
Chapter 7 Checkpoint

The incident-response and forensics toolkit, all together. This mixed quiz pulls from every lesson. Passing means you understand how an organization handles the worst day — containing calmly, investigating rigorously, preserving evidence properly, and making the high-stakes breach call honestly.

How this works

The quiz samples from a larger bank each attempt. The chapter's through-line: truth and evidence, not just uptime. A rehearsed process beats panic; evidence integrity beats clever guessing; the timeline answers every important question; and breach determination rewards preparation and honesty. If a question stings, follow its revisit link.

What you should be able to do now

  • Run the IR lifecycle — six phases, with preparation and lessons-learned as the decisive bookends.
  • Rehearse and recover with tabletops & BC/DR — runbooks/playbooks, running a tabletop, and BIA/RTO/RPO/immutable backups.
  • Preserve evidence with chain of custody — order of volatility, imaging, write blockers, and hashing.
  • Collect the right forensic artifacts — disk, memory, and network, and what each reveals and misses.
  • Reconstruct a timeline — correlate across sources and dodge the timestamp traps.
  • Make a breach determination — incident vs. breach, the evidence required, the regulatory clock, and why honesty wins.

The checkpoint

Required checkpoint

Chapter 7: Incident Response & Forensics

Chapter 7 complete

You now understand the worst day as a disciplined process: a rehearsed lifecycle that stays calm, tabletops and BC/DR that make the prepare and recover phases real, evidence handling that stays trustworthy, artifacts from three sources, a timeline that reconstructs the truth, and a breach determination made on evidence and honesty against a ticking clock. The goal here isn't uptime — it's truth and evidence.

→ On to Chapter 8: Network Security — back to building defenses, starting with the network layer that so many of these attacks traverse, and the segmentation that limits how far an intruder can go.