Walk me through the digital forensics and incident response process.
Short answer
DFIR follows a disciplined process: identification (confirm and scope the incident), acquisition (preserve evidence following order of volatility, with forensic images and hashes), analysis (timeline, root cause, scope of compromise), and reporting (findings for technical and legal audiences). Chain of custody documents who handled each artifact and when, so the evidence holds up if it ever reaches court. Preserve before you remediate.
DFIR is where investigation discipline meets time pressure. Interviewers ask about the process to see whether you can move fast without destroying the very evidence you'll need to understand the attack — and possibly defend in court.
The process
- Identification. Confirm an incident is real (triage out false positives), then scope it: which systems, accounts, and data are affected? You cannot acquire or contain what you haven't scoped.
- Acquisition. Preserve evidence in a forensically sound way. Follow the order of volatility — capture the most ephemeral data first: CPU registers and cache, then RAM and running processes, then network state, then disk, then archival media. Take forensic images, compute cryptographic hashes at collection, and work from copies, never the original.
- Analysis. Reconstruct what happened: build a timeline, find the root cause and initial access, identify attacker TTPs and IOCs, and determine the full scope of compromise — what was accessed or exfiltrated. This drives both eradication and breach-notification decisions.
- Reporting. Produce findings for two audiences: a technical narrative for responders and a clear, factual account for management, legal, and potentially regulators.
Chain of custody
Every piece of evidence needs a documented chain of custody — who collected it, when, how it was stored, and everyone who touched it. The matching hash proves the image was not altered. Break the chain and the evidence may be inadmissible.
The core tension
Incident response wants to contain fast; forensics wants to preserve first. Pulling a plug can lose volatile memory holding the only copy of in-memory malware or keys. A skilled responder sequences actions to capture volatile evidence before disruptive containment, balancing both goals.
What interviewers look for
They want order-of-volatility-driven acquisition, hashing and chain of custody for defensibility, "preserve before remediate," and awareness of the containment-versus-preservation tension under real-world time pressure.
Likely follow-ups
- What is the order of volatility and why does it dictate acquisition order?
- Why do you hash evidence images, and what does that prove?
- How does the IR containment goal sometimes conflict with forensic preservation?