Practice incident forensics vocabulary: evidence preservation, chain of custody, memory dumps, disk images, and timeline reconstruction.
1 / 5
Your incident response plan says 'The forensic investigation preserves evidence.' Why is preservation the first priority?
Digital forensics follows a strict 'preserve first' principle, collecting the most volatile data first (RAM and network state before disk). Running antivirus, rebooting, or modifying files can destroy volatile memory, overwrite logs, or change file timestamps, destroying the evidence needed to understand what happened and how.
2 / 5
A forensics report mentions 'chain of custody for digital evidence.' What does maintaining chain of custody require?
Chain of custody is a documented record showing who collected evidence, when, how it was stored, and who accessed it. Breaks in chain of custody can make evidence inadmissible in legal proceedings and raise questions about whether evidence was tampered with.
3 / 5
An IR analyst says 'The memory dump was captured before the system was rebooted.' Why is this critical?
RAM contains volatile artifacts that are lost on reboot: running malware processes (possibly not on disk), active network connections, decryption keys, and recently run commands. Memory forensics captures these before they are destroyed, often revealing key evidence of attacker activity.
4 / 5
Your forensics procedure requires 'a disk image for offline analysis.' What is a disk image?
A forensic disk image is a bit-for-bit (sector-by-sector) copy of the entire storage device, acquired through a write blocker and hashed so the copy can be verified against the original at any later point. Analysts work from the image, not the original, to preserve evidence integrity. Because it copies every sector rather than only live files, the image captures deleted files (not yet overwritten), slack space, and filesystem metadata that backups miss.
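The two points above (a documented chain of custody, and a hashed image that is verified rather than trusted) fit together in practice: the hash taken at acquisition is what every later custody entry is checked against. The following is an added example, not code from the original quiz: it streams a file through SHA-256, appends custody entries to a JSON-lines log, and verifies that every entry still carries the acquisition hash. The file name laptop-0142.dd, the custody.jsonl log, the actor names, and the byte content of the "image" are all constructed for the demo; a real acquisition hashes a device read through a write blocker, and the custody record is usually a signed form, not a loose text file.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256; the digest is the evidence's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log: Path, evidence: Path, actor: str, action: str) -> dict:
    """Append one chain-of-custody entry: who, when (UTC), what, and the hash at that moment."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": evidence.name,
        "sha256": sha256_file(evidence),
        "actor": actor,
        "action": action,
    }
    with open(log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_chain(log: Path) -> Tuple[bool, Optional[dict]]:
    """The chain is intact only if every entry carries the acquisition hash.

    Returns (True, None) when intact, or (False, first_entry_with_a_different_hash).
    """
    lines = log.read_text(encoding="utf-8").splitlines()
    entries = [json.loads(line) for line in lines if line.strip()]
    if not entries:
        return False, None
    baseline = entries[0]["sha256"]
    for entry in entries[1:]:
        if entry["sha256"] != baseline:
            return False, entry
    return True, None


def run_demo(workdir: Optional[Path] = None) -> dict:
    """Acquire, hand off, then tamper; returns what each custody check found."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="custody-"))
    image = workdir / "laptop-0142.dd"  # constructed stand-in for a disk image (hypothetical name)
    log = workdir / "custody.jsonl"
    # Constructed bytes: a few boot-sector-looking opcodes, padding, and an NTFS OEM tag.
    image.write_bytes(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 4096 + b"NTFS    ")

    record_custody(log, image, "A. Carter (acquisition)", "imaged with write blocker")
    record_custody(log, image, "B. Nguyen (analyst)", "checked out for analysis")
    ok_before, _ = verify_chain(log)
    hash_before = sha256_file(image)

    # Simulate the mistake custody is meant to catch: editing the original, not a working copy.
    with open(image, "r+b") as f:
        f.seek(512)
        f.write(b"OOPS")
    record_custody(log, image, "B. Nguyen (analyst)", "returned to evidence locker")
    ok_after, bad_entry = verify_chain(log)

    return {
        "hash_before": hash_before,
        "hash_after": sha256_file(image),
        "chain_ok_before": ok_before,
        "chain_ok_after": ok_after,
        "first_bad_action": bad_entry["action"] if bad_entry else None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check deliberately compares every entry against the first one rather than against its predecessor: the question a court or a reviewer asks is whether the evidence today is what was acquired, not merely whether the last two handlers agree.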
5 / 5
A forensics team says 'The timeline reconstruction shows attacker movement.' What does timeline reconstruction involve?
Timeline reconstruction combines multiple artifact sources (Windows Event Logs, filesystem timestamps, network logs, browser history, and memory artifacts), normalises their timestamps to one clock (typically UTC, since each source records time differently), and sorts them into a chronological record of what the attacker did, when they did it, and how they moved through the environment.
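The step that makes or breaks a timeline is timestamp normalisation: an event log export in host-local time, an NTFS creation time in UTC and a proxy log in epoch seconds only line up once they are all converted to the same clock. The block below is an added example, not from the original quiz: it takes three constructed artifact sets (two event-log rows, one file-creation record, one proxy connection), converts each to UTC, and merges them into one ordered timeline. The host timezone (UTC-5), the host name, user, paths, IPs and timestamps are all made up for the demo; tools such as plaso do the same job across hundreds of parsers.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Assumed local timezone of the imaged host (constructed for this example).
HOST_TZ = timezone(timedelta(hours=-5))

# Constructed sample artifacts; none of these are real logs.
EVENT_LOG = [  # (host-local time as exported, EventID, message)
    ("2024-03-12 09:14:02", 4624, "Logon type 10 (RDP) CORP\\jsmith from 10.0.5.23"),
    ("2024-03-12 09:15:40", 4688, "Process create C:\\Windows\\Temp\\svch0st.exe"),
]
FILESYSTEM = [  # (path, NTFS creation time, already UTC)
    ("C:\\Windows\\Temp\\svch0st.exe", "2024-03-12T14:15:38Z"),
]
PROXY_LOG = [  # (epoch seconds, client IP, method, destination)
    (1710252960, "10.0.5.23", "CONNECT", "203.0.113.7:443"),
]

Event = Tuple[datetime, str, str, str]  # (utc time, source, what, detail)


def parse_event_log(rows) -> List[Event]:
    """Event log exports are host-local time; attach HOST_TZ, then convert to UTC."""
    out = []
    for ts, event_id, msg in rows:
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)
        out.append((local.astimezone(timezone.utc), "evtx", f"EventID {event_id}", msg))
    return out


def parse_filesystem(rows) -> List[Event]:
    """NTFS timestamps are stored in UTC; no conversion, just parse."""
    out = []
    for path, crtime in rows:
        ts = datetime.strptime(crtime, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((ts, "mft", "file created", path))
    return out


def parse_proxy(rows) -> List[Event]:
    """Epoch seconds are timezone-free; interpret as UTC explicitly."""
    out = []
    for epoch, client, method, dest in rows:
        ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
        out.append((ts, "proxy", f"{method} {dest}", f"client {client}"))
    return out


def build_timeline() -> List[Event]:
    events = parse_event_log(EVENT_LOG) + parse_filesystem(FILESYSTEM) + parse_proxy(PROXY_LOG)
    events.sort(key=lambda e: e[0])  # stable sort: equal timestamps keep source order
    return events


def render(events: List[Event]) -> List[str]:
    return [
        f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} [{source:5}] {what}: {detail}"
        for ts, source, what, detail in events
    ]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Read top to bottom, the merged output tells the story the separate sources cannot: an RDP logon from 10.0.5.23, a suspiciously named binary written to a world-writable temp directory 96 seconds later, that binary executing two seconds after it lands, and an outbound TLS connection from the same client twenty seconds after that. Had the event log been left in local time, the process creation would have appeared five hours before the file that spawned it existed.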