Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Computers & IT

Digital Forensics Incident Response Quiz

Quick, free network incident response quiz: 15 fast MCQs. Instant results.

Editorial: Review CompletedCreated By: Yudi WaraUpdated Aug 27, 2025
Difficulty: Moderate
Questions: 20
Learning OutcomesStudy Material
Colorful paper art depicting elements of cybersecurity, network forensics, and quiz symbols.

This digital forensics incident response quiz helps you spot threats, trace network clues, and choose the right action fast. Work through 15 MCQs to practice triage and confirm what you know. Need a refresher first? Try the cybersecurity basics quiz, build host skills with the digital forensics quiz, and firm up your edge with the network-based firewall quiz.

What is the primary purpose of analyzing system logs during a cybersecurity incident?
To plan hardware upgrades
To assess user satisfaction
To optimize system performance
To determine the sequence of events and pinpoint malicious activity
Analyzing system logs allows responders to reconstruct what happened and when, helping identify intrusion points. It is not intended for performance tuning or unrelated tasks.
Which Windows Event Log records user authentication events?
Application
Security
System
Setup
The Security log captures audit events including user logins and authentication attempts. The System and Application logs record different types of events.
What is the first phase of the NIST incident response framework?
Preparation
Post-Incident Activity
Detection and Analysis
Containment, Eradication, and Recovery
Preparation is the initial phase where policies, tools, and training are established. It ensures readiness before any incident occurs.
In network forensics, what is a pcap file used for?
Logging system events
Storing captured network packets
Managing firewall rules
Encrypting network traffic
A pcap (packet capture) file contains raw packet data observed on a network interface. It is essential for traffic analysis and reconstruction.
What document ensures the integrity of forensic evidence transfers?
Chain-of-custody form
Risk assessment report
Change management log
Incident response plan
The chain-of-custody form documents each individual who handled the evidence, when, and why, preserving its integrity. Other documents serve different purposes.
In a firewall log, which field typically indicates the destination port?
action
timestamp
srcip (source IP)
dpt (destination port)
The destination port field (often labeled dpt) shows which service endpoint is being contacted. Identifying the destination port helps determine what was targeted.
During the Containment phase of incident response, what action is most appropriate?
Encrypting all network traffic
Conducting user training sessions
Isolating affected systems from the network
Installing new software updates organization-wide
Containment focuses on limiting the spread of the threat by isolating compromised systems. Training and broad updates are separate phases.
Which Linux log file contains records of user login attempts?
/var/log/syslog
/var/log/auth.log
/var/log/boot.log
/var/log/messages
On Debian-based systems, /var/log/auth.log records authentication events and login attempts. Syslog and messages contain broader system messages.
What does the term "IOC" stand for in forensic investigations?
Indicator of Compromise
Integration of Credentials
Inspection of Confidentiality
Internet of Components
An Indicator of Compromise (IOC) is a piece of evidence - like a malicious IP or file hash - that signals a breach. The other options are incorrect expansions.
Which hashing algorithm is recommended for verifying evidence integrity?
MD5
CRC32
SHA-256
DES
SHA-256 is widely accepted for its collision resistance in forensics. MD5 and CRC32 are less secure, and DES is an encryption algorithm.
Why is creating a bit-for-bit disk image before analysis critical?
It automatically alerts on intrusions
It speeds up system performance
It compresses files for easy sharing
It preserves the original evidence for repeatable forensic examination without altering it
A bit-for-bit image ensures the original media remains unchanged, allowing analysts to verify findings against a pristine copy. Performance and alerts are unrelated.
What key information is recorded on a chain-of-custody form?
User account passwords
Daily system performance metrics
Names of handlers and timestamps of evidence transfers
Network topology diagrams
Chain-of-custody forms track who handled evidence, when, and under what circumstances. Topologies and metrics are documented elsewhere.
Which tool is commonly used for packet capture and analysis in network forensics?
Nmap
Wireshark
John the Ripper
Netcat
Wireshark is the industry-standard tool for capturing and analyzing packet data. Nmap and Netcat serve different network utility roles.
During the Eradication phase, what is the primary focus?
Identifying new threat actors
Removing malware and patching exploited vulnerabilities
Documenting financial losses
Hiring new security staff
Eradication deals with eliminating the root cause of the incident and securing systems. Financial documentation and staffing are separate activities.
What type of network artifact is a NetFlow record?
A memory dump of volatile RAM
A list of installed software
A summary of network traffic flows between hosts
A detailed system process list
NetFlow records summarize metadata about traffic flows (source, destination, volume). It is not a memory or process artifact.
Given a login log showing failed attempts from 02:15:10 to 02:18:47 and a successful login at 02:20:03, at what time did the attacker likely gain access?
02:17:22
02:15:10
02:20:03
02:18:47
The successful login entry at 02:20:03 indicates when credentials were accepted and access was gained. Earlier failures show attempts only.
You receive forensic evidence without timestamps on the chain-of-custody form. What issue does this create?
Increased file system fragmentation
A break in the chain-of-custody that could make the evidence inadmissible
Improved network performance
Automatic encryption of the evidence
Missing timestamps prevent tracking who had custody and when, undermining evidence integrity. The other options are unrelated to chain-of-custody.
What is the best practice for preserving volatile network data during an incident response?
Reboot the system into safe mode before collecting logs
Capture memory and network traffic data before shutting down the affected system
Immediately power off the system to prevent data loss
Only collect disk images and ignore RAM content
Volatile data such as RAM and active connections are lost on shutdown, so capturing it first preserves critical evidence. Powering off or ignoring RAM risks data loss.
In a packet capture, you observe an unusually high rate of TCP SYN packets with no corresponding ACKs. What does this likely indicate?
A SYN flood denial-of-service attack
An ARP cache poisoning attempt
DNS cache poisoning
Normal TCP session establishment
A flood of SYN packets without ACKs is characteristic of a SYN flood DoS attack, overwhelming a host by initiating but not completing handshakes.
Which phase of the SANS incident response process involves constructing a detailed timeline of events?
Incident Containment
Event Reconstruction
Preparation
Post-Incident Review
Event Reconstruction is the phase where analysts aggregate data to build a chronological timeline. Other phases address readiness, containment, or lessons learned.
0
{"name":"What is the primary purpose of analyzing system logs during a cybersecurity incident?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What is the primary purpose of analyzing system logs during a cybersecurity incident?, Which Windows Event Log records user authentication events?, What is the first phase of the NIST incident response framework?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Learning Outcomes

