Incident Response | A+ Core 2

A+ Core 2 — 220-1102  |  Domain 2: Security
Incident Response
The 6-phase IR lifecycle, first responder actions, chain of custody, forensic imaging, and order of volatility. Every step tested on A+ Core 2.
21 Slides | Domain 2: Security — 25% of exam | IR Lifecycle • Evidence • Forensics • Chain of Custody | Exam 220-1102
Slide 2 of 21
The 6-Phase IR Lifecycle
The industry-standard incident response cycle. Memorize phases and order for the exam.
1. PREP — Prepare plans, tools & team
2. DETECT — Confirm incident
3. CONTAIN
4. ERADICATE — Remove threat
5. RECOVER — Restore systems
6. LESSONS
Exam Memory Hook
Preparation comes before any incident. Lessons Learned feeds back into Preparation, making the cycle self-improving. You may see questions asking which phase comes before or after a specific activity.
Slide 3 of 21
What Is a Security Incident?
Any event that threatens Confidentiality, Integrity, or Availability of systems or data.
Common Incident Types
Malware infection (ransomware, worm, RAT)
Unauthorized access to systems or data
Data breach — sensitive data exposed externally
Denial of Service (DoS) attack
Insider threat — misuse of authorized access
Event vs. Incident
Not every event is an incident. A single failed login = event. 500 failed logins in 5 minutes against one account = incident. Context and impact determine severity. When in doubt, report up and let trained personnel classify.
Severity Levels
Critical (Sev 1) — complete business shutdown, all hands
High (Sev 2) — key functions impaired, IR team activated
Medium (Sev 3) — limited impact, single system
Low (Sev 4) — policy violation, no data loss
A help desk ticket comes in: "My computer is acting weird and I clicked a link in an email." This is a potential malware infection — Sev 3 minimum until scoped. Immediate action: quarantine the machine from the network.
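The event-vs-incident rule above (one failed login is an event; 500 against one account in 5 minutes is an incident) as a sliding-window triage script. This is an added example, not from the slides; the log line format and the constructed lines are assumptions.

```python
"""Event-vs-incident triage for failed logins (added example, not from the
original slides). Uses the slide's own rule: one failed login is an event,
500 failures against one account within 5 minutes is an incident. Log lines
are constructed; the format "<ISO time> FAILED_LOGIN user=<u> src=<ip>"
is an assumption, not any real product's log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) FAILED_LOGIN user=(\S+) src=(\S+)$")

def parse(line):
    """Return (timestamp, user, source_ip) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def classify_failed_logins(lines, threshold=500, window=timedelta(minutes=5)):
    """Sliding-window count per account. Returns
    {"events": total_failures, "incidents": {user: (count, first_ts, last_ts)}}.
    Every failure counts as an event; an account reaching `threshold`
    failures inside any `window` is escalated to an incident (once)."""
    records = sorted(r for r in map(parse, lines) if r is not None)
    recent = defaultdict(deque)          # user -> timestamps still inside the window
    incidents = {}
    for ts, user, _src in records:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in incidents:
            incidents[user] = (len(q), q[0], ts)
    return {"events": len(records), "incidents": incidents}

def constructed_log(spacing_ms=480):
    """Sample input: one stray failure on 'bob' (an event) plus 500 failures
    on 'alice' spaced `spacing_ms` apart (480 ms puts all 500 inside 5 min)."""
    start = datetime(2024, 3, 15, 14, 0, 0)
    lines = [f"{start.isoformat()} FAILED_LOGIN user=bob src=10.0.0.7"]
    for i in range(500):
        ts = start + timedelta(milliseconds=spacing_ms * i)
        lines.append(f"{ts.isoformat()} FAILED_LOGIN user=alice src=203.0.113.5")
    return lines

if __name__ == "__main__":
    result = classify_failed_logins(constructed_log())
    print(f"{result['events']} failed-login events seen")
    for user, (n, first, last) in result["incidents"].items():
        print(f"INCIDENT: {user} had {n} failures between {first} and {last}")
```

Raising `spacing_ms` to 720 spreads the same 500 failures over 6 minutes, so no 5-minute window reaches the threshold and the script reports only events.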
Slide 4 of 21
Phase 1: Preparation
Everything done BEFORE an incident occurs. Preparation determines how effectively you can respond.
Preparation Activities
Written Incident Response Plan with defined procedures
Designated IR team with roles and contact list
Communication plan with escalation paths
Regular tabletop exercises and drills
Pre-built documentation templates
IR Tool Kit Essentials
Forensic imaging software (FTK Imager, dd)
Hardware write blockers (critical for evidence)
Evidence bags, tamper-evident tape, labels
Clean bootable media (Linux live USB, WinPE)
Chain of custody forms, camera, USB drives
Why Preparation is Phase 1
Organizations that skip preparation scramble, destroy evidence, and extend recovery time. A rehearsed IR team with documented procedures and the right tools responds faster and with fewer mistakes. Time spent preparing saves multiples during response.
Slide 5 of 21
Phases 2-3: Detection & Containment
Phase 2: Identification / Detection
Detect and confirm a security incident has occurred. Sources: automated IDS/SIEM alerts, user reports, routine log reviews, external notifications. Steps: receive alert → triage (real or false positive?) → scope affected systems → assign severity → notify team.
Phase 3: Containment
Stop the spread and limit the damage. Short-term: disconnect affected systems, disable compromised accounts, block malicious IPs. Long-term: patch unaffected systems, change credentials, implement additional monitoring, prepare clean replacement systems.
ISOLATE vs. MONITOR
ISOLATE
  + Stops spread immediately
  + Protects adjacent systems
  - May alert attacker
  - Loses volatile evidence if rushed
MONITOR
  + Collects attacker TTPs
  + Maps full compromise scope
  - Risk of continued damage
  - Legal / compliance exposure
Critical Containment Decision
Before disconnecting a system: capture volatile data first (RAM dump, running processes, network connections). Once you pull the network cable, volatile evidence is gone. Balance evidence preservation against limiting damage spread.
Detection Source | Examples
Automated Alerts | IDS/IPS alerts, antivirus detection, SIEM correlation rules, firewall block logs
User Reports | Help desk tickets, direct reports of suspicious behavior or ransomware notices
Routine Monitoring | Log reviews, performance monitoring, vulnerability scan results
External Notification | Law enforcement tip, threat intel feed, vendor advisory, customer report
Slide 6 of 21
Phases 4-5: Eradication & Recovery
Phase 4: Eradication
1. Remove all malware from infected systems
2. Close the attack vector (patch exploited vulnerability)
3. Reset all potentially compromised credentials
4. Reimage systems from known-clean backups if needed
5. Verify all systems are clean before recovery
Phase 5: Recovery
1. Restore clean systems to production one at a time
2. Restore data from verified clean backups
3. Verify all services function correctly
4. Increase monitoring on recovered systems
5. Monitor for weeks — attackers often return through a backup means of access they left behind
Slide 7 of 21
Phase 6: Lessons Learned
Hold within 1-2 weeks of incident resolution while details are fresh. This phase feeds directly back into Preparation.
Lessons Learned Meeting Questions
What happened? (Complete timeline from detection to resolution)
How was it detected? Was detection timely?
What worked well in the response?
What failed or was slow?
What policy or tool changes are needed?
What was the total impact (downtime, cost, data loss)?
Deliverables
Updated IR procedures based on findings
Revised security policies addressing identified gaps
New IOCs added to monitoring systems
Additional training scheduled for identified weaknesses
Final incident report for management and compliance
Why Lessons Learned Matters
Organizations that skip lessons learned repeat the same attacks. Each incident is an intelligence opportunity. IOCs from a resolved incident protect against the next one. The IR cycle gets better with every iteration.
Slide 8 of 21
Chain of Custody
The chronological paper trail documenting every person who handled evidence from collection to court.
EVIDENCE COLLECTED (scene) → DOCUMENTED + SIGNED (chain form) → SECURED IN EVIDENCE (locked locker) → ANALYZED FORENSICALLY (working copy) → PRESENTED IN COURT (admissible)
Required Element | Purpose | Example
Who | Name and signature of each person handling evidence | Jane Smith, Digital Forensics Analyst
What | Detailed description of the evidence item | Dell Latitude 5520, S/N: ABC123, 256GB SSD
When | Date and time of each transfer or access | 2024-03-15 14:32 UTC
Where | Location where evidence was stored or transferred | Evidence locker B, Room 204
Why | Reason for each transfer or access | Forensic imaging of hard drive
Legal Consequence of a Broken Chain
A single undocumented transfer can make evidence INADMISSIBLE in court. Defense attorneys challenge chain gaps. Even a minor omission can result in acquittal. Document every single handoff with signature and timestamp.
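A checker for the Who / What / When / Where / Why records above that flags the gaps a defense attorney would challenge. This is an added example, not part of the slides; the record layout, names and times are constructed.

```python
"""Chain of custody gap check (added example, not from the original slides).
Each handoff is a record carrying the slide's Who / What / When / Where / Why
plus who released and who received the item. The checker flags what a defense
attorney would challenge: a releaser who was never the previous receiver (an
undocumented transfer), a missing signature, or a timestamp that runs backwards.
Names, times and the record layout are constructed assumptions."""
from datetime import datetime

REQUIRED = ("item", "when", "where", "why", "released_by", "received_by", "signature")

def check_chain(records):
    """Return a list of (record_index, problem); an empty list means unbroken."""
    problems = []
    prev = None
    for i, r in enumerate(records):
        for field in REQUIRED:
            if not r.get(field):
                problems.append((i, f"missing {field}"))
        if prev is not None:
            if r.get("released_by") != prev.get("received_by"):
                problems.append((i, f"undocumented handoff: {prev.get('received_by')} -> {r.get('released_by')}"))
            if r.get("when") and prev.get("when") and r["when"] < prev["when"]:
                problems.append((i, "timestamp earlier than previous entry"))
            if r.get("item") != prev.get("item"):
                problems.append((i, "item description changed mid-chain"))
        prev = r
    return problems

def entry(when, released_by, received_by, where, why, signature=True,
          item="Dell Latitude 5520, S/N: ABC123, 256GB SSD"):
    """Build one custody record; `when` is a 24-hour UTC ISO string."""
    return {"item": item, "when": datetime.fromisoformat(when), "where": where,
            "why": why, "released_by": released_by, "received_by": received_by,
            "signature": signature}

# Constructed sample chain (names and times are illustrative only)
GOOD_CHAIN = [
    entry("2024-03-15T14:32", "scene", "Jane Smith", "Room 204", "Seized laptop at scene"),
    entry("2024-03-15T15:10", "Jane Smith", "T. Nguyen", "Evidence locker B, Room 204", "Secure storage"),
    entry("2024-03-16T09:00", "T. Nguyen", "Jane Smith", "Forensics lab", "Forensic imaging of hard drive"),
    entry("2024-03-16T12:45", "Jane Smith", "T. Nguyen", "Evidence locker B, Room 204", "Return to storage"),
]
# Same chain with two defects: the lab checkout was done by someone the
# locker custodian never released to, and that entry was never signed.
BROKEN_CHAIN = list(GOOD_CHAIN)
BROKEN_CHAIN[2] = entry("2024-03-16T09:00", "Bob Lee", "Jane Smith", "Forensics lab",
                        "Forensic imaging of hard drive", signature=False)

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("broken", BROKEN_CHAIN)):
        probs = check_chain(chain)
        print(name, "chain:", "intact" if not probs else probs)
```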
Slide 9 of 21
First Responder Actions
As an A+ technician you may be the first on scene. Your actions in the first minutes matter enormously.
1. Stay calm — Do not panic or make hasty decisions that could destroy evidence or worsen the situation.
2. Secure the scene — Limit physical and logical access to affected systems. Ask bystanders to step back.
3. Do NOT touch — Avoid altering evidence. Do not "check" by logging in, moving files, or rebooting. You may destroy evidence.
4. Document everything — Start recording observations immediately with exact timestamps. Take photographs of screens and equipment positions.
5. Report up — Notify your supervisor and the designated Incident Response team. Do not attempt a full investigation alone.
6. Preserve state — Do NOT power off running systems unless instructed by the IR team. Volatile evidence lives in RAM.
7. Control access — Keep a log of every person who enters the scene area, including their name, role, and timestamp.
Primary First Responder Role
Your job is to PRESERVE EVIDENCE and REPORT UP — not to investigate or remediate on your own unless specifically trained and authorized. Unauthorized "cleanup" destroys forensic evidence.
Slide 10 of 21
Incident Documentation
Element | Details to Capture
Date & time | Exact timestamps of events and actions taken (24-hour UTC format)
Who discovered it | Name, role, department, and contact information of reporter
How discovered | Automated alert, user report, routine check, third-party notification
Systems affected | Hostnames, IP addresses, MAC addresses, physical locations, serial numbers
Actions taken | Every step performed chronologically with who performed each action
Evidence collected | All evidence items with descriptions and storage locations
Witnesses | Names of anyone who observed the incident or response activities
Documentation Language
Write in factual, objective language. Document what you OBSERVED, not what you THINK happened. "The screen displayed a ransom message" not "the computer was attacked by ransomware." Avoid speculation in formal reports.
Legal Hold
When litigation is anticipated, suspend ALL automatic data deletion. Notify custodians. Preserve everything in scope. Destroying data after a legal hold is "spoliation" and carries severe penalties including adverse inference.
Slide 11 of 21
Evidence Types
1. Collect — Identify source
2. Hash — MD5 / SHA-256
3. Tag — Label / item ID
4. Bag & Seal — Tamper-evident
5. Log CoC — Chain of custody
6. Secure Store — Access controlled
Any break in this chain renders evidence inadmissible.
Digital Evidence
Hard drive forensic images (bit-for-bit copies)
RAM memory dumps
System and application log files
Network packet captures (PCAP files)
Email messages with full headers
Browser history, cache, cookies
Physical Evidence
Computer hardware and peripherals
USB drives and external storage media
Printed documents with sensitive data
Access cards and security badges
Surveillance camera footage
Mobile phones and tablets
Testimonial Evidence
Written witness statements with signatures
Expert testimony from qualified forensic professionals
Documented interviews with involved parties
Incident timeline reconstructed from multiple sources
Slide 12 of 21
Order of Volatility
Collect evidence starting with the MOST volatile (most easily lost) data first. Critical for the exam.
1. CPU registers and cache — Lost immediately when powered off. Nanosecond lifespan. Nearly impossible to capture in practice.
2. RAM (system memory) — Contains running processes, encryption keys, passwords in plaintext, network state, and decrypted data. Disappears on power-off.
3. Network state — Active connections, routing tables, ARP cache, DNS cache. Changes as soon as you disconnect from the network.
4. Running processes — Currently executing programs and their memory space. Visible in Task Manager; changes every second.
5. Disk storage — Files, system logs, databases, application data, registry. Persists through reboots.
6. Remote logging data — SIEM logs, syslog server, cloud service audit logs. Off-system, more persistent.
7. Archival / backup media — Backup tapes, USB drives, external storage. Least volatile; may be weeks or months old.
Key Insight for the Exam
Once you power off a running system, items 1-4 are gone FOREVER. This is why IR teams capture RAM dumps and network state BEFORE disconnecting or shutting down systems. Volatile data first, always.
Slide 13 of 21
Forensic Imaging
A bit-for-bit exact copy of a storage device, including deleted files and unallocated space.
Forensic Image vs Regular Copy
Feature | Forensic | Regular
Deleted files | Yes | No
Unallocated space | Yes | No
Bit-for-bit identical | Yes | No
Court admissible | Yes | Generally no
Forensic Tools
FTK Imager — free, GUI-based imaging
dd / dcfldd — command-line Linux imaging
EnCase — enterprise forensic suite
Autopsy — open-source analysis platform
Imaging Process Steps
1. Connect evidence drive through a write blocker
2. Calculate hash of ORIGINAL drive before imaging
3. Create forensic image using validated tool
4. Calculate hash of the forensic image copy
5. Compare hashes — must match exactly
6. Document all steps and hash values in evidence log
Slide 14 of 21
Write Blockers & Hash Verification
Write Blocker
Hardware or software device that allows data to be READ from a storage device while preventing any writes. Essential for forensic imaging: without it, simply connecting the drive to an ordinary host can modify metadata (for example, access timestamps), contaminating the evidence. Hardware write blockers are preferred over software.
Hash Verification
A cryptographic hash is a digital fingerprint of data. Calculate MD5 and SHA-256 of the original evidence and the forensic copy. If even one bit changes, the hash changes completely. Matching hashes prove the copy is an exact duplicate and the original has not been altered.
Hash Algorithm | Output Size | Status | Use Case
MD5 | 128-bit (32 hex chars) | Collision vulnerability known; still used for speed | Legacy forensics, quick integrity checks
SHA-1 | 160-bit (40 hex chars) | Deprecated; collision demonstrated 2017 | Avoid for new forensic work
SHA-256 | 256-bit (64 hex chars) | Current standard — secure | All forensic imaging; preferred over MD5
SHA-3 | Variable (256/512-bit) | Current — alternative to SHA-2 family | High-assurance environments
Best Practice
Calculate BOTH MD5 and SHA-256. MD5 is fast and widely accepted; SHA-256 provides higher assurance. Document both values in the chain of custody form. Never work on the original evidence — always analyze the forensic copy.
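The imaging steps on the previous slide (hash the original, hash the image, compare) and the best practice above (record both MD5 and SHA-256), carried out on constructed data. This is an added example, not from the slides or any named tool; the "drive" and "image" are byte strings built in the script, and on a real case the streams would be the write-blocked device and the image file.

```python
"""Forensic image hash verification (added example, not from the slides).
Hashes the 'original' and the 'image' with both MD5 and SHA-256, compares
them, and builds the record that goes on the chain of custody form. Also
shows why one changed bit is detectable: the hash changes completely."""
import hashlib
import io

def hash_stream(stream, chunk_size=1 << 20):
    """MD5 and SHA-256 of a readable binary stream, read in 1 MiB chunks
    so a multi-GB device never has to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_image(original, image):
    """Compare hashes of original and image; returns (verified, log_record).
    The record carries both hash pairs so it can be copied onto the chain of
    custody form whether or not verification succeeded."""
    orig = hash_stream(io.BytesIO(original))
    img = hash_stream(io.BytesIO(image))
    verified = orig == img                # both algorithms must match exactly
    return verified, {"original": orig, "image": img, "verified": verified}

def changed_bits(hex1, hex2):
    """Hamming distance between two hex digests: a single flipped data bit
    changes roughly half of the hash's bits (the avalanche effect)."""
    return bin(int(hex1, 16) ^ int(hex2, 16)).count("1")

# Constructed 'evidence drive' (just over 2 MiB, so it spans three chunks)
# and a copy of it with exactly one bit flipped in the middle.
ORIGINAL = bytes(range(256)) * 8193
_corrupt = bytearray(ORIGINAL)
_corrupt[len(_corrupt) // 2] ^= 0x01
CORRUPTED = bytes(_corrupt)

if __name__ == "__main__":
    ok, record = verify_image(ORIGINAL, ORIGINAL)
    print("clean image verified:", ok, record["image"])
    bad, record = verify_image(ORIGINAL, CORRUPTED)
    print("one-bit-flipped image verified:", bad)
    print("SHA-256 bits changed by that one flipped data bit:",
          changed_bits(record["original"]["sha256"], record["image"]["sha256"]))
```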
Slide 15 of 21
Device Handling: Computers
If the Computer is RUNNING
Do NOT power off — volatile data will be lost permanently
Photograph the screen showing current state
Capture RAM using FTK Imager or WinPmem
Record running processes and active network connections
Record logged-in users and open files
Power off ONLY after volatile data is fully captured
If the Computer is OFF
Do NOT power on — could trigger malware, modify timestamps, overwrite evidence
Remove the hard drive and connect via write blocker for imaging
Alternatively, boot from a forensic live USB to image the drive
Document all physical connections and cable positions before disturbing
BitLocker / Full Disk Encryption Special Case
If the running system uses BitLocker or similar full-disk encryption, powering off will LOCK the drive. Capture the decryption key from memory BEFORE shutdown. A locked encrypted drive without the key is functionally unreadable evidence.
Slide 16 of 21
Device Handling: Mobile Devices
Immediate Actions
Enable Airplane mode — prevents remote wipe commands
Use a Faraday bag — blocks ALL wireless signals (cellular, Wi-Fi, Bluetooth, NFC)
Keep device charged — a dead battery may mean permanently locked out
Do NOT attempt to unlock — failed attempts may wipe the device
Document visible state — photograph screen, note locked/unlocked status
Mobile Evidence Types
Evidence | Location
Call logs | Phone app, carrier records
Text messages | SMS/MMS database, messaging apps
Location data | GPS history, cell towers, Wi-Fi APs
App data | Social media, email, browser
Photos/Videos | Camera roll + EXIF metadata
Faraday Bag vs Airplane Mode
Airplane mode stops active connections but the device can still receive signals if airplane mode fails or is bypassed. A Faraday bag physically blocks all RF signals regardless of software state. Use BOTH for maximum isolation of critical evidence.
Slide 17 of 21
Incident Severity & Reporting Requirements
Severity | Description | Response | Example
Critical (Sev 1) | Business shutdown or major breach | All hands, executive + legal notification, 24/7 | Ransomware encrypting production servers
High (Sev 2) | Significant impact to key functions | IR team activated, management notified | Active intruder on internal network
Medium (Sev 3) | Limited to single department/system | Assigned to IR team, tracked in ticketing | Single workstation malware infection
Low (Sev 4) | Minimal impact, policy violation | Document and monitor; standard process | Employee accessing a blocked website
Internal Reporting
Management • Legal department • HR (if employee is involved) • Board / executives for Sev 1-2 • Public relations if media exposure is likely • Cyber insurance carrier (within policy timeframe)
External Reporting
Law enforcement if criminal activity suspected • GDPR: supervisory authority within 72 hours of breach discovery • HIPAA: HHS within 60 days; media notification for 500+ affected individuals • State breach notification laws vary by jurisdiction
Slide 18 of 21
Forensic Tools & RAM Capture
RAM Capture Tools
FTK Imager — GUI-based, captures RAM and disk, Windows
WinPmem — command-line Windows RAM dump
Volatility — RAM image analysis framework (runs on RAM dumps)
DumpIt — single executable RAM capture, no install required
Disk Imaging Tools
FTK Imager — free, creates forensic images (E01, raw)
dd / dcfldd — Linux command-line bit-copy
EnCase — enterprise suite, court-recognized
Autopsy — open-source analysis on images
Network Capture Tools
Wireshark — GUI packet capture and analysis
tcpdump — command-line packet capture (Linux/Mac)
NetworkMiner — passive network forensics from PCAP
netstat -an — active connections at time of capture
Slide 19 of 21
Incident Indicators & IOCs
Indicators of Compromise (IOCs) are artifacts that indicate a breach has occurred or is in progress.
Category | Indicators
System | Unusual processes, high CPU/memory, disabled security software, unexpected services running
Network | Unexpected outbound traffic, connections to unknown IPs, bandwidth spikes, unusual DNS queries, beaconing
Account | Multiple failed logins, lockouts, privilege escalation, logins at unusual hours or from foreign IPs
Data | Modified or deleted files, unauthorized database queries, large data transfers, unexpected encryption
Physical | Tailgating incidents, tampered equipment, missing devices, unauthorized visitors in secure areas
Application | Unexpected error messages, crashes, unauthorized config changes, new admin accounts created
Report When in Doubt
Organizations prefer over-reporting to under-reporting. A reported false alarm costs analysis time. A missed incident costs the organization data, reputation, and potentially regulatory fines. When you see something, say something.
Slide 20 of 21
Knowledge Check
Three exam-style questions covering the incident response process.
Q1: IR Phase Order
What is the correct order of the first three IR phases?

A) Preparation, Identification, Containment • B) Identification, Containment, Preparation • C) Containment, Eradication, Recovery • D) Detection, Preparation, Recovery

Answer: A) Preparation, Identification, Containment. Preparation always comes first, before any incident occurs.
Q2: Most Volatile Data
What is the MOST volatile type of data in the order of volatility?

A) Hard drive files • B) CPU registers and cache • C) RAM contents • D) Network connections

Answer: B) CPU registers and cache — Lost instantly on power-off. RAM is #2, network state is #3.
Q3: Mobile Device Isolation
What device physically blocks ALL wireless signals from a mobile phone during evidence handling?

A) Write blocker • B) USB isolator • C) Faraday bag • D) Signal jammer

Answer: C) Faraday bag — Physically blocks cellular, Wi-Fi, Bluetooth, and NFC signals. Signal jammers are illegal.
Slide 21 of 21
Chapter Summary
1. 6 IR Phases: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Preparation is Phase 1, always before an incident.
2. First responder role: Secure the scene, document everything, report up. Do NOT investigate or remediate alone. Preserve evidence above all.
3. Chain of custody: Who, what, when, where, why. Every single transfer documented with signatures. One gap = inadmissible evidence in court.
4. Order of volatility: CPU registers → RAM → Network state → Processes → Disk → Remote logs → Archives. Capture most volatile first.
5. Forensic imaging: Bit-for-bit copy using write blockers. Verify integrity by comparing MD5 and SHA-256 hashes of original and copy.
6. Running computer: Capture RAM, processes, and network state BEFORE powering off. BitLocker key also lives in RAM.
7. Computer that is off: Do NOT power on. Remove drive and image through a write blocker, or boot from forensic live USB.
8. Mobile devices: Airplane mode + Faraday bag. Keep charged. Do NOT attempt to unlock. Document visible screen state immediately.
9. Legal hold: Preserve all relevant data when litigation is anticipated. Destroying data after a legal hold is spoliation — severe legal consequences.
10. Lessons Learned feeds back into Preparation, making the cycle self-improving. New IOCs are added to monitoring. Gaps are closed.