Incident Response Forensics and Crisis Management Questions
Covers the full spectrum of preparing for, detecting, investigating, containing, and recovering from security and operational incidents, plus managing their business and regulatory impact. Candidates should understand the incident response lifecycle including detection and monitoring, triage and prioritization, containment, eradication, recovery, and post incident review. This includes forensic evidence preservation and analysis practices such as secure collection of logs and artifacts, tamper proofing, chain of custody, immutable storage, timeline building, memory and disk examination fundamentals, and legal and regulatory considerations for evidence. It also covers designing infrastructure and tooling to enable rapid response at scale: logging and telemetry architecture, data retention policies, secure evidence storage, automated collection and alerting, integration with runbooks and response workflows, and readiness of teams and playbooks. Finally, it addresses crisis and stakeholder management skills: incident command and coordination across engineering, security, product, legal, customer support and executive stakeholders, internal and external communications and status updates, customer and regulator notification procedures, postmortem and lessons learned processes, tabletop exercises and drills, and leadership and decision making under pressure.
HardTechnical
98 practiced
You have EDR alerts showing suspicious child processes, DNS logs with high NXDOMAIN rates, and proxy logs showing connections to rare external IPs. Design an artifact correlation strategy to identify likely C2 infrastructure and build a timeline: include the query logic you would use, enrichment steps (passive DNS, WHOIS, reputation), scoring or confidence model, and criteria for escalating to containment.
Sample Answer
**Approach (brief)** I would correlate EDR, DNS, and proxy artifacts to build a scored timeline of likely C2 activity, enrich indicators, then escalate if confidence and impact thresholds are met.**Query logic (examples)** - EDR: find child processes spawned by uncommon parents
sql
-- Splunk/SIEM pseudo
index=edr sourcetype=process_events parent_process IN ("winword.exe","explorer.exe") NOT process IN ("svchost.exe","cmd.exe")
| stats count by host user process parent_process cmdline _time
- DNS: high NXDOMAIN and rare domains
sql
index=dns response_code=NXDOMAIN OR rcode!=0
| stats count by query_name client_ip ttl _time
| where count > 50 OR distinct_client_count > 5
- Proxy: rare external IPs / low-reputation
sql
index=proxy dest_ip NOT IN (known_good_list) | stats count by dest_ip dest_port url _time
- Correlate:
sql
join host [search ...edr for host and _time within -30m..+30m] | join dest_ip [proxy search ...] | join query_name [dns search ...]
**Enrichment steps** - Passive DNS: historical A/AAAA/CNAME for domains; resolve timing of first-seen. - WHOIS: registrant, creation/expiration, privacy service use. - Reputation: VirusTotal, Threat Intelligence Feeds, ASN/Geo. - Network context: ASN revenue, hosting provider (bulletproof host? CDN?), abuse history. - Endpoint artifacts: scheduled tasks, service persistence, signed binaries, MFT timestamps.**Scoring / confidence model (sample weights)** - EDR behavioral indicators (child-of-suspicious parent, encoded cmdline): 30% - DNS signals (recently registered, high NXDOMAIN, rare TLD): 20% - Network signals (low reputation IP, unusual ASN, geolocation): 20% - Enrichment matches (VT malware, threat feed hits): 20% - Temporal correlation (same host/time across logs): 10% Score 0–100: >=75 escalate; 50–74 further investigation/containment prep; <50 monitor.**Timeline construction** - Anchor by earliest EDR execution timestamp, expand ±30–60 minutes to include DNS and proxy hits; chronologically list: process spawn → DNS query → network connection → persistence action. Include hashes, cmdlines, domain/IP, enrichment results.**Escalation to containment (criteria)** - Score >=75 AND one of: confirmed malware hash, active C2 beaconing (periodic callbacks), data exfil attempt, lateral movement. - Immediate containment if high-impact host (domain controller, sensitive data owner) even at score 50+. - Document chain-of-custody, capture memory image and network packet capture before isolation when possible.**Practical notes** - Automate query playbooks in SOAR; record evidence hashes and preserve timelines for forensic admissibility.
