InterviewStack.io LogoInterviewStack.io

Investigative Problem Solving Questions

Covers investigative approaches for complex or information constrained situations, such as incident response and forensic analysis. Topics include handling encrypted or partially corrupted data, dealing with fragmented or deleted artifacts, reconciling conflicting timelines, analyzing incomplete logs, performing multi location investigations, prioritizing limited leads, documenting assumptions, preserving chain of custody where relevant, and making defensible decisions under uncertainty. Candidates should demonstrate methodical evidence collection, hypothesis driven analysis, risk management, and clear explanation of trade offs and next steps.

EasyTechnical
31 practiced
You arrive at an incident where a Windows workstation is powered on and connected to the corporate network. Describe, step-by-step, how you would perform forensic acquisition of attached disk(s) while preserving evidence integrity. Include decisions and procedures for live acquisition versus powering down and offline imaging, tools you would use (e.g., FTK Imager, dd, live-collector tools), the role of write-blockers, network isolation, and how you'd document and verify the image.
HardTechnical
22 practiced
You encounter a LUKS2-encrypted laptop whose header was partially corrupted, but significant ciphertext remains. Describe technical strategies you would attempt to recover access: searching for header backups on the disk, locating keyslots, attempting header reconstruction, using known-plaintext or metadata analysis, and when to escalate to cryptographic specialists or accept that recovery is infeasible. Discuss the practical feasibility and forensic preservation steps.
EasyBehavioral
28 practiced
Describe how you document assumptions, limitations, and confidence levels in a forensic report when evidence is incomplete or ambiguous. Provide an example structure you would use to communicate uncertainty to legal teams (for example: facts, assumption statements, confidence rating, and recommended next steps), and explain how you update documentation when new evidence arrives.
HardSystem Design
29 practiced
Design a tamper-evident audit trail for a forensic analysis platform that records every action (ingest, image acquisition, analysis steps, artifact exports). Specify cryptographic choices (hashing algorithms, HSM-signed attestations), storage model (append-only, WORM, distributed ledger optional), metadata schema (actor, action, parent-hash, timestamp), access control, and the process to allow third parties to independently verify the audit trail during litigation.
MediumTechnical
27 practiced
A file on Host A has an NTFS MFT timestamp of 2022-03-10 03:15:00, but the web server log that references that file shows 2022-03-10 02:45:00. Describe how you would determine the correct timing, identify causes for the discrepancy (for example, timezones, NTP drift, daylight savings, manual clock changes), and reconcile the events so you can present an accurate timeline with documented confidence levels.

Unlock Full Question Bank

Get access to hundreds of Investigative Problem Solving interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.