Skip to content

You must reconstruct what an attacker did across three days. What's the right approach?

Short answer

Reliable incident reconstruction comes from correlating independent telemetry into one timeline: auth logs, EDR process/exec data, filesystem MAC timestamps, network flows and SIEM events, so you can order actions and bound the scope. A single log or the latest event alone misses the chain and can be misleading or tampered with. Guessing from one source or asking the attacker are not investigative methods. Correlation across independent sources is what reveals the full attacker activity and survives an attacker who edited one of them.

Reconstructing a multi-day intrusion is fundamentally a correlation problem. No single data source tells the whole story: authentication logs show who logged in where, EDR shows what executed, filesystem MAC (modify/access/change) times show what files were touched, network flows show where data went, and the SIEM ties alerts together. Each is a partial view. The truth emerges when you merge them into one ordered timeline.

Why a correlated timeline wins

  • It establishes sequence. You can see initial access, then execution, then lateral movement, then exfiltration — in order — which is what scoping and root-cause depend on.
  • It bounds the scope. Correlation across hosts and accounts shows how far the attacker reached, not just where you happened to look first.
  • It resists tampering. If an attacker cleared one log, the other independent sources still record the activity. Anchoring on telemetry the attacker couldn't easily edit (centralized logs, EDR, network) is how you trust your reconstruction.

Why the distractors fail

  • "Guess from a single log file" ignores everything that log doesn't capture and is exactly what an attacker hopes you'll do — especially if that log is the one they tampered with.
  • "Ask the attacker" is not an investigative method; attackers lie, and you usually can't ask anyway.
  • "Only the most recent event" misses the entire chain that led there. The last event is the tip; the timeline is the iceberg.

What the interviewer is probing

Whether you think like a forensic investigator — assembling independent sources into a defensible timeline, accounting for clock skew and tampering — rather than reacting to whatever single artifact is in front of you. At senior level they expect you to name the sources and explain why correlation, not just that you'd correlate.

Likely follow-ups

  • How do you handle clock skew across sources when merging them into one timeline?
  • Which sources are hardest for an attacker to tamper with, and why do you anchor on those?
  • How do file MAC times help, and where do they mislead (e.g., timestomping)?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.