DFIR Interview Questions

The following was a post I wrote for my blogger about a year ago. Not only do I think the concept of the post is very relevant, but I felt it needed an update before reposting.

Interviewing is a significant part of the life of a DFIR professional, whether you are performing the interview or being interviewed. There is a wide range of thought as to how an interview should be performed. Some teams do one-on-one interviews with the manager and the candidate. Other teams do a panel interview where anyone with some seniority on the team interviews the candidate. Then there are the types of questions. Should interviews be primarily technical or should they be cultural? Should there be a hands-on technical portion of the interview?

I really think we need to reflect on the purpose of an interview and take into account the whole person. Technical skills can often be learned, many times on the job. The focus should be on the personality of the individual. Determine whether they have the right passion for the topic. Too often I have gotten the Port/Protocol trivia during the interview. Of course someone being hired into an incident response position should know that DNS runs on UDP 53 for normal name resolution and TCP 53 for zone transfers. But moving beyond the common well-known ports will only lead the interview into a zone of confusion.

We also may have to accept that DFIR is not rocket science. Certainly it is a lot of fun. It can be very challenging when the puzzle is complex. But mostly DFIR involves validating that our cybersecurity tools are working properly through the use of digital forensic techniques. Did the anti-virus actually stop the ransomware infection? Are there other hosts that were compromised?

I was sitting at work thinking about some good interview questions for a person who was trying for a job in incident response, forensics, and malware analysis. This line of thought was motivated by a recent blog post I read about T-Shaped Analysts (http://www.realcybercrime.com/the-t-shaped-analyst/). The idea is that every analyst should have a list of basic skills and should specialize in a topic of their choice.

An interview serves three purposes. First, in a technical position we want to see if they have a basic understanding of the field. This is not a certification exam and the questions should not be simple trivia. Reasonably, even some experienced candidates cannot memorize obscure facts. Second, we want to see if the candidate can solve some scenario-based problems, particularly those directly related to the job they are entering. These questions should be framed in a way that there is more than one answer. There will certainly be wrong answers, but there is not a single answer that is correct. Third, we want to see if they will be a good fit for the workplace culture that exists or that we are trying to cultivate.

The following questions are just some ideas for good interview questions. It would not be wise to ask a prospective employee all of these questions. You want to be sure that they have some time to ask questions themselves about the company.

Update 2016-08-23: I added some more general interview questions, which certainly are not Incident Response specific. I really need to update some of the technical questions too. Will update that later.

Topic Opener

Is a hotdog a sandwich?

Tell me about your current job. Give me a brief summary of that job — just a few sentences to outline your major duties and responsibilities. What are the standards of successful performance? How well did you meet them?


Let’s talk about a major accomplishment you’re proud of in your current job (previous job, education).

What was the Problem or challenge?

What Action did you take?

What was the Result?

What did you Learn?

How have you Applied it?

Self-Appraisal: What qualities did you use to accomplish that? Give me examples where you demonstrated those qualities.

If I called (name of manager, peer, direct report, or client) how would he/she say you were able to . . ?

General Cultural:

How is your lab configured at home? If you do not have a lab, how would you set one up?

Are there any blogs you follow?

What motivates your interest in the cyber security field?

What is a topic you are currently studying?

Networking 101:

What port does DNS operate on?

If connectivity is lost on a workstation, what is the first thing you should check?

You are a network administrator who has been assigned a class C subnet and want to split that subnet in half. How would you configure the subnet mask?

When an Ethernet frame passes through a router, what happens to the MAC address?

What is Network Address Translation?

What happens when you type ‘http://www.google.com’ into your web browser? (Stole this one from @mubix)

System Administration 101:

How would you tell from the command line what the MAC address is of one of your network interfaces?

What is the version number of Windows 7?

Where would you go to view the installed device drivers on a system?

What tool could you use to remotely administer a Windows host through the command line?

What log would show login information on a Windows host?

How would you set up a scheduled job on a GNU/Linux machine?

Cyber Security 101:

Explain the difference between a firewall, an intrusion prevention system, and an intrusion detection system.

What is a disadvantage of signature-based malware detection?

What is a zero-day vulnerability?

A user reports that they received a suspicious looking email. How do you proceed?

Programming 101:

What is a function?

What is the difference between an interpreted language and a compiled language? What are the advantages and disadvantages between the two?

What is machine code?

Do you have a programming language you prefer? Do you have any experience writing software?

Digital Forensics:

What is timeline analysis? What is the pivot point in timeline analysis?

What is a registry hive? What registry hive is only found in volatile memory?

What is the difference between the Modified time-stamp and the Change time-stamp? When is the Birth time-stamp generated?

An incident has been reported that an enterprise host was identified communicating with a known malicious external host. The incident responders have already blocked the communication and have requested the disk for forensic investigation. You are the forensic analyst on duty when the disk arrives. How will you begin the investigation?

Developing IOCs from Malware Samples (a.k.a. Malware Analysis for IR):

What is static analysis?

What is dynamic analysis?

What type of items do you look for during static analysis?

How does static analysis influence how dynamic analysis is performed?

Why would you disassemble or debug an application?

What is a Windows Portable Executable?

How would a piece of malware maintain persistence?

What is the ESP register used for in the Intel x86-32 architecture?

During execution of a piece of malware in a segregated virtual lab environment, the sample was observed making an HTTP GET request for a text file. Because the lab is segregated from the Internet, the sample did not receive the text file. What would you do to move the investigation forward?

Originally published at aubsec.github.io on April 17, 2016.