Exercises: Digital Forensics for Defenders

These exercises move from the rules of sound acquisition to the judgment of a working investigator. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

Every hands-on suggestion assumes systems you own or are explicitly authorized to investigate (the authorization rule from Chapter 1). All logs and scenarios are illustrative (Tier 3); IPs are in documentation ranges. Where a problem asks you to "preserve," the order of your actions is graded as much as the answer.


Part A — Core vocabulary and process ⭐

1.† In one sentence each, define order of volatility, chain of custody, write blocker, and forensic artifact. Then write one sentence that uses all four correctly in the context of imaging a compromised laptop.

2. Classify each as a volatile or non-volatile evidence source, and rank the volatile ones from most to least volatile: (a) the $MFT on disk; (b) the contents of RAM; (c) the ARP cache; (d) a log already forwarded to the SIEM; (e) CPU registers; (f) a backup tape in a vault.

3. Explain the difference between incident response (Chapter 24) and digital forensics in one paragraph, and give one situation where their goals directly conflict and how the order-of-volatility discipline resolves it.

4.† Why is analysis performed on the image and never on the original drive? State two distinct reasons, and describe what you would do if your only image fails its post-acquisition hash check.

5. A colleague says, "We hashed the image with MD5, so we're fine." Give the nuanced correct response: when is an MD5 match adequate, when is it not, and what should be recorded instead.

6. Match each artifact to the question it best answers: artifacts = {Prefetch, $MFT, Windows Event ID 4624, registry Run key, Windows Event ID 1102}; questions = {Did this program run? When was this file created? How did this account log on? How did the attacker persist? Did someone clear the log?}.


Part B — Preserve the evidence (order of volatility) ⭐⭐

7.† Respond to this incident (preservation). You are called to a running Windows server that the SOC believes is actively compromised but is not currently encrypting files or exfiltrating data. You have a write blocker, an external drive, a trusted memory-capture tool, and authorization. Write the ordered list of preservation steps you would take, and justify the position of memory capture and disk imaging in that order.

8. Change one fact in Exercise 7: the server is actively running ransomware that is encrypting files right now, and you cannot complete a memory capture before significant damage occurs. Does your order change? What are you knowingly sacrificing, and why might that trade still be correct?

9.† A junior responder "froze" a suspect workstation by pulling its power cord the moment they arrived, then proudly imaged the disk. List exactly what evidence was destroyed by that action, and write two sentences you would say to coach them — without discouraging the instinct to act fast.

10. Harden it (forensic readiness). Meridian's current logging keeps Windows Security events for 7 days on each host only, with no central collection. The attacker in the chapter had a dwell time of three weeks and cleared local logs on the way out. List three specific changes to this configuration that would have preserved the evidence, and tie each change to a concept from §25.6.

11. You must image a 4 TB drive but the incident is moving fast and full imaging will take hours. Describe the trade-offs of triage acquisition (collecting key artifacts first) versus full imaging, and state when each is appropriate. What do you risk by collecting only artifacts?


Part C — Analyze the artifact ⭐⭐

12.† Analyze this artifact. You pull these (illustrative) records from a compromised Windows host. All times UTC.

[Security.evtx]
08:01:55  EventID 4625  Logon FAILED  type=10 (RDP)  Account=administrator  Source=203.0.113.7
08:02:09  EventID 4625  Logon FAILED  type=10 (RDP)  Account=administrator  Source=203.0.113.7
08:02:31  EventID 4624  Logon OK      type=10 (RDP)  Account=administrator  Source=203.0.113.7
08:05:12  EventID 7045  Service installed  Name="UpdateSvc"  ImagePath=C:\Users\Public\u.exe
[Prefetch]
U.EXE-1A2B3C4D.pf   run count=1   last run=2025-05-02 08:05:40

(a) Narrate what happened, in order, in plain English. (b) Which two Event IDs together indicate a successful brute-force / password-guessing of RDP? (c) What does the Prefetch entry add that the event log alone does not? (d) Name one control that would have prevented the initial access.
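The pattern in Exercise 12 (repeated 4625 failures, then a 4624 success from the same source, followed minutes later by a 7045 service install) can be checked mechanically over the same records. The block below is an added example, not part of the chapter or its answer key; it parses the flattened Security.evtx lines as printed above, and the thresholds (2 failures, 10- and 15-minute windows) are assumptions chosen for this sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the Security.evtx records from Exercise 12 (all times UTC).
SECURITY_LOG = r"""
08:01:55  EventID 4625  Logon FAILED  type=10 (RDP)  Account=administrator  Source=203.0.113.7
08:02:09  EventID 4625  Logon FAILED  type=10 (RDP)  Account=administrator  Source=203.0.113.7
08:02:31  EventID 4624  Logon OK      type=10 (RDP)  Account=administrator  Source=203.0.113.7
08:05:12  EventID 7045  Service installed  Name="UpdateSvc"  ImagePath=C:\Users\Public\u.exe
"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+EventID\s+(\d+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_security_log(text):
    """One dict per record: time, id, plus every key=value field on the line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-record line
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        events.append({"time": datetime.strptime(m.group(1), "%H:%M:%S"),
                       "id": int(m.group(2)), **fields})
    return events

def find_guessing_success(events, min_failures=2, window=timedelta(minutes=10)):
    """A 4624 preceded, within the window, by >= min_failures 4625s for the same
    account from the same source: password guessing that eventually succeeded."""
    hits = []
    for ev in events:
        if ev["id"] != 4624:
            continue
        key = (ev.get("Account"), ev.get("Source"))
        prior = [f for f in events if f["id"] == 4625
                 and (f.get("Account"), f.get("Source")) == key
                 and ev["time"] - window <= f["time"] < ev["time"]]
        if len(prior) >= min_failures:
            hits.append({"account": key[0], "source": key[1], "failures": len(prior),
                         "success_at": ev["time"].strftime("%H:%M:%S")})
    return hits

def services_after_logon(events, hits, window=timedelta(minutes=15)):
    """7045 service installs shortly after a flagged logon: the execution step
    whose ImagePath you then chase into Prefetch and the $MFT."""
    found = []
    for h in hits:
        t0 = datetime.strptime(h["success_at"], "%H:%M:%S")
        for ev in events:
            if ev["id"] == 7045 and t0 <= ev["time"] <= t0 + window:
                found.append((h["account"], ev.get("Name"), ev.get("ImagePath")))
    return found
```

Run `services_after_logon(evs, find_guessing_success(evs))` on `evs = parse_security_log(SECURITY_LOG)` to get the account, service name and binary path to carry into the Prefetch and $MFT questions.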

13. Analyze this artifact ($MFT). A file `C:\Windows\Temp\svc.exe` shows these $MFT times: Standard-Information CREATED = 2025-05-02 08:04:50, but FileName-attribute CREATED = 2017-03-11 12:00:00. (a) What anti-forensic technique does this discrepancy indicate? (b) Which timestamp do you trust more, and why? (c) Why is it valuable that NTFS keeps two sets of timestamps?

14.† Analyze this artifact (Linux). On a Linux web server you find:

[/var/log/auth.log]
May  2 08:30:01  sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51002
May  2 08:31:44  sudo: deploy : COMMAND=/bin/bash
[deploy ~/.bash_history]
(empty file, 0 bytes)
[crontab -l for user deploy]
*/10 * * * * /tmp/.cache/beacon.sh

(a) Reconstruct the activity. (b) The .bash_history is empty on an account that clearly ran commands — what does that tell you, and is it a dead end? (c) What is the cron entry, and what stage of the attack does it represent?

15. You find Windows Event ID 1102 ("the audit log was cleared") at 14:00, and the Security log contains no events at all before that time. A teammate concludes "the attack started at 14:00." Explain why that conclusion is wrong and what the 1102 event actually tells you.

16.† Explain why the absence of evidence (a cleared log, an empty history, a deleted-but-prefetched binary) is itself evidence. Give two concrete examples from the chapter and say what each lets you conclude.


Part D — Build the timeline ⭐⭐–⭐⭐⭐

17.† Build the timeline. Merge these three illustrative sources into one UTC-sorted, source-tagged timeline, then write one sentence identifying the probable initial access.

SOURCE: Windows Security (UTC)
  09:15:22  service installed "Helper" -> p.exe
  09:14:50  network logon  account=svc_sql
SOURCE: $MFT (UTC)
  09:14:58  C:\ProgramData\p.exe  created
SOURCE: Firewall/VPN (UTC)
  09:03:11  VPN connect  user=mwong  src=198.51.100.20

18. In Exercise 17, suppose the Windows Security source was reported in US-Eastern local time (UTC−4 during daylight time) while the others were already UTC, and nobody noticed. Recompute the merged order and explain how the un-normalized source corrupts the narrative. Which normalization step was skipped?
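A merge tool for Exercises 17 and 18, added here as an example rather than taken from the chapter: it normalizes each source to UTC before sorting (the step Exercise 18 describes as skipped) and flags unexplained gaps in the merged result. The three sources are the illustrative records from Exercise 17; the calendar date 2025-05-02 and the 1-hour gap threshold are assumptions, since the exercise gives clock times only.

```python
from datetime import datetime, timedelta, timezone

DAY = "2025-05-02"  # assumed date; the exercise gives clock times only

# Constructed input: the three illustrative sources from Exercise 17, as raw lines.
SOURCES = {
    "WinSecurity":  ['09:15:22  service installed "Helper" -> p.exe',
                     "09:14:50  network logon  account=svc_sql"],
    "$MFT":         [r"09:14:58  C:\ProgramData\p.exe  created"],
    "Firewall/VPN": ["09:03:11  VPN connect  user=mwong  src=198.51.100.20"],
}

def build_timeline(sources, offsets=None):
    """Merge source-tagged lines into one UTC-sorted list of (utc_time, source, description).
    offsets maps a source name to the UTC offset (hours) its clock was really in, e.g.
    {"WinSecurity": -4} for US-Eastern daylight time; unnamed sources are taken as UTC."""
    offsets = offsets or {}
    rows = []
    for src, lines in sources.items():
        tz = timezone(timedelta(hours=offsets.get(src, 0)))
        for line in lines:
            clock, desc = line.strip().split(None, 1)
            local = datetime.strptime(f"{DAY} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            rows.append((local.astimezone(timezone.utc), src, desc))
    rows.sort(key=lambda r: r[0])  # normalize first, then sort; never the reverse
    return rows

def render(timeline):
    """Readable rows: (HH:MM:SS UTC, source, description)."""
    return [(t.strftime("%H:%M:%S"), src, desc) for t, src, desc in timeline]

def large_gaps(timeline, max_gap=timedelta(hours=1)):
    """Consecutive events further apart than max_gap, as (src_before, src_after, seconds).
    An unexplained multi-hour hole in a merged timeline is a prompt to re-check each
    source's clock and time zone before reading it as attacker idle time."""
    gaps = []
    for (t1, s1, _), (t2, s2, _) in zip(timeline, timeline[1:]):
        if t2 - t1 > max_gap:
            gaps.append((s1, s2, int((t2 - t1).total_seconds())))
    return gaps

if __name__ == "__main__":
    for row in render(build_timeline(SOURCES)):
        print(*row)
    # Same data, but WinSecurity's clock was actually US-Eastern (UTC-4), as in Exercise 18:
    print(large_gaps(build_timeline(SOURCES, {"WinSecurity": -4})))
```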

19.† A timeline built only from a host's local event log shows the first attacker activity at 03:02, immediately after which the log was cleared. Two off-host sources (a VPN log and NetFlow) show related activity at 02:02 and 02:30. (a) What is the danger of trusting only the local log? (b) Which sources do you weight most heavily, and why? (c) Restate the corrected initial-access time.

20. Design it. You are designing the inputs to a timeline for Meridian before any incident happens. List five log/artifact sources you would ensure are collected and time-synchronized (referencing NTP), and for each, name one attack stage it would help reconstruct. Why is consistent time synchronization across sources a forensic requirement, not just an IT nicety?


Part E — Scope the breach & root cause ⭐⭐–⭐⭐⭐

21.† Scope the breach. Your only confirmed indicator is a malicious file hash found on one server. Write the ordered sequence of pivots you would perform to determine the full scope of the compromise, naming the new indicator you expect to find at each step. Where does this process typically converge?

22. A scope investigation finds the attacker's tools and a compromised service account on four hosts — including a database server holding customer PII. Explain precisely why this single finding changes the company's legal and regulatory obligations, and what forensic question must now be answered to decide whether to notify.

23.† Root-cause analysis. For the chapter's Meridian case, the proximate event was "ransomware ran on FS-01." (a) State the root cause the investigation found. (b) Explain why rebuilding FS-01 does not address it. (c) Name the specific control fix at the root-cause level and the earlier chapter that owns that control. (d) Where does this RCA finding go in the security program?

24. Distinguish proximate cause from root cause with a non-security analogy of your own, then map your analogy onto the Meridian incident. Why do investigations that stop at proximate cause guarantee recurrence?

25. ⭐⭐⭐ Write the policy. Draft a one-paragraph evidence-handling procedure snippet for Meridian's forensic-readiness standard: cover order-of-volatility acquisition, the write-blocker-and-hash requirement, chain-of-custody documentation, and the point at which legal counsel is engaged. Write it as a policy would read, in imperative voice.


Part F — CTF-style challenge ⭐⭐⭐

26.† The investigation that destroyed its own case. An eager admin discovers ransomware on a server at 22:00. Wanting to help, they: log in to the server as domain admin to "look around," open and read several suspicious files, run an antivirus full scan, delete the malware they find, reboot the server twice, and then call the SOC at 23:30 saying "I cleaned it up — what do you need?" Identify every forensic error in this sequence (there are at least six), state what evidence each error likely destroyed or contaminated, and write the corrected first-30-minutes procedure the admin should have followed instead. (Part of the challenge is recognizing that some damage is irreversible — say so.)


Part G — Interleaved & forward-looking ⭐⭐

27. Interleaved (Ch. 22 + Ch. 25). The ioc_match-style search you built in detection (Chapter 22) and the scoping pivot in this chapter are the same operation run for different reasons. Explain the difference in purpose and timing between using an indicator for detection versus for scoping, and why the same centralized telemetry serves both.

28. Interleaved (Ch. 11 + Ch. 25). Pick two host-hardening measures from Chapter 11 and explain how each also improves forensic readiness — i.e., how hardening a host before an incident makes the post-incident investigation easier or more reliable.

29. Interleaved (Ch. 24 + Ch. 25). During a tabletop, the team must decide whether to immediately power off a server that is beaconing to a command-and-control host. Argue both sides using containment (Ch. 24) and order of volatility (Ch. 25), then state the decision you would make and the one action that lets you have it both ways.

30. ⭐⭐⭐ Open reflection. This chapter argues that "forensics is won or lost before the incident." Write half a page on what that implies for how a security engineer (not just an analyst) should think about logging, retention, and host visibility when designing systems. What would you build differently if you assumed every system you deploy will someday be a crime scene?


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.