InterviewStack.io LogoInterviewStack.io

Network Forensics and Log Analysis Questions

In depth understanding of network forensic investigation and log analysis. Topics include packet capture and inspection, analysis of network flows, protocol analysis, identifying communication patterns and anomalies, detection of data exfiltration and lateral movement from traffic, parsing and correlating logs from routers, switches, firewalls, intrusion detection systems, and servers, timeline reconstruction using network artifacts, use of common tools for packet and log analysis, and techniques for correlating network evidence with host and application data to establish attacker behavior and sequence of events.

HardTechnical
65 practiced
A critical router rotates logs daily but an archiving process failed intermittently, leaving gaps of several hours on some days. You are asked to explain the impact on an ongoing investigation and develop a mitigation and evidence reconstruction plan suitable for legal review. Include immediate actions and longer-term controls.
HardSystem Design
62 practiced
Design a triage scoring model for a SOC that receives millions of IDS alerts daily. Specify which features you would include (for example asset criticality, anomaly score, threat-intel hits, historical context), how you would weight them, how to evaluate and tune the model using analyst feedback, and how to integrate it into an investigation workflow.
MediumTechnical
72 practiced
You have firewall logs from two branch offices and authentication server logs showing multiple failed logins for a privileged account. Describe how you would correlate these logs to investigate possible lateral movement via RDP, including key correlation fields, handling of NATed IPs, and steps to build a timeline that links network activity to user authentication events.
MediumTechnical
52 practiced
Explain how Zeek (formerly Bro) aids network forensic investigations. List the most useful Zeek logs for incident work (for example conn.log, dns.log, http.log, files.log) and outline a simple custom Zeek script idea to flag potential DNS tunneling activity.
EasyTechnical
56 practiced
Explain the goals of network forensics in an incident response context. In your answer, contrast full-packet capture (PCAP) with flow-based telemetry (NetFlow/IPFIX) in terms of data granularity, storage requirements, common use cases, retention trade-offs, and key limitations an examiner should consider.

Unlock Full Question Bank

Get access to hundreds of Network Forensics and Log Analysis interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.