  1. Analyse system logs to pinpoint intrusion timelines.
  2. Identify key network artifacts in forensic investigations.
  3. Apply incident response frameworks to real-world scenarios.
  4. Evaluate threat indicators and remediation strategies.
  5. Demonstrate chain-of-custody best practices in forensics.
  6. Master evidence preservation techniques for network breaches.

Cheat Sheet

  1. Dive into the NIST Cybersecurity Framework - Get ready to explore the five core functions - Identify, Protect, Detect, Respond, and Recover - in a fun, structured way that levels up your incident response game. By mastering this framework, you'll boost your confidence and tackle cybersecurity risks like a pro. Start your journey with .
  2. Crack the SANS Incident Response Code - Unravel the six dynamic phases of Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned in an engaging, step”by”step fashion. This framework turns complex incidents into manageable challenges you can conquer. Dive deeper at .
  3. Log Detective: Trace Intrusion Timelines - Become a digital sleuth by analyzing logs from firewalls, servers, and IDS systems to reconstruct the hacker's playbook. These detective skills help you spot when and how an attack unfolded, so you can seal the breach faster. Check out .
  4. Artifact Hunter: Spot Network Clues - Hunt down unusual traffic, failed login attempts, and malware signatures like a seasoned investigator. These network artifacts are the breadcrumbs that lead straight to the attacker's methods. Level up your forensics at .
  5. Simulate & Conquer: Real-World Response Drills - Nothing beats hands-on practice! Engage in simulations and case studies to apply NIST and SANS frameworks in scenarios that mimic real attacks. You'll build muscle memory for quick, confident decision-making under pressure. Replay the action with .
  6. Threat Indicator Tracker: Know Your Adversary - Identify key indicators like suspicious IPs, domain names, and file hashes to understand who you're up against. These clues are your secret weapons for effective containment and future prevention. Sharpen your detection tools via .
  7. Lawful Evidence Keeper: Chain-of-Custody Basics - Learn to document every step of evidence collection, handling, and storage so your findings withstand legal scrutiny. Proper chain-of-custody practices ensure the integrity and credibility of your digital proof. Secure your knowledge at .
  8. Forensic Imaging Whiz: Preserve Digital Gold - Master the art of creating bit-perfect forensic images and maintaining meticulous logs to keep evidence pristine. These preservation techniques are critical when you need an unaltered snapshot of compromised systems. Find pro tips in .
  9. MITRE ATT&CK Navigator: Map Attacker Tactics - Chart adversary moves across tactics and techniques to predict and block future strikes before they happen. This framework is like a cheat sheet for spotting attacker patterns and fortifying your defenses. Explore the applications in .
  10. ISO/IEC 27035 Scholar: Mastering Incident Standards - Dive into the structured principles of incident management outlined by ISO/IEC 27035 and discover best practices used by top enterprises. Adopting this standard helps you build a repeatable, scalable response process that keeps your organization resilient. Learn more at .
Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Technology Quizzes

Powered by: Quiz Maker