MediumTechnical
59 practiced
During a cloud incident you need to preserve ephemeral metadata quickly. Describe automation and manual steps to capture instance metadata (instance IDs, AMI/container digests), ephemeral storage snapshots, VPC flow metadata, security group configs, and any short-lived credentials. Include APIs to use, permissions required, snapshot timing considerations, and how to store metadata immutably.
Sample Answer
**Situation & goal (one line)** During a live cloud incident I must rapidly preserve ephemeral metadata and artifacts so they remain admissible and forensically useful.**Immediate manual steps (first 5–10 min)** - Record instance identifiers: instance ID, AZ, launch time, user/role, public IP. Use cloud console and CLI for quick capture. - Capture running processes/containers: docker ps / crictl ps and container image digests (docker inspect --format='{{.Image}}' CONTAINER). - Export short-lived credentials: grab environment variables, metadata service tokens (curl to instance metadata endpoint). Save to immutable store (see below).**Automation (preferred, scripted)** - Use cloud APIs: - EC2: DescribeInstances, DescribeImages, DescribeVolumes, CreateSnapshot, DescribeSnapshots. - IAM: GetRole, GetSessionToken, ListAccessKeys. - VPC: DescribeFlowLogs, DescribeNetworkAcls, DescribeSecurityGroups. - ECS/EKS: DescribeTasks, DescribeContainers, GetImageManifest (registry APIs). - Orchestration: run a signed Lambda/SSM document that queries metadata endpoints and calls CreateSnapshot with consistent tags and "noReboot" flags as appropriate.**Permissions required** - Read: ec2:Describe*, iam:Get*, ec2:DescribeSecurityGroups, ec2:DescribeVolumes, ec2:CreateTags, logs:CreateExportTask (if exporting flow logs). - Write: ec2:CreateSnapshot, s3:PutObject (immutable store), kms:Encrypt/Decrypt for envelope encryption.**Snapshot timing & consistency** - For volumes with OS activity: take filesystem freeze (fsfreeze) or coordinate a brief quiesce; otherwise use crash-consistent snapshot. Snapshot root then application volumes. Snapshot order: root first, then dependent volumes; record snapshot start/finish times and instance state.**VPC & flow metadata** - Pull VPC flow logs and network ACLs; if streaming to CloudWatch/S3, create export task immediately (logs:CreateExportTask) capturing timeframe. Also capture ENI attachments via DescribeNetworkInterfaces.**Immutability & chain of custody** - Store artifacts (JSON outputs, snapshots, images, creds) to WORM/immutable S3 bucket with Object Lock enabled and kms-encrypted. Record hashes (SHA256) and sign with HSM key. Log actions to tamper-evident audit (CloudTrail with multi-region, aggregated, and immutable logs).**Forensic notes & evidence bag** - Timestamp every action (UTC), record operator, commands, API responses, and chain-of-custody form. Preserve original instance (avoid powering down unless required) and prefer snapshots + forensic images for analysis.
MediumTechnical
75 practiced
Given multiple PCAP files collected from different network segments, describe a methodology to reconstruct lateral movement and identify potential command-and-control channels. Include initial triage steps, tools (Wireshark, Zeek/Bro, tshark), correlation techniques across captures, indicators to prioritize (DNS anomalies, beaconing, uncommon ports), and approaches to handle encrypted traffic.
