Incident Response and Forensics

Handling and investigating security incidents

This section focuses on preparing for security incidents, detecting and analyzing them, and learning how to respond to and recover from them. Digital forensics techniques are also explored.

Incident Response and Forensics are critical components of cybersecurity covered in the CompTIA Security+ certification. Incident Response is a structured methodology organizations follow when dealing with security breaches or cyberattacks. A comprehensive incident response plan typically follows …

Concepts covered: Incident Classification; Incident Containment; Chain of Custody; Incident Recovery; Incident Recovery and Post-Incident Analysis; Digital Forensic Investigation Process; Digital Evidence Collection; Incident Analysis; Forensic Imaging; Incident Detection and Analysis; Post-Incident Activity and Lessons Learned; Live Forensics; Incident Identification; Live System Forensics; Incident Eradication; Incident Containment, Eradication, and Recovery; Incident Prevention and Detection; Network Forensics; Malware Analysis and Reverse Engineering; Incident Response Plan; eDiscovery; Digital Forensic Analysis Techniques; Incident Follow-Up; File System Forensics; Containment, Eradication, and Recovery; Post-Incident Review; Incident Response Team; Incident Response Retrospective Analysis; Incident Reporting and Communication; Live Data Forensics; Post-Incident Analysis

CompTIA Security+ - Incident Response and Forensics Example Questions

Test your knowledge of Incident Response and Forensics

Question 1

An investigator is analyzing a user's computer that is suspected of being involved in data exfiltration. The investigator notices multiple connections to an external IP address. What should the investigator do first?

Question 2

An investigator is working on a case involving credit card fraud. The suspect's computer has been flagged for a potential breach. Which type of data should be checked first for potential evidence?

Question 3

An IT security team has discovered that a network intrusion was caused by an unauthorized external attacker. Which of the following steps should immediately be taken?

More Incident Response and Forensics questions
96 questions (total)