Covers investigative approaches for complex or information constrained situations, such as incident response and forensic analysis. Topics include handling encrypted or partially corrupted data, dealing with fragmented or deleted artifacts, reconciling conflicting timelines, analyzing incomplete logs, performing multi location investigations, prioritizing limited leads, documenting assumptions, preserving chain of custody where relevant, and making defensible decisions under uncertainty. Candidates should demonstrate methodical evidence collection, hypothesis driven analysis, risk management, and clear explanation of trade offs and next steps.
MediumTechnical
27 practiced
A file on Host A has an NTFS MFT timestamp of 2022-03-10 03:15:00, but the web server log that references that file shows 2022-03-10 02:45:00. Describe how you would determine the correct timing, identify causes for the discrepancy (for example, timezones, NTP drift, daylight savings, manual clock changes), and reconcile the events so you can present an accurate timeline with documented confidence levels.
HardSystem Design
25 practiced
Design a forensic readiness program for a global enterprise. Define logging and retention policies, endpoint and network configurations to ensure useful artifact availability, secure centralized log collection and immutable storage, chain-of-custody automation, roles and responsibilities, privacy considerations, and a phased rollout plan. Include measurable KPIs to track readiness and cost-control considerations.
HardTechnical
28 practiced
You are investigating a multi-stage breach: a phishing email led to credential theft on a user workstation, credentials used for privileged access on servers, lateral movement to DB servers, staging of files to cloud storage, and intermittent log deletions across victims. Describe a hypothesis-driven investigative plan to validate each stage, reconstruct a unified timeline across host, network, and cloud artifacts, identify gaps in visibility, and list immediate containment and remediation recommendations. Specify which artifacts you would collect and how to corroborate stages with limited logs.
EasyTechnical
31 practiced
You arrive at an incident where a Windows workstation is powered on and connected to the corporate network. Describe, step-by-step, how you would perform forensic acquisition of attached disk(s) while preserving evidence integrity. Include decisions and procedures for live acquisition versus powering down and offline imaging, tools you would use (e.g., FTK Imager, dd, live-collector tools), the role of write-blockers, network isolation, and how you'd document and verify the image.
HardTechnical
26 practiced
Create a defensible decision framework to guide choices when balancing forensic evidence integrity against operational pressure to restore systems. Define criteria (evidence volatility, asset criticality, regulatory/legal obligations, recovery timeliness), scoring or thresholds for escalation, roles/responsibilities, required documentation and sign-offs, and example actions at low/medium/high risk levels. Explain how you would operationalize this framework in a SOC/IR process.
Unlock Full Question Bank
Get access to hundreds of Investigative Problem Solving interview questions and detailed answers.