Sample Answer
**Overview / approach**I would treat the PCAPs as pieces of a timeline puzzle: perform rapid triage per file, extract metadata and indicators, then correlate sessions across captures to reconstruct host-to-host chains and candidate C2 flows.**Initial triage (per PCAP)**- Validate integrity and chain-of-custody, note timestamps/timezones.- Produce summaries: tshark export of conversations, top talkers, protocol distribution, DNS queries, and HTTP hosts.- Tools: tshark (batch exports), Zeek for logs (conn, dns, http, tls, weird), Wireshark for deep dives.**Detailed analysis & correlation**- Run Zeek on each PCAP to generate structured logs; ingest into a central index (ELK, Splunk, or even CSV/SQLite).- Normalize timestamps (UTC) and correlate by IP, MAC, username (if Kerberos/SMB), and TCP/UDP tuples.- Reconstruct lateral movement by linking: - Initial access host → authentication events (SMB/NTLM/Kerberos) → RDP/SMB/PSExec sessions. - Use connection chains and session timestamps to order hops.**Indicators to prioritize**- DNS anomalies: NXDOMAIN spikes, rare domains, fast-flux, abnormal TTLs.- Beaconing: regular periodic connections (use autocorrelation on conn_start times).- Uncommon ports or high-entropy domains, long-lived TLS sessions to unusual IPs.- Suspicious protocols: SMB write after unusual authentication, WMI, RDP sessions initiated from atypical hosts.- Payload indicators: HTTP User-Agent anomalies, uncommon URI patterns.**Encrypted traffic handling**- Extract TLS metadata from Zeek (sni, JA3/JA3S fingerprints, certs) and cluster by JA3 to find C2 families.- Use TLS server certs, SNI, destination IPs and timing patterns to link sessions.- If enterprise keys available, attempt SSLKEYLOG or HTTPS decryption; otherwise use traffic patterns, sizes, and timing analysis (beacon detection) and DNS correlation.**Tools & techniques summary**- Zeek for scalable logs and notice framework, tshark for scripting, Wireshark for packet-level reconstruction, scripts (Python/pandas) for correlation and periodicity detection, Elastic/Splunk for search.- Document chain-of-custody, preserve original PCAPs, produce timeline and IOCs (IPs, domains, JA3s, user accounts) with confidence levels.
HardTechnical
72 practiced
Draft a detection and containment play for a fast-moving ransomware outbreak across a mixed environment of Windows servers, Linux hosts, and endpoints. Include detection signatures and telemetry sources, containment steps (network and host), backup verification and restoration sequencing, legal and regulatory notification triggers, and objective metrics that would inform the difficult decision whether to engage/pay ransom or not.
Sample Answer
**Situation & Objective (role frame)** As a Digital Forensic Examiner I’d draft a play that enables rapid detection, legally defensible containment, and evidence-preserving recovery while providing metrics to advise leadership on payment decisions.**Detection signatures & telemetry sources** - Signatures: rapid recursive file renames/extension changes (e.g., *.encrypt*), creation of ransom notes (README*.txt/.hta), mass shadow copy deletion commands, suspicious PowerShell with Invoke-Expression + base64, Systemd unit creation on Linux, unusual SMB/NetBIOS write patterns. - Telemetry: EDR process trees, Sysmon (process_create, file_delete, network_connect), Windows Defender ATP alerts, auditd/fanotify, Linux Auditd execve, SFTP/SSH logs, DHCP/DNS logs, NetFlow/IPFIX, firewall logs, SIEM correlation.**Containment (evidence-preserving)** - Network: segment affected VLANs, implement ACLs to block SMB (TCP 445), RDP, and known C2 IPs; deploy inline IDS signatures; throttle lateral authentication (Kerberos/NTLM) via conditional access. - Host: isolate affected endpoints in hypervisor or physical quarantine; do not power off forensic targets unless required—collect live memory, volatile artifacts, and full disk images using write-blockers; snapshot VMs where available.**Backup verification & restore sequencing** - Immediate: verify integrity of offline/immutable backups (hashes, air-gapped copies); snapshot chain consistency. - Sequencing: restore critical perimeter services first (AD, DNS) from pre-compromise backups to reestablish authentication; restore file shares in small batches to sacrificial test hosts; validate restored systems for indicators of compromise before reconnecting.**Legal/regulatory triggers** - PII/financial data exfiltration detected → notify DPO and trigger breach notification timelines (GDPR/sector rules). - Ransom demand with confirmed data theft → consult legal counsel and law enforcement (FBI/appropriate agency). Preserve chain-of-custody and avoid destructive changes.**Metrics to inform pay decision** - % of environment encrypted, number of unique backups available and their last good timestamp, confirmed data exfiltrated (yes/no & volume), time-to-recovery estimate vs. business-cost-per-hour, probability of clean restore (forensic validation), legal/insurance constraints, and precedent of decryptor availability for this variant.**Closing / Forensics priorities** - Preserve evidence (memory, logs, images), create timeline, identify initial access and IOCs, ensure restorations are validated, and provide leadership with quantified recovery & legal risk to support pay-or-not decision.
