Multi Device and Cross Platform Investigation Questions
Covers forensic and incident response approaches when evidence spans multiple device types and computing platforms. Topics include identifying and acquiring relevant data from desktops and laptops running different operating systems, mobile devices, network equipment, servers, cloud storage and virtual environments, and Internet of Things devices; preserving chain of custody and applying appropriate acquisition methods for each platform; triage and prioritization when systems are interdependent; correlating artifacts and logs across disparate sources to build unified timelines; handling synchronization and timestamp discrepancies across time zones and clocks; understanding how compromise can propagate across infrastructure and how to map cross system attack paths; normalizing and enriching heterogeneous artifacts for analysis; and using tooling, automation, and collaboration practices to coordinate multi team investigations safely and efficiently.
HardTechnical
101 practiced
Given endpoint artifacts, firewall logs, cloud API logs, and container metadata, describe a practical method to map an attack path that demonstrates initial compromise, lateral movement, privilege escalation, and data exfiltration. Include data models, correlation techniques, timelines, and tools or visualizations you would use to represent the attack path to technical and non-technical stakeholders.
Sample Answer
**Approach overview**Start by treating artifacts as nodes in an evidence graph and reconstruct a timestamped chain-of-custody to prove chronology: initial access → persistence → lateral movement → privilege escalation → data staging → exfiltration. Use MITRE ATT&CK to label TTPs and support forensic assertions.**Data model**- Node types: Host, Container, IP, User, Process, File, API Call, Firewall Session, Cloud Event (IAM change, S3 access).- Edge types: process_spawned, network_connection, file_read/write, api_call, auth_success/fail, container_join.- Key attributes: timestamp (UTC), PID/PPID, container_id, image_hash, user_id, session_id, src/dst IP, cloud_request_id, file_hash.**Correlation techniques**- Primary keys: file hashes, container IDs, process lineage, cloud request IDs.- Temporal correlation: sliding windows + causal ordering using process start/stop times.- Identity correlation: map cloud principals to host users via session tokens or API keys.- Enrichment: DNS/Geo IP, threat intel for C2, MITRE tags.**Timeline & reconstruction**- Build ordered event stream per host/container; collapse benign noise via whitelists.- Create causal chains by following process_spawned + network_connection edges; mark confidence levels.- Use queryable graph DB (Neo4j/Arango) to run path-finding (shortest path, temporal path) and label with ATT&CK tactics.**Tools & workflows**- Ingest: Zeek/Suricata, Sysmon, Velociraptor, osquery, cloudtrail/CloudWatch, firewall logs, container runtimes.- Indexing/correlation: ELK or Splunk for raw search; ship structured events to a graph DB for path analysis.- Forensic validation: full-disk/container image acquisitions, VSS, timestomping checks, memory captures.- Analysis: Neo4j for graph queries, Jupyter/Pandas for timeline tables, Sigma rules for hunting.**Visualizations for stakeholders**- Technical: interactive directed graph (Neo4j Bloom/Cytoscape) with edge types and timestamps; expandable process lineage; IOC overlays.- Non-technical/exec: swimlane timeline showing stages (Initial Access → Exfil) with impact metrics (hosts affected, data volume), Sankey diagram for data flow, and a 1‑slide narrative mapping cause → detection gaps → remediation.- Reports: reproducible timeline + chain-of-custody appendix, hashes, queries used, and confidence scoring.**Outcome & evidentiary rigor**Document each link with source logs, timestamps, and hashes; preserve images and export graph queries. Use MITRE ATT&CK mappings to prioritize containment and remediation. This approach yields a defensible, visual, and queryable attack path reconstruction suitable for legal and IR audiences.
HardSystem Design
76 practiced
Design a secure, auditable enterprise evidence repository that supports immutable storage, tamper-evident manifests, multi-team access with least privilege, provable chain-of-custody, and integration with SIEM and case management workflows. Describe key cryptographic controls, access controls, audit mechanisms, and operational processes to prevent and detect tampering.
