2026 CISSP Study Guide — Domain 7


Incident Response for the CISSP exam — NIST 800-61 phases, order of volatility, chain of custody, forensic imaging, CSIRT roles, and 10 scenario questions modeled on real exam items.

🔴 Preparation — CSIRT, policies, tools
🔵 Detection & Analysis — IOCs, triage
🟢 Contain / Eradicate / Recover — isolate, clean, restore
🟣 Post-Incident — lessons learned, reporting
Overview

NIST 800-61 Incident Response Lifecycle

CISSP tests your ability to sequence IR phases correctly, identify the right action at each phase, handle evidence properly, and understand CSIRT roles.

The NIST 800-61 IR Lifecycle — Cyclical, Not Linear

🔴 Preparation → 🔵 Detection & Analysis → 🟢 