Skip to content

A compromised laptop is on your desk, still powered on, with a suspicious process running. To preserve evidence, what do you do?

Short answer

Follow the order of volatility. RAM, live network connections and the process table vanish on shutdown, so capture them first, then take a forensic disk image while documenting hashes and an unbroken chain of custody. A clean shutdown destroys memory-resident evidence — including fileless malware and keys that live only in RAM. Copy-then-delete tampers with the scene and breaks integrity. Running the company antivirus mutates the system and may quarantine or delete the very artifact you need to analyze.

A live, compromised host is a decaying crime scene. The most valuable evidence is the most fragile, and the wrong reflex — shut it down to "freeze" it — actually erases that evidence. This question tests whether you know the order of volatility (codified in RFC 3227) and can apply it under pressure.

Why volatile-first is the answer

The data that disappears fastest must be collected first:

  • RAM — running processes, injected/fileless malware, decryption keys, clipboard, and credentials that exist only in memory.
  • Live network connections — active C2 sockets, listening ports, the ARP cache.
  • Process list and loaded modules — what's actually executing right now.

You capture these first, then take a forensic disk image. Throughout, you record cryptographic hashes (to prove the image wasn't altered) and maintain an unbroken chain of custody — who handled the evidence, when, and why — so it stays admissible.

Why the other options destroy evidence

  • Clean shutdown — feels safe, but it flushes RAM, kills live connections, and may trigger anti-forensic or wiping routines on the next boot. The memory-resident evidence — often the heart of a modern intrusion — is gone forever.
  • Copy file to USB and delete it — you tamper with the scene, destroy filesystem timestamps and slack, break chain of custody, and may not even grab the real malicious component (it could be memory-only or have other staged files).
  • Run the antivirus — AV mutates the system: it scans, writes logs, and quarantines or deletes the suspicious process — destroying the exact artifact you came to analyze and contaminating the evidence.

What the interviewer is probing

They want a responder who treats evidence handling as methodical and defensible: collect most-volatile-first, work on forensic copies, hash everything, and document chain of custody. Naming the memory-resident artifacts that a shutdown would lose — and refusing to let AV mutate the box — signals you can preserve evidence that holds up in an investigation or in court.

Likely follow-ups

  • What artifacts live only in memory and would be lost forever on shutdown?
  • How do you preserve and prove integrity when imaging a disk on a live system?
  • Walk me through documenting chain of custody for the memory capture and the disk image.

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.