Run Incident Response and Forensics for Security+ (SY0-701)
Understand incident phases, training, testing, root cause analysis, threat hunting, and evidence handling for Security+.
Incident-response questions on Security+ are about workflow discipline under pressure. The exam wants you to know what happens first, what should be preserved, and how training, tabletop exercises, threat hunting, and lessons learned improve the next response instead of only the current one.
Chain of custody: The documented record of who handled evidence, when they handled it, and how it was transferred or stored.
Order of volatility: The idea that the most fragile evidence should be captured first because it disappears fastest.
What the exam is really testing
CompTIA is usually checking whether you can do three things under pressure:
- keep the order of operations straight
- preserve evidence quality when the scenario implies forensics, legal review, or audit scrutiny
- separate response, hunting, and root cause analysis instead of treating them as the same activity
Incident-response lifecycle
flowchart LR
A["Preparation"] --> B["Identification"]
B --> C["Containment"]
C --> D["Eradication"]
D --> E["Recovery"]
E --> F["Lessons learned"]
What to notice:
- containment happens before eradication
- recovery is not the same as “the incident is over”
- lessons learned are part of the official process, not optional paperwork
Forensics basics Security+ expects
- preserve evidence when it matters
- maintain chain of custody
- document who collected what and when
- prefer methods that minimize evidence alteration where practical
- understand that order of volatility matters
Order of volatility quick table
| Source | Why it matters |
|---|---|
| CPU cache and registers | disappears immediately |
| Memory | highly transient but often rich in attacker artifacts |
| Local disk | more durable but still can be altered by active response |
| Remote logs and centralized telemetry | useful for correlation and may outlive host compromise |
| Archived or backup sources | helpful later, but usually not the first volatile source to capture |
Chain-of-custody example
1case_id: IR-2026-041
2item: laptop-014 memory image
3collected_by: j.singh
4time_utc: "2026-03-28T14:42:00Z"
5hash_sha256: "<computed-hash>"
6transferred_to: m.ortega
7reason: malware investigation
What to notice:
- the record ties evidence to a named artifact and collector
- time and transfer history matter, not just the fact that a file was saved
- hashing supports later integrity verification
Incident decision lens
| If the scenario is really about… | Best first focus |
|---|---|
| malware actively spreading | containment and communication control |
| preserving evidence for a legal or formal review | careful collection and chain of custody |
| understanding whether similar compromise exists elsewhere | threat hunting |
| reducing the chance of repeat failure after recovery | root cause analysis and lessons learned |
Threat hunting and root cause analysis
Security+ also expects you to separate:
- incident response, which handles a detected issue
- threat hunting, which proactively searches for hidden malicious activity
- root cause analysis, which explains why the incident happened and how to reduce repeat risk
These activities overlap, but they are not interchangeable.
Harder scenario question
A workstation used by finance shows signs of active malware beaconing, and legal counsel has already asked the security team to preserve evidence because customer records may be involved. Which response is strongest first?
A. Reimage the workstation immediately so the user can resume work
B. Contain the workstation from the network, preserve relevant volatile and system evidence as safely as possible, and document handling before deeper eradication steps
C. Delete suspicious files manually and skip documentation to save time
D. Wait for the next scheduled tabletop exercise before acting
Best answer: B. The strongest answer balances urgent containment with evidence preservation and documented handling.
Common traps
- eradicating before containment in a live spread scenario
- destroying evidence during cleanup
- confusing recovery with the final lessons-learned review
- treating tabletop exercises as wasted time instead of preparedness
What strong answers usually do
- keep the response phases in order even when the scenario feels urgent
- preserve investigative value when legal, audit, or customer-impact language appears
- separate active response from proactive hunting and from retrospective analysis
- document handling decisions instead of assuming technical containment alone is enough
Quiz
Continue with 4.9 Data Sources & Investigations to connect incident workflow to the evidence and telemetry analysts actually use.