Incident Response and Digital Forensics
What the Exam Is Really Testing
A company discovers ransomware on a critical server. In a panic, an admin reboots the machine, wiping volatile memory that contained the encryption keys and the attacker's process artifacts. The forensic team arrives to find the evidence they needed most is gone. That is exactly the kind of mistake the exam builds questions around.
How you respond to an incident determines whether evidence is preserved, damage is contained, and the organization recovers — or whether chaos compounds the original attack.
You need to know the IR phases in order, understand when to contain versus when to investigate, and recognize how to handle digital evidence without destroying its legal value. The order matters, and the exam will test it repeatedly.
The Incident Response Process
The standard IR process follows a defined sequence. The exam tests both the phases and their order.
1. Preparation
Preparation happens before any incident occurs. It includes:
- Developing and testing the IR plan
- Forming the IR team with defined roles and responsibilities
- Establishing communication plans and escalation procedures
- Deploying monitoring and detection tools
- Conducting tabletop exercises and simulations
- Creating forensic toolkits and jump bags
- Establishing relationships with law enforcement and legal counsel
Preparation is the most important phase. Organizations that skip it respond to incidents with chaos instead of process.
2. Detection and Analysis
Identifying that an incident has occurred and understanding its scope:
- SIEM alerts, IDS/IPS notifications, user reports
- Determining whether the event is a true incident or false positive
- Classifying the incident type and severity
- Identifying affected systems and data
- Beginning documentation of the timeline
3. Containment
Stopping the incident from spreading while preserving evidence. Containment has two phases:
- Short-term containment — Immediate actions to limit damage (isolating affected systems, blocking malicious IPs, disabling compromised accounts)
- Long-term containment — Temporary fixes that allow business operations to continue while a permanent solution is developed (patching, re-imaging, rebuilding from clean backups)
Critical: evidence must be preserved during containment. Do not reboot, wipe, or rebuild systems before forensic imaging.
4. Eradication
Removing the root cause of the incident from the environment:
- Removing malware and backdoors
- Patching exploited vulnerabilities
- Resetting compromised credentials
- Rebuilding compromised systems from clean media
- Verifying that all instances of the threat are removed
5. Recovery
Returning affected systems to normal operations:
- Restoring from verified clean backups
- Reintroducing systems to the network in a controlled manner
- Monitoring recovered systems closely for signs of reinfection
- Validating that business processes function correctly
- Gradually lifting containment measures
6. Lessons Learned (Post-Incident Activity)
Analyzing the incident to improve future response:
- Conducting a formal post-incident review (within two weeks while memories are fresh)
- Documenting what happened, what went well, and what needs improvement
- Updating the IR plan based on findings
- Identifying detection gaps that allowed the incident
- Implementing preventive measures to avoid recurrence
IR Team Roles
- Incident commander — Leads the response, makes decisions, coordinates resources
- Security analysts — Investigate the incident, analyze evidence, identify indicators of compromise
- IT operations — Execute containment, eradication, and recovery actions on systems
- Legal counsel — Advises on regulatory obligations, evidence preservation, and law enforcement engagement
- Communications — Manages internal and external messaging, including customer notification if required
- Management — Approves response actions, authorizes resources, makes business decisions
Communication Plans
- Internal communication — Informing leadership, affected teams, and employees. Use secure channels (the attacker may be monitoring email).
- External communication — Notifying customers, partners, regulators, and media. Must be carefully coordinated with legal.
- Legal notification — Many regulations (GDPR, HIPAA, state breach laws) require notification within specific timeframes.
- Law enforcement — Engaging when criminal activity is suspected. Decision should involve legal counsel and management.
Digital Forensics
Chain of Custody
The chain of custody is a documented record of everyone who handled evidence, when they handled it, and what they did with it. It answers: who touched this evidence, and can we prove it was not altered?
- Must be maintained from the moment evidence is collected until it is presented in court
- Any gap or break in the chain can render evidence inadmissible
- Includes timestamps, handler names, purpose, and storage conditions
- Physical evidence must be stored in a locked, access-controlled environment
Order of Volatility
Forensic evidence must be collected in order from most volatile to least volatile. Data that disappears first must be captured first:
- CPU registers and cache — Lost immediately when the system is powered off
- RAM (system memory) — Contains running processes, encryption keys, network connections. Lost on reboot.
- Swap/page files — Virtual memory on disk. Overwritten during normal operation.
- Hard drive data — Persistent but can be overwritten by continued system use.
- Remote logging and monitoring data — Stored on other systems but may be rotated or overwritten.
- Physical configuration — Network topology, device placement. Relatively stable.
- Archival media — Backup tapes, offsite storage. Most persistent.
For the exam: always collect volatile evidence first. Capturing RAM before imaging the disk is the correct order.
Evidence Collection
- Forensic imaging — Creating a bit-for-bit copy of a drive. The image is analyzed; the original is preserved untouched.
- Write blockers — Hardware or software devices that prevent any writes to the original evidence media during imaging. Essential for preserving evidence integrity.
- Hashing for integrity — MD5 or SHA-256 hashes are calculated for the original evidence and the forensic image. If the hashes match, the copy is an exact duplicate and has not been modified.
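The two integrity controls above, as an added Python example that is not part of this study guide: chunked hashing of an original and its forensic image to confirm a bit-for-bit copy, plus a chain-of-custody log in which every entry commits to the hash of the entry before it, so a gap or alteration is detectable rather than merely suspected. The evidence bytes, handler names and timestamps are constructed.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16   # 64 KiB reads, so a multi-gigabyte image never has to fit in RAM
GENESIS = "0" * 64  # stands in for the "previous hash" of the first custody entry

def hash_stream(data, algorithm="sha256"):
    """Hash bytes or a file-like object incrementally. SHA-256 is the default;
    MD5 still appears in older tooling but is no longer collision-resistant."""
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_image(original, image):
    """Return (match, original_digest, image_digest); match means a bit-for-bit copy."""
    a, b = hash_stream(original), hash_stream(image)
    return a == b, a, b

class CustodyLog:
    """Append-only chain of custody: each entry commits to the previous entry's hash,
    so an altered, inserted or missing entry breaks the chain on verification."""
    def __init__(self):
        self.entries = []
    @staticmethod
    def _seal(when, handler, action, evidence, prev):
        return hashlib.sha256("|".join((when, handler, action, evidence, prev)).encode()).hexdigest()

    def record(self, handler, action, evidence_digest, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry_hash = self._seal(when, handler, action, evidence_digest, prev)
        self.entries.append({"when": when, "handler": handler, "action": action,
                             "evidence": evidence_digest, "prev": prev, "entry_hash": entry_hash})
        return entry_hash

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["entry_hash"] != self._seal(
                    e["when"], e["handler"], e["action"], e["evidence"], e["prev"]):
                return False
            prev = e["entry_hash"]
        return True

# Constructed stand-ins for an evidence drive and a faulty image with one byte changed.
ORIGINAL = b"\x00" * 4096 + b"ransom_note.txt"
BAD_IMAGE = ORIGINAL[:-1] + b"!"
```

A real workflow would hash the physical drive behind a write blocker and the image file separately, then record both digests in the custody log before the original is sealed away.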
Legal Hold and e-Discovery
- Legal hold — A directive to preserve all potentially relevant data when litigation is anticipated. Overrides normal data retention and deletion policies. Failure to comply can result in court sanctions.
- e-Discovery — The process of identifying, collecting, and producing electronically stored information (ESI) for legal proceedings. Security teams may be called to assist with data collection and preservation.
Pattern Recognition
When you see IR and forensics questions, look for these patterns:
- "What should you do FIRST after detecting an incident?" = Containment (after confirming it is real)
- "What should you do BEFORE rebuilding a compromised system?" = Forensic imaging
- "What is the FIRST evidence to collect?" = Most volatile (RAM, then disk)
- "How do you prove evidence was not altered?" = Hash comparison
- "What prevents evidence from being modified during collection?" = Write blocker
- "What phase prevents future incidents?" = Lessons learned
Trap Patterns
Watch for these distractors:
- "Immediately wipe and rebuild all affected systems" — This destroys evidence. Forensic imaging must happen before eradication.
- "Notify the media immediately" — External communication must be coordinated with legal. Premature disclosure can cause legal liability.
- "Skip to recovery to minimize downtime" — Skipping eradication means the attacker's tools remain. The incident will recur.
- "Preparation is optional if you have good detection tools" — Preparation is the foundation. Without it, every other phase is less effective.
Scenario Practice
Question 1
A security analyst discovers that a server has been compromised by ransomware. The server contains evidence of how the attacker gained access.
What should the analyst do BEFORE rebuilding the server?
A. Immediately restore from the most recent backup
B. Create a forensic image of the server's drives and capture RAM
C. Disconnect the server and notify all employees
D. Update the antivirus signatures and run a full scan
Answer & reasoning
Correct: B
Forensic imaging preserves evidence of the attack method, indicators of compromise, and the attacker's tools. This evidence is essential for understanding the attack, preventing recurrence, and potential legal proceedings.
Restoring from backup or rebuilding without imaging destroys evidence. Antivirus scanning may modify evidence. Disconnection may be appropriate for containment but does not preserve evidence.
Question 2
During a forensic investigation, an analyst needs to collect evidence from a running server. Memory, swap files, and hard drive data are all relevant.
In what order should evidence be collected?
A. Hard drive first, then swap files, then memory
B. Swap files first, then memory, then hard drive
C. Memory first, then swap files, then hard drive
D. Hard drive first, then memory, then swap files
Answer & reasoning
Correct: C
Evidence must be collected in order of volatility, from most volatile to least volatile. RAM (memory) is the most volatile and is lost on reboot. Swap files are next, stored on disk but overwritten during use. Hard drive data is the most persistent.
Collecting in any other order risks losing volatile evidence that cannot be recovered.
Question 3
After successfully containing and eradicating a security incident, the CISO asks the team to skip the lessons learned phase to save time and return to normal operations faster.
Why is this a problem?
A. It violates compliance requirements in all industries
B. It prevents the organization from improving its response and addressing the root cause
C. It invalidates the chain of custody for collected evidence
D. It causes the SIEM to stop correlating related events
Answer & reasoning
Correct: B
The lessons learned phase is where the organization identifies what went wrong, what went right, and how to improve. Skipping it means detection gaps go unaddressed, response procedures are not updated, and the same incident may recur.
While some compliance frameworks require post-incident reviews, the primary concern is operational improvement, not just compliance.
Key Takeaway
Here is what separates a passing answer from a wrong one on IR questions:
Incident response is a discipline, not an improvisation. Follow the process in order, preserve evidence before you fix anything, and always close the loop with lessons learned.
Every IR question hinges on where you are in the process. Figure out the phase first, then pick the action that fits. Never destroy evidence by acting too fast — image the drive before you rebuild. Collect volatile data (RAM) before stable data (disk). And if the question asks about proving evidence integrity, the answer involves hash values and chain of custody.