CompTIA Security+incident-response-and-digital-forensics

Incident Response, Logging, and Digital Forensics

The IR lifecycle, the evidence you collect, and how forensics preserves it.

Incidents are not a question of if but when, so Security+ rewards candidates who know the response process cold and can preserve evidence without corrupting it. This lesson walks the incident response (IR) lifecycle, the logging that feeds it, and the forensic discipline that keeps evidence admissible.

Core Idea

  • Incident response follows a repeatable lifecycle so teams react by plan, not panic: prepare, detect, analyze, contain, eradicate, recover, and learn.
  • Logging and monitoring are the detection engine — a SIEM aggregates and correlates log sources so analysts can spot and alert on incidents early.
  • Digital forensics preserves evidence integrity through order of volatility, chain of custody, and hashing so findings hold up in court.

The Incident Response Lifecycle

The exam uses the phase model drawn from NIST guidance. Know the order and what each phase does:

  1. Preparation – build the IR plan, tooling, training, and communication channels before an incident.
  2. Detection / Identification – recognize that an event is actually an incident, usually via SIEM alerts, IDS, or user reports.
  3. Analysis – confirm scope, severity, and impact; classify the incident.
  4. Containment – stop the incident from spreading (isolate hosts, segment the network).
  5. Eradication – remove the threat itself (delete malware, disable breached accounts, patch the exploited flaw).
  6. Recovery – restore systems to normal operation and validate they are clean.
  7. Lessons Learned – hold a post-incident review to improve controls and update the plan.

IR Plans, Playbooks, and Exercises

  • IR plan – the overarching document defining roles, escalation paths, and communication.
  • Playbooks / runbooks – step-by-step procedures for specific incident types (ransomware, phishing, data breach). A runbook is the granular checklist a responder follows.
  • Tabletop exercises – discussion-based walkthroughs where the team talks through a scenario; low cost, no live systems.
  • Simulations – hands-on drills that actually exercise tools and responses, closer to a real event than a tabletop.

Logging, Monitoring, and the SIEM

Detection depends on visibility. A SIEM (Security Information and Event Management) system centralizes logs, performs correlation across sources to link related events, and generates alerting for analysts.

  • Log sources to know: firewall, IDS/IPS, endpoint (EDR), OS/security logs, application logs, DNS, authentication, and network flow data.
  • SOAR platforms add automation and orchestration to speed response.
  • Accurate, synchronized time (NTP) matters so events across sources can be correlated into a coherent timeline.

Digital Forensics and Evidence Handling

Forensics is about collecting and preserving evidence so it remains admissible and defensible.

  • Order of volatility – collect the most fleeting evidence first: CPU registers/cache, then RAM and running processes, then network state, then disk, then archives/backups.
  • Chain of custody – documentation of every person who handled evidence and when; a break in the chain can make evidence inadmissible.
  • Acquisition – create a bit-for-bit image of the drive and work only from copies; a write blocker prevents altering the original.
  • Hashing – compute a hash (e.g., SHA-256) of the image at acquisition and re-verify later; matching hashes prove the evidence was not altered (integrity).
  • Legal hold and e-discovery – a legal hold preserves data relevant to litigation; e-discovery is the process of identifying and producing that electronic data.

Root Cause Analysis and Threat Hunting

  • Root cause analysis (RCA) happens after containment to determine why the incident occurred so the underlying weakness is fixed, not just the symptom.
  • Threat hunting is proactive — analysts search for adversaries who evaded automated detection, often guided by threat intelligence and hypotheses rather than waiting for an alert.

High-Yield Exam Patterns

  • Containment vs. eradication: containment stops spread (isolate the host); eradication removes the threat (delete the malware, patch the hole). This distinction is tested constantly.
  • If a question asks what happens first when an incident is confirmed, containment comes before eradication and recovery.
  • Order of volatility questions: RAM/memory is collected before disk because it disappears on power-off.
  • If evidence must hold up in court, the answer involves chain of custody and hashing for integrity.
  • Tabletop = discussion; simulation = hands-on. Preparation is the phase that includes writing plans and running exercises.
  • Lessons learned is the last phase and feeds back into preparation.

Common Traps to Avoid

  • Confusing containment with eradication — stopping spread is not the same as removing the threat.
  • Collecting disk images before capturing volatile memory, violating order of volatility.
  • Powering off or working on the original evidence drive instead of a hashed forensic copy.
  • Thinking threat hunting is reactive; it is a proactive search that assumes a breach may already exist.
  • Treating a tabletop exercise as a live technical drill — it is discussion-based.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.