If you had to preserve evidence from a potentially compromised machine, what would you collect and in what order, and why?
technical-conceptual · Junior level · cloud-devops-security
What the interviewer is really asking
Test whether the candidate understands the order of volatility (collect the most ephemeral data first) and basic evidence integrity — hashing, documentation, chain of custody — rather than reflexively rebooting or imaging in the wrong order, a forensics-specific concept distinct from the IR lifecycle.
What to say
- Lead with the order of volatility: collect the most ephemeral data first because it disappears when the machine is touched or powered off — CPU registers and cache, then RAM (running processes, network connections, decrypted secrets in memory), then disk and logs, which persist.
- Explain the cardinal rule: don't power off or reboot a live machine you intend to investigate — that destroys volatile memory; capture a memory image while it's running, and prefer isolating it from the network over shutting it down.
- Cover integrity and documentation: hash each artifact (e.g. SHA-256) when you collect it so you can later prove it wasn't altered, work on copies not originals, and keep a chain-of-custody record of who collected what, when, and how — 'if you didn't write it down, it didn't happen'.
What to avoid
- Rebooting or shutting the machine down first 'to make a clean copy' — that wipes RAM, the most volatile and often most valuable evidence.
- Investigating directly on the original disk instead of a verified image, which alters timestamps and risks destroying the evidence you're trying to preserve.
- Skipping hashing and a written record, leaving you unable to prove the evidence is intact and untampered later.
Example answers
Strong: I'd follow order of volatility: first capture RAM and the live state — running processes, open network connections, logged-in sessions — because all of that vanishes the instant the box is rebooted. Then take a disk image. I'd hash each capture with SHA-256 on collection, only ever analyse the copies, and log every step with a timestamp so we can show the evidence wasn't tampered with.
Weak: I'd shut it down to freeze its state, then copy the hard drive so nothing changes while I look at it.