Sample Answer
**Clarify requirements & constraints**- Immutable, tamper-evident storage; provable chain-of-custody; multi-team least-privilege access; SIEM and case-management integration; legally defensible audit trail.**High-level design**- Evidence ingested via authenticated collectors → staging → notarization service → immutable store + manifest ledger → case-management/SIEM connectors.- Storage: WORM-backed object store (S3 Object Lock/GovCloud or on-prem WORM), encrypted at rest with KMS/HSM.**Cryptographic controls**- Per-object: SHA-256 content hash; store hash in signed manifest.- Manifest: Merkle tree of batch evidence; root signed by an HSM-held ECDSA key.- Timestamping: RFC 3161 TSA or blockchain anchoring for external non-repudiation.- Key management: HSM for signing keys, split knowledge for key rotation, audit of key usage.**Access controls**- RBAC + ABAC: roles (examiner, reviewer, legal, custodian). Attributes: case-id, clearance, need-to-know.- Authentication: SSO (SAML/OIDC) + MFA + device posture checks.- Separation of duties: ingestion, signing, and review are distinct roles with enforced approvals (2-person for release).**Audit & tamper detection**- Append-only audit log (immutable, replicated) with every action recorded and signed. Ship to SIEM via TLS syslog; alerts for anomalies (hash mismatch, unsigned writes, late timestamps).- Periodic integrity verification: scheduled jobs re-hash objects, verify Merkle roots and signatures; watchdog reports to SIEM and case management.- Chain-of-custody: every transfer/action records actor, timestamp, justification, signed manifest delta. Provide exportable, verifiable chain for court.**Operational processes**- Evidence intake SOP: secure acquisition checklist, collector signing, metadata capture.- Change control: no direct object deletion; retention/legal-hold managed via governance workflow.- Incident/tamper response: automatic quarantine, forensic copy to air-gapped store, investigation with signed timeline.- Regular audits & legal readiness: yearly 3rd-party cryptographic and process audits; maintain reproducible verification scripts for court.This design provides cryptographic immutability, provable custody, least-privilege access, and SIEM-integrated detection suitable for forensic and legal use.
HardTechnical
89 practiced
Propose a set of SIEM detection rules and enrichment pipelines to identify cross-platform lateral movement and data staging in a large enterprise. Include example correlation logic (for instance: sequence of failed authentication, successful authentication from new device, large file transfers to staging host), required enrichments (user context, asset criticality), and strategies to reduce false positives.
Sample Answer
**Situation / Goal**I propose SIEM detection rules and enrichment pipelines to detect cross-platform lateral movement and data staging, tuned for forensic readiness and evidentiary quality.**Core enrichments (required)**- User context: AD/IdP attributes, role, last password change, MFA status.- Asset context: asset owner, OS, domain membership, business-criticality, trust zone, EDR presence.- Network context: VLAN, subnet owner, historical flow baselines.- UEBA: historical login locations/devices, typical data egress patterns, anomalous process behavior.**Correlation rule examples (sequence logic)**- Rule A: Brute/credential check
sql
WHEN count(event_type='auth_fail' AND target_user=U AND src_ip in timeframe=10m) >= 5
AND next event for U: event_type='auth_success' FROM new_device=true WITHIN 15m
THEN alert "Suspicious credential use -> new device"
- Rule B: Lateral movement chain - Trigger: Remote execution (WMI/SMB/PSExec/ssh) FROM host A TO host B - AND host B registers new admin process spawn (powershell/ssh with encoded commands) - Correlate with earlier Rule A for same user or src_ip- Rule C: Data staging
sql
WHEN user U copies total_bytes >= 500MB TO host tagged='staging' WITHIN 1h
AND host tagged='staging' not usually used by U
THEN alert "Large file transfer to staging host"
**Enrichment pipeline actions**- Resolve user to AD attributes and recent MFA events.- Resolve host to criticality and last AV/EDR heartbeat.- Geo-IP + device fingerprinting to detect new devices.- Attach previous 24–72h baseline metrics (typical transfer volume, login times).**False-positive reduction strategies**- Whitelist service accounts and scheduled backup flows; use allowlists per asset owner.- Require cross-signal validation (auth + process + network transfer) before high-severity escalation.- Use adaptive thresholds: scale "large transfer" by role and historical behavior.- Apply decay windows and scoring: each signal adds risk points; only alert at threshold.- Feedback loop: triage outcomes feed supervised model to reduce recurrence.**Forensic considerations**- Ensure full event preservation (raw logs, sequence numbers, timestamps) and collect volatile artifacts (process memory, network captures) when rule elevates to incident for chain-of-custody.
MediumTechnical
93 practiced
You are responding to a mid-sized enterprise incident where 12 endpoints, two application servers, three mobile devices, and a production database server show suspicious indicators. Create a triage plan that lists which systems you will prioritize, what minimal artifacts you will collect first from each system, and how you will coordinate with IT and business leadership to limit downtime while preserving key evidence.
