Back to CompTIA Security+ (CompTIA Security+)

Incident Response and Forensics

Handling and investigating security incidents

5 minutes 5 Questions

Incident Response and Forensics are critical components of cybersecurity covered in the CompTIA Security+ certification. Incident Response is a structured methodology organizations follow when dealing with security breaches or cyberattacks. A comprehensive incident response plan typically follows …

Key Concepts 37
Incident ClassificationIncident ContainmentChain of CustodyIncident RecoveryIncident Recovery and Post-Incident AnalysisDigital Forensic Investigation ProcessDigital Evidence CollectionIncident AnalysisForensic ImagingIncident Detection and AnalysisPost-Incident Activity and Lessons LearnedLive ForensicsIncident IdentificationLive System ForensicsIncident EradicationIncident Containment, Eradication, and RecoveryIncident Prevention and DetectionNetwork ForensicsMalware Analysis and Reverse EngineeringIncident Response PlaneDiscoveryDigital Forensic Analysis TechniquesIncident Follow-UpFile System ForensicsContainment, Eradication, and RecoveryIncident RecoveryPost-Incident ReviewIncident Response TeamIncident ContainmentIncident ClassificationIncident Detection and AnalysisIncident Response Retrospective AnalysisNetwork ForensicsIncident Reporting and CommunicationLive Data ForensicsIncident EradicationPost-Incident Analysis
Test mode:
Start practice test
CompTIA Security+ - Incident Response and Forensics Example Questions

Test your knowledge of Incident Response and Forensics

Question 1

An investigator is analyzing a user's computer that is suspected of being involved in data exfiltration. The investigator notices multiple connections to an external IP address. What should the investigator do first?

Correct Answer: Document the findings

In digital forensic analysis, the first step after noticing any suspicious activity is to document the findings. This helps to maintain the chain of custody and can be crucial for further investigation and potential legal action. Blocking the IP address, shutting down the computer, confronting the user, ignoring the findings, or running a virus scan should only be done after proper documentation.

Question 2

An investigator is working on a case involving credit card fraud. The suspect's computer has been flagged for a potential breach. Which type of data should be checked first for potential evidence?

Correct Answer: Browser history

In a case of credit card fraud, checking the suspect's browser history can provide valuable information and potential evidence. System logs, deleted files, unallocated space, temporary files, and email attachments might also provide evidence, but the browser history should be prioritized due to its relevance to online transactions.

Question 3

An IT security team has discovered that a network intrusion was caused by an unauthorized external attacker. Which of the following steps should immediately be taken?

Correct Answer: Contain the incident

In incident response, the first step after analysis is containment to limit the damage caused by the intrusion. Other options are not immediate priorities.

More Incident Response and Forensics questions
96 questions (total)
Start 96 question test