Detection: Correlation rules trigger alerts on suspicious patterns (e.g., multiple failed logins followed by success).
- Investigation: Centralised logs allow timeline reconstruction across all systems.
- Evidence: Provides tamper-evident log records for forensic analysis.
- Threat hunting: Analysts query logs to find indicators of compromise (IOCs).
- Detect: AV/EDR alert, user report, encrypted files with ransom note.
- Isolate immediately: Disconnect affected systems from network (unplugged or firewall isolation) to stop spread.
- Identify: Determine ransomware variant (upload sample to ID Ransomware, VirusTotal). Identify patient zero and initial attack vector.
- Preserve evidence: Take RAM dump and forensic image before remediation.
- Notify: Escalate to management, legal, PR. Notify law enforcement (FBI IC3, CERT-In). Check for data exfiltration (double extortion).
- Assess backups: Verify backups are clean and not encrypted. Test restore procedures.
- Eradicate: Rebuild compromised systems from known-good images. Do not decrypt and reuse potentially compromised systems.
- Recover: Restore from verified backups. Patch the initial entry point.
- Do NOT pay ransom — funds criminals and does not guarantee recovery.
Triage tools like KAPE (Kroll Artifact Parser and Extractor) collect targeted artefacts (browser history, event logs, prefetch files, registry hives, LNK files) in minutes.
Triage answers: Was this machine compromised? What did the attacker do? Do we need a full forensic image?
- File deletion: Deleting files (though sectors often recoverable until overwritten)
- Secure wiping: Overwriting data multiple times (Gutmann method) to make recovery infeasible
- Timestomping: Modifying file MACB timestamps to confuse timeline analysis
- Steganography: Hiding data within images, audio files
- Log wiping: Clearing Windows Event Logs (Event ID 1102), syslog truncation
- Encryption: Encrypting files so content is unreadable without key
- Fileless malware: Operating entirely in RAM, leaving no disk artefacts
- Rootkits: Hiding processes, files, network connections from the OS
- Live Forensics (Hot): Performed on a running, powered-on system. Captures volatile data (RAM, running processes, network connections). Risk: slight alteration of evidence by running tools on the system. Required when volatile evidence is critical (fileless malware) or system cannot be shut down.
- Dead-box Forensics (Cold): Performed on a powered-off system. Drive removed, imaged with write blocker. No volatile data available. Ideal for legal proceedings — evidence is not altered. More thorough disk analysis possible.
A good playbook includes:
- Detection criteria (what triggers this playbook)
- Initial triage steps
- Containment actions
- Evidence collection checklist
- Escalation contacts and thresholds
- Eradication and recovery steps
- Communication templates
- Post-incident reporting requirements
Examples:
- File-based: MD5/SHA hash of malware file, suspicious file paths (e.g.,
C:\Windows\Temp\svchost32.exe) - Network: Known malicious IP addresses, C2 domain names, unusual outbound ports
- Registry: Run keys with unusual entries (persistence)
- Log-based: Specific Event IDs (4688 with suspicious process name), large data transfers
- Behavioural: Processes making unusual network connections, high CPU from unknown process
Most important logs:
- Windows Event Logs: Security, System, Application, PowerShell, Windows Defender logs
- Firewall logs: Traffic allowed/denied, unusual outbound connections
- Web server logs (IIS/Apache): URL requests, error codes (403/500), SQL injection attempts
- DNS logs: Domain queries — detect C2 beaconing, DNS tunnelling
- Authentication logs: AD/LDAP, VPN, SSO login events
- Proxy/WAF logs: HTTP traffic, data exfiltration via HTTP POST
- Event: Any observable occurrence in a system or network — benign or malicious. Example: a user logging in, a file being opened, a firewall allowing traffic. Every action generates events.
- Alert: An event (or correlation of events) that has been flagged as potentially suspicious by a monitoring system (SIEM, IDS). Alerts require investigation — they may be true or false positives.
- Incident: A confirmed adverse security event that violates security policies, threatens confidentiality, integrity, or availability, and requires a formal IR response. Not every alert becomes an incident.
- Direct costs: IR team hours, forensic tools/consultants, legal fees, regulatory fines, ransom payments, data recovery costs.
- Business disruption: Downtime × revenue per hour, lost productivity, SLA penalties.
- Remediation: Rebuilding systems, patching, new security tool licensing.
- Reputational: Customer churn, stock price impact, brand damage (harder to quantify).
- Notification: Breach notification costs (mailing, call centre, credit monitoring for affected parties).
Total Cost = Direct Costs + Downtime Cost + Remediation + Legal/Regulatory + ReputationalMultiple Choice Questions
Select an answer then click Check. Explanations shown after each submission.
IR Phase Sequencer
The 4 NIST IR phases are shown below in a scrambled order. Click a phase to select it (highlighted in blue), then click another to swap positions. Get them in the correct order.
Order of Volatility Sorter
Drag the evidence sources and drop them into order from most volatile (top) to least volatile (bottom).
Evidence Sources (drag from here):
Your Order (most → least volatile):
Incident Type Classifier
Read each scenario and classify it using the dropdown.
Forensic Tool Matcher
Match each tool to its primary purpose using the dropdown.
Module Complete!
You've completed Digital Forensics & Incident Response.