Incident Response Forensics and Crisis Management Questions
Covers the full spectrum of preparing for, detecting, investigating, containing, and recovering from security and operational incidents, plus managing their business and regulatory impact. Candidates should understand the incident response lifecycle, including detection and monitoring, triage and prioritization, containment, eradication, recovery, and post-incident review. This includes forensic evidence preservation and analysis practices such as secure collection of logs and artifacts, tamper-proofing, chain of custody, immutable storage, timeline building, memory and disk examination fundamentals, and legal and regulatory considerations for evidence. It also covers designing infrastructure and tooling to enable rapid response at scale: logging and telemetry architecture, data retention policies, secure evidence storage, automated collection and alerting, integration with runbooks and response workflows, and readiness of teams and playbooks. Finally, it addresses crisis and stakeholder management skills: incident command and coordination across engineering, security, product, legal, customer support, and executive stakeholders; internal and external communications and status updates; customer and regulator notification procedures; postmortem and lessons-learned processes; tabletop exercises and drills; and leadership and decision making under pressure.
Hard / Technical
98 practiced
You have EDR alerts showing suspicious child processes, DNS logs with high NXDOMAIN rates, and proxy logs showing connections to rare external IPs. Design an artifact correlation strategy to identify likely C2 infrastructure and build a timeline: include the query logic you would use, enrichment steps (passive DNS, WHOIS, reputation), scoring or confidence model, and criteria for escalating to containment.
Medium / Technical
69 practiced
Describe a step-by-step approach to recover deleted files from an ext4 filesystem on a Linux server suspected of being compromised. Include relevant tools (e.g., debugfs, extundelete, photorec), filesystem behaviors affecting recovery (journaling, inode reuse, extents), and the trade-offs between doing a quick recovery versus exhaustive carving.
Easy / Behavioral
71 practiced
Tell me about a time when you had to prepare and present digital forensic findings to non-technical stakeholders (e.g., executives, legal counsel, or jurors). Use the STAR method: describe the situation, the task, the actions you took to prepare exhibits and the report, how you ensured chain of custody and clarity for non-technical audiences, and the outcome.
Medium / Technical
59 practiced
During a cloud incident you need to preserve ephemeral metadata quickly. Describe automation and manual steps to capture instance metadata (instance IDs, AMI/container digests), ephemeral storage snapshots, VPC flow metadata, security group configs, and any short-lived credentials. Include APIs to use, permissions required, snapshot timing considerations, and how to store metadata immutably.
Medium / Technical
62 practiced
Write a Python 3 script that accepts a directory path, computes SHA-256 hashes for all files with extensions .img or .dd in that directory (recursing into subdirectories), optionally reads a checksums file to verify expected hashes, and outputs a JSON report with filename, computed_hash, expected_hash (if provided), verification_status (match/mismatch/no-expected). The script should stream files in chunks to handle very large images and include basic exception handling.