Sample Answer
**Prioritization (order & why)** 1. Production database server — single point of business impact and highest evidentiary value. 2. Two application servers — can show attacker pivoting and impact to service. 3. 12 endpoints (grouped by role/criticality) — likely initial access or lateral movement. 4. Three mobile devices — lower immediate business impact but may contain credentials, MFA tokens.**Minimal artifacts to collect first (volatile -> non‑volatile)** - Production DB server / App servers: memory dump, running processes, network connections (netstat/lsof), open DB sessions, database logs (binlogs/transaction logs), system event logs, process list, snapshot of disk metadata (hashes of critical files). If possible take application-level safe DB snapshot (consistent read-only) before full disk image. - Endpoints: memory capture, running processes, network connections, Windows Event Logs/Sysmon, prefetch, browser history, local user accounts, LNK/MFT entries, scheduled tasks. - Mobile devices: full file system logical dump (or physical if permitted), call/SMS logs, installed apps list, authentication tokens, system logs. For all: record system time, collect volatile network captures (span/tap) and preserve chain of custody and cryptographic hashes.**Coordination with IT & Business Leadership** - Immediately brief leadership with scope, impact, and proposed containment options (isolate host vs. network segmentation) and recommended downtime risk. - Ask IT to take non‑destructive actions: isolate affected hosts at switch/VLAN, enable packet capture, suspend suspicious accounts, but avoid reboots or disk writes. - Offer low‑impact alternatives to full outages: application read‑only mode, DB snapshot + failover to standby, or temporary load balancing to healthy instances. - Agree change control and communications plan (status cadence, executive summary, customer impact messaging).**Preservation & Legal Considerations** - Use write‑blockers or remote memory acquisition tools; document timestamps, commands, personnel. - Maintain chain of custody, generate SHA256 hashes, and log all actions. Engage legal/compliance before collecting data from user devices or cloud providers.**Outcome & Next steps** - After minimal triage, escalate to full forensic imaging of prioritized hosts, pivot analysis (IOC hunting), and remediation plan coordinated with IT to restore services with validated clean images.
HardTechnical
86 practiced
You discovered that attackers moved from a compromised mobile device into corporate servers and exfiltrated data. You must provide expert testimony summarizing a multi-device investigation. Draft an outline of your testimony focusing on chronology, methods, evidence chain, and limitations, explain how you would communicate technical details to a jury, and prepare responses to common cross-examination attacks on methodology and chain-of-custody.
Sample Answer
**Opening summary (one-paragraph)** - Brief statement of role, scope, devices examined, timeframe, and high-level finding: lateral movement from a compromised mobile device to servers with confirmed exfiltration.**Chronology (timeline)** - Timeline bullets with dates/times, events (initial compromise, beaconing, pivot, credential reuse, data staging, exfil), and evidentiary artifacts tied to each step (logs, timestamps, network captures, device images).**Methods & tools** - List forensic methods (forensic imaging, volatile memory capture, timeline reconstruction, log correlation, malware analysis, network packet analysis) and tools used (specify versions). Describe validation and repeatability steps.**Chain-of-custody & evidence handling** - Per-device custody table: collector, time, hash of image, storage location, access controls, audit logs. Explain preservation (write-blockers, hashes) and verification.**Evidence linking & interpretation** - Map artifacts that connect devices (e.g., same C2 IPs, reused credentials, matching malware hashes, shared timestamps). Distinguish direct vs. contextual links and confidence levels.**Limitations & alternative explanations** - Address clock skew, deleted/overwritten logs, attribution uncertainty, possible benign explanations; explain how mitigations reduce uncertainty.**Communicating to a jury** - Use plain analogies (digital fingerprints, copies vs. originals), visual timelines, simplified diagrams, avoid jargon, state certainty (evidence vs. opinion), invite questions.**Anticipated cross-examination points & responses** - Methodology attacked: explain industry-standard, tool validation, repeatable steps, peer-reviewed procedures. - Chain-of-custody challenged: present hashes, signed logs, access audit, explain reconciliation if gaps exist. - Attribution challenged: acknowledge limits, present multiple corroborating indicators, explain probability language. - Contamination/reconstruction claims: show original images, verification hashes, and test-retest results.**Conclusion** - Restate core finding, confidence level, and open availability of data, tools, and methods for independent verification.
Unlock Full Question Bank
Get access to hundreds of Multi Device and Cross Platform Investigation interview questions and detailed answers.