Incident response

4.6 Explain the importance of prohibited content/activity and privacy, licensing, and policy concepts.

📘CompTIA A+ Core 2 (220-1202)

Incident response is a set of procedures that an organization follows when a security event or policy violation happens.

For the exam, you must understand:

  • What incident response is
  • Why it is important
  • The correct steps to follow
  • How to preserve evidence properly
  • Legal and documentation requirements

This section is very important for scenario-based questions.

1. What Is Incident Response?

An incident is any event that violates company policy or security rules.

Examples in an IT environment:

  • A user downloads illegal software.
  • Malware infects a workstation.
  • Sensitive data is stolen.
  • An employee accesses files they are not allowed to see.
  • A server is compromised by an attacker.

Incident response is the structured process used to:

  • Detect the issue
  • Contain it
  • Preserve evidence
  • Report it properly
  • Prevent it from happening again

2. Why Incident Response Is Important

For the exam, remember these key reasons:

1. Protect Data

Stops further data loss or damage.

2. Maintain Business Operations

Quick response reduces downtime.

3. Preserve Legal Evidence

Evidence must be handled properly if law enforcement becomes involved.

4. Follow Company Policies

Organizations must follow internal security policies and compliance requirements.

3. Basic Steps of Incident Response (High-Level Overview)

You are not expected to know deep cybersecurity frameworks, but you should understand the basic flow:

  1. Identification – Detect the issue.
  2. Containment – Stop the damage from spreading.
  3. Eradication – Remove the threat.
  4. Recovery – Restore systems safely.
  5. Documentation – Record everything.

Now let’s focus on the specific exam objectives.

4. Chain of Custody

What Is Chain of Custody?

Chain of custody is a documented record of who handled evidence and when.

It proves that evidence was not altered, tampered with, or damaged.

This is very important if:

  • The case goes to court
  • Law enforcement becomes involved
  • Internal investigation is required

Why It Matters

If you cannot prove who handled the device or data:

  • Evidence may be rejected in court.
  • The organization may face legal consequences.
  • The investigation may fail.

What Must Be Recorded?

Chain of custody documentation includes:

  • Who collected the evidence
  • Date and time it was collected
  • Where it was stored
  • Who accessed it
  • When it was transferred
  • Why it was transferred

Every transfer must be documented.

Example in IT Environment

If a laptop contains stolen company data:

  • The IT technician collects it.
  • It is placed in secure storage.
  • It is later handed to the security team.
  • It may be transferred to law enforcement.

Each step must be recorded.

5. Informing Management or Law Enforcement

Do NOT Act Alone

As a technician, you must follow company policy.

You should:

  • Inform your supervisor
  • Inform the security team
  • Follow escalation procedures

When to Involve Law Enforcement

Law enforcement may be required if:

  • There is criminal activity
  • Data theft occurred
  • Financial fraud happened
  • Illegal content is discovered
  • Regulatory laws require reporting

Important Exam Tip

Technicians should never contact law enforcement directly unless company policy says so.

Always:

  1. Follow company policy.
  2. Notify management.
  3. Escalate properly.

6. Copy of Drive (Data Integrity and Preservation)

Why You Should NOT Work on the Original Drive

When investigating an incident:

  • Never modify the original drive.
  • Do not boot from it normally.
  • Do not open files directly.

This can:

  • Change timestamps
  • Modify metadata
  • Destroy evidence

Proper Procedure

You must create a forensic image (bit-by-bit copy) of the drive.

This ensures:

  • Original data remains untouched.
  • Investigation is done on a copy.
  • Evidence is preserved.

Data Integrity

To prove data was not altered, technicians use:

  • Hash values (such as SHA or MD5)

A hash creates a digital fingerprint of the data.

If the hash of the original and the copy match:
→ The copy is identical.

Key Exam Points

  • Always work on a copy.
  • Preserve the original.
  • Use write blockers when necessary.
  • Verify integrity with hashing.

7. Incident Documentation

Documentation is critical.

If it is not documented, it did not happen.

What Should Be Documented?

  • Date and time of incident
  • How it was discovered
  • Systems affected
  • Actions taken
  • People notified
  • Evidence collected
  • Final resolution

Why Documentation Is Important

  • Provides legal protection
  • Helps with future investigations
  • Helps improve security policies
  • Required for audits and compliance

Best Practice

Documentation should be:

  • Clear
  • Detailed
  • Accurate
  • Objective (no personal opinions)

8. Order of Volatility

This is a very common exam question.

What Is Order of Volatility?

Order of volatility refers to the order in which you collect evidence, starting with the most temporary (easily lost) data first.

Some data disappears quickly when a system is powered off.

Correct Order (From Most Volatile to Least Volatile)

  1. CPU cache and registers
  2. RAM (memory)
  3. Network connections and processes
  4. Temporary files
  5. Hard drive data
  6. Backup media

Why This Matters

If you shut down a system before collecting volatile data:

  • RAM contents are lost.
  • Active network sessions disappear.
  • Running processes cannot be examined.

Example in IT Environment

If a server is compromised:

Before powering it off:

  • Capture memory.
  • Record active network connections.
  • Document running processes.

Then proceed with further actions.

9. Important Exam Reminders

For scenario questions, remember:

✔ Preserve Evidence

Do not modify original data.

✔ Follow Company Policy

Escalate properly.

✔ Maintain Chain of Custody

Document every transfer.

✔ Capture Volatile Data First

Before shutting down systems.

✔ Document Everything

Keep accurate records.

10. Common Exam Mistakes to Avoid

❌ Immediately shutting down a system
❌ Investigating without authorization
❌ Working directly on the original drive
❌ Failing to notify management
❌ Not documenting actions

Final Exam Summary (Must Remember)

Incident response in CompTIA A+ focuses on:

  • Proper handling of security incidents
  • Preserving digital evidence
  • Following company policy
  • Maintaining legal compliance
  • Protecting data integrity

Key terms you must know:

  • Incident response
  • Chain of custody
  • Forensic image
  • Hash value
  • Data integrity
  • Order of volatility
  • Documentation
  • Escalation procedures
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by