MediumTechnical
63 practiced
Explain the process of building a unified forensic timeline from disparate sources: system and application logs, EDR telemetry, filesystem metadata (MFT, MAC times), memory artifacts, and network captures. Discuss timestamp normalization, handling clock skew and timezone differences, methods for correlating events across multiple hosts, and tools or data formats you would use to manage timelines.
Sample Answer
**Answer (Digital Forensic Examiner perspective)****Overview / goal**Build a single, forensically-sound timeline in UTC that preserves source provenance, allows cross-host correlation, and documents uncertainty (clock skew/tz). I aim to reconstruct sequence of actions (user, system, network) and quantify confidence.**Timestamp normalization**- Convert every timestamp to UTC as ingest step; record original timezone and source.- Use reliable epoch formats (ISO 8601 with Z) and store as integer epoch ms for sorting.- Retain source-specific fields (e.g., Windows FILETIME, MFT entries, pcap packet ts) and parsing metadata.**Handling clock skew & timezone differences**- Identify authoritative references: NTP logs, domain controller Kerberos timestamps, AD replication, EDR heartbeat timestamps.- Estimate per-host skew by comparing events that should be simultaneous (e.g., syslog vs. Windows event for same login, DHCP lease times, captured packet times).- Apply per-host offset correction and record applied offset + confidence. If variable drift exists, use piecewise offsets anchored by synchronization events.- When uncertain, keep events with original ts and add an uncertainty window (± offset).**Correlating across hosts**- Use immutable identifiers: file hashes, process hashes, GUIDs, Kerberos ticket IDs, parent/child PIDs, MAC/IP addresses.- Correlate via network artifacts: pcap session tuples (src/dst IP:port, flow start/stop), HTTP user-agents, and EDR connection IDs.- Leverage filesystem metadata: MFT sequence numbers and USN journal to order file ops on a host when ts ambiguous.- Cross-validate using memory artifacts (volatile process lists, sockets) to confirm process existence at a given time.**Tools and data formats**- Parsing/ingest: Plaso/log2timeline for many formats; custom parsers for vendor EDR exports.- Storage/analysis: Timesketch (ELK backend) or Elasticsearch with Kibana for querying, visualization, and labeling.- For memory: Volatility/Volatility3, Rekall for artifacts; correlate dumped process addresses with executable hashes.- Network: Wireshark/tshark, Zeek for session logs; export Zeek conn/http logs into JSON/CSV.- Forensic suites: The Sleuth Kit/Autopsy, X-Ways for filesystem artifacts; preserve originals and hashes.- Use unified schema (JSON lines) containing: epoch_ms_utc, source, original_ts, host_id, offset_applied, confidence, artifact_type, details.**Practical workflow**1. Acquire images/captures, verify hashes, preserve chain-of-custody.2. Parse sources into canonical event records (UTC) and ingest to timeline store.3. Calculate per-host offsets using sync events; apply corrections and annotate.4. Run automated correlation rules (hash matches, network flows) and manual review for high-confidence sequences.5. Produce timeline visualizations and an evidence-backed narrative with uncertainty bounds.**Key practices**- Never discard original timestamps; always log transformations.- Quantify and document uncertainty from clock skew.- Use reproducible scripts and keep audit trail for legal defensibility.
Unlock Full Question Bank
Get access to hundreds of Incident Response Forensics and Crisis Management interview questions and detailed answers.