Best DFIR Interview Questions

The best interview questions for Digital Forensics and Incident Response depend on where the candidate is in the hiring funnel. Questions at the beginning or the end of the funnel need to have different characteristics.

Cyber Security Hiring Funnel

Each stage of the hiring funnel reduces the number of candidates

Phone Screen Questions

At the screening stage, questions should be simpler and mostly have a single correct answer. The goal of this stage is to screen out unqualified candidates who would obviously be a bad fit. You don’t have to identify the number one candidate in this stage, just narrow down the pool.

Traditionally, the screening stage consists of recruiters looking at candidates’ resumes and giving promising candidates a phone screen. A better method would be to create a solution that gives candidates realistic technical challenges online, but that takes a significant amount of effort.

How many timestamps exist on an NTFS filesystem for a single file? What are they?

This question tests if the candidate has regularly looked at a Master File Table (MFT) from Windows systems. The timestamps are:

  • Modified
  • Accessed
  • Changed
  • Birth

A set of these timestamps exists in the $STANDARD_INFORMATION attribute and again in the $FILE_NAME attribute of each file's MFT record. That generally means a single file will have eight timestamps.

Please note that there are variations of this answer that can be correct depending on the circumstances and interpretation. Some people refer to "Changed" as "MFT Entry Modified" or they refer to "Birth" as "Created". Mainly listen for whether the candidate says something like "three" or doesn’t know any of the timestamps.
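To make the "eight timestamps" answer concrete, here is an added example (not code from the original post) that parses a 1024-byte NTFS MFT FILE record and pulls the MACB set out of both $STANDARD_INFORMATION and $FILE_NAME. The record is constructed inline rather than taken from a real disk, and its $STANDARD_INFORMATION Birth time is deliberately set years earlier than its $FILE_NAME Birth time, which is the usual reason analysts compare the two sets. The field offsets follow the on-disk NTFS layout; the sample values (file name, times, record number) are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example: minimal MFT FILE record parser for the two MACB timestamp sets.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
RECORD_SIZE, SECTOR_SIZE = 1024, 512


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def _resident_attribute(attr_type, content):
    """24-byte resident attribute header followed by content padded to 8 bytes."""
    padded = content + b"\x00" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", attr_type, 24 + len(padded), 0, 0, 0, 0, 0,
                       len(content), 24, 0, 0) + padded


def build_sample_record(si_times, fn_times, name):
    """Constructed sample record (not real evidence). Times are (Birth, Modified, Changed, Accessed)."""
    si = struct.pack("<QQQQIIII", *[datetime_to_filetime(t) for t in si_times], 0x20, 0, 0, 0)
    fn = struct.pack("<QQQQQQQIIBB", 5, *[datetime_to_filetime(t) for t in fn_times],
                     0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le")
    body = _resident_attribute(ATTR_STANDARD_INFORMATION, si) + _resident_attribute(ATTR_FILE_NAME, fn)
    attr_offset = 56  # 48-byte header + 6-byte update sequence array, rounded up to 8
    used = attr_offset + len(body) + 4
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, attr_offset, 0x01,
                         used, RECORD_SIZE, 0, 3, 0, 42)
    record = bytearray(RECORD_SIZE)
    record[:48] = header
    record[attr_offset:attr_offset + len(body)] = body
    record[attr_offset + len(body):used] = struct.pack("<I", ATTR_END)
    # Update sequence array: the USN, then the original last two bytes of each sector,
    # which on disk are overwritten with the USN so torn writes can be detected.
    usn = b"\x07\x00"
    record[48:50] = usn
    for i in (1, 2):
        end = SECTOR_SIZE * i
        record[48 + 2 * i:50 + 2 * i] = record[end - 2:end]
        record[end - 2:end] = usn
    return bytes(record)


def apply_fixups(record):
    """Undo the update-sequence fixups; raise if a sector tag does not match the USN."""
    buf = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_offset:usa_offset + 2])
    for i in range(1, usa_count):
        end = SECTOR_SIZE * i
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError(f"update sequence mismatch in sector {i}")
        buf[end - 2:end] = buf[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(buf)


def iter_resident_attributes(record):
    offset = struct.unpack_from("<H", record, 20)[0]
    while offset + 8 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or length == 0:
            break
        if record[offset + 8] == 0:  # resident attribute: content lives inside the record
            content_len, content_off = struct.unpack_from("<IH", record, offset + 16)
            yield attr_type, record[offset + content_off:offset + content_off + content_len]
        offset += length


def _macb(raw):
    birth, modified, changed, accessed = struct.unpack_from("<QQQQ", raw, 0)
    return {"Modified": filetime_to_datetime(modified), "Accessed": filetime_to_datetime(accessed),
            "Changed": filetime_to_datetime(changed), "Birth": filetime_to_datetime(birth)}


def extract_timestamps(record):
    """Return the $STANDARD_INFORMATION and (first) $FILE_NAME MACB sets plus the file name."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    result = {}
    for attr_type, content in iter_resident_attributes(apply_fixups(record)):
        if attr_type == ATTR_STANDARD_INFORMATION:
            result["$STANDARD_INFORMATION"] = _macb(content[:32])
        elif attr_type == ATTR_FILE_NAME and "$FILE_NAME" not in result:
            result["$FILE_NAME"] = _macb(content[8:40])  # times follow the 8-byte parent reference
            result["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
    return result


def count_timestamps(parsed):
    return sum(len(v) for k, v in parsed.items() if k.startswith("$"))


def si_birth_precedes_fn_birth(parsed):
    """$FILE_NAME times are set by the kernel at creation and rarely changed from user mode,
    so an earlier $STANDARD_INFORMATION Birth is the classic hint of a backdated $SI (heuristic)."""
    return parsed["$STANDARD_INFORMATION"]["Birth"] < parsed["$FILE_NAME"]["Birth"]


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

FN_TIMES = (_utc(2024, 3, 10, 9, 0, 0), _utc(2024, 3, 10, 9, 5, 0), _utc(2024, 3, 10, 9, 5, 0), _utc(2024, 3, 10, 9, 5, 0))
SI_TIMES = (_utc(2019, 1, 1, 0, 0, 0),) + FN_TIMES[1:]  # constructed: Birth backdated
SAMPLE_RECORD = build_sample_record(SI_TIMES, FN_TIMES, "evidence.docx")

if __name__ == "__main__":
    parsed = extract_timestamps(SAMPLE_RECORD)
    print(parsed["name"], count_timestamps(parsed), "timestamps")
    for attr in ("$STANDARD_INFORMATION", "$FILE_NAME"):
        for label, value in parsed[attr].items():
            print(f"{attr:22} {label:9} {value.isoformat()}")
    print("SI Birth earlier than FN Birth:", si_birth_precedes_fn_birth(parsed))
```

Two details matter in practice: a record has to have its update-sequence fixups undone before any offset in the second sector is trusted, and a file with both a Win32 and a DOS 8.3 name carries more than one $FILE_NAME attribute, so a real tool reports each of them rather than only the first as this example does.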

Which Windows Event Log shows remote desktop login information on a Windows system?

"Terminal Services Event Log" or "Security Event Log" are both acceptable answers.

13Cubed has an in-depth flow chart on the topic.
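As an added example (not from the original post), the following Python shows what "remote desktop login information" looks like in each of the two acceptable logs and pulls it into one list: Security 4624 events with LogonType 10 (RemoteInteractive), and TerminalServices-LocalSessionManager/Operational events 21 (session logon) and 25 (session reconnect). The events are constructed dictionaries in the shape of a flattened event export; the user names, addresses and times are made up.

```python
# Added example: normalise RDP logons from two Windows event channels.
TS_LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RDP_SECURITY_LOGON_TYPES = {10}          # 10 = RemoteInteractive
TS_LSM_SESSION_EVENTS = {21: "logon", 25: "reconnect"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.23", "TimeCreated": "2024-03-10T09:01:12Z"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup",
     "IpAddress": "10.0.0.5", "TimeCreated": "2024-03-10T09:01:40Z"},   # network logon, not RDP
    {"Channel": "Security", "EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "IpAddress": "-", "TimeCreated": "2024-03-10T08:30:00Z"},           # console logon
    {"Channel": TS_LSM, "EventID": 21, "User": "CORP\\jdoe", "Address": "10.0.0.23",
     "TimeCreated": "2024-03-10T09:01:13Z"},
    {"Channel": TS_LSM, "EventID": 25, "User": "CORP\\admin", "Address": "203.0.113.7",
     "TimeCreated": "2024-03-10T21:47:05Z"},
    {"Channel": TS_LSM, "EventID": 24, "User": "CORP\\jdoe", "Address": "10.0.0.23",
     "TimeCreated": "2024-03-10T12:00:00Z"},                             # disconnect, not a logon
]


def rdp_logons(events):
    """Return RDP logon records from either channel, oldest first, in one common shape."""
    hits = []
    for ev in events:
        if ev["Channel"] == "Security" and ev["EventID"] == 4624 \
                and ev["LogonType"] in RDP_SECURITY_LOGON_TYPES:
            hits.append({"time": ev["TimeCreated"], "user": ev["TargetUserName"],
                         "source": ev["IpAddress"], "evidence": "Security 4624 type 10"})
        elif ev["Channel"] == TS_LSM and ev["EventID"] in TS_LSM_SESSION_EVENTS:
            hits.append({"time": ev["TimeCreated"], "user": ev["User"].split("\\")[-1],
                         "source": ev["Address"],
                         "evidence": f"TS-LSM {ev['EventID']} {TS_LSM_SESSION_EVENTS[ev['EventID']]}"})
    return sorted(hits, key=lambda h: h["time"])


def sources_by_user(events):
    """Map each user to the set of remote addresses they connected from over RDP."""
    out = {}
    for hit in rdp_logons(events):
        out.setdefault(hit["user"], set()).add(hit["source"])
    return out


if __name__ == "__main__":
    for hit in rdp_logons(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['user']:8} from {hit['source']:14} ({hit['evidence']})")
    print(sources_by_user(SAMPLE_EVENTS))
```

When the two channels disagree, the TerminalServices log is usually the more complete record of sessions: it keeps reconnects (25) and disconnects (24) that never produce a fresh 4624, and it survives a Security log that has already rolled over.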

In-Person Interview Questions

Good Questions

At the in-person (or virtual, these days) technical interview with an analyst, the interview questions should generally be more complex and have more than one correct answer. It’s better to have questions with layers. The candidate can demonstrate the depth of their knowledge by answering more follow-up questions.

What happens when you type google.com into your browser's address box and press enter?

This is the classic multi-layered question. There are entire GitHub repos dedicated to answering this question in excruciating detail. The candidate might say "DNS" is the first step, and then you can ask them how DNS works, going deeper with each question.

Another option is to use scenario-based questions. Present the candidate with a realistic scenario that you commonly face on the job.

You notice that one of your endpoints is beaconing to a website of a university in China. How do you proceed?

The candidate should ask follow-up questions about what tools they have in the environment, like if they have firewall logs or an EDR agent on the endpoint. There are many correct approaches the candidate can take. They could look at network data, see if any other hosts show similar behavior, collect live response data, etc. If their knee-jerk reaction is to immediately take the endpoint offline, that’s the wrong move. Tell them that taking that single host offline caused five other hosts to start beaconing to the same website. This still gives the candidate a chance to recover.

You are investigating a ransomware infection. The client had their whole environment encrypted. How do you proceed?

The candidate should ask questions that allow them to scope the engagement. How many systems are there? Do they have unencrypted backups available? Which artifacts would the candidate examine first to try to identify patient 0? You can ask questions about why the candidate took their approach. If they took an image or collected live response data, ask about the pros and cons of the other method to uncover biases.

Bad Questions

Trivia Questions

"What port does X service run on?" is a disturbingly common interview question. It’s google-able. It’s not strongly correlated with a candidate’s skill. And it indicates lack of effort on the part of the interviewer. At best, it’s a phone screen question.

Gotcha Puzzle Questions

"You accidentally remove the executable bit from the chmod binary on Linux. How do you restore it?" This is an obscure scenario unlikely to happen to anyone. The trick is to copy the contents of the chmod binary to a binary with executable permissions.

70% of interviewers who ask gotcha questions did not know the answer themselves until they looked it up online. Okay, I made that statistic up, but it’s definitely over half.

Conclusion

Recruiters should ask shorter, easier questions early in the hiring process. Later, in a technical interview, analysts should ask multi-layered or scenario-based questions. A good hiring process will filter out wildly unqualified candidates early and then give other candidates the opportunity to demonstrate their knowledge of real-world topics.