If you had to preserve evidence from a potentially compromised machine, what would you collect and in what order, and why?

technical-conceptual · Junior level · cloud-devops-security

What the interviewer is really asking

Test whether the candidate understands the order of volatility (collect the most ephemeral data first) and basic evidence integrity — hashing, documentation, chain of custody — rather than reflexively rebooting or imaging in the wrong order, a forensics-specific concept distinct from the IR lifecycle.

What to say

What to avoid

Example answers

Strong: I'd follow order of volatility: first capture RAM and the live state — running processes, open network connections, logged-in sessions — because all of that vanishes the instant the box is rebooted. Then take a disk image. I'd hash each capture with SHA-256 on collection, only ever analyse the copies, and log every step with a timestamp so we can show the evidence wasn't tampered with.

Weak: I'd shut it down to freeze its state, then copy the hard drive so nothing changes while I look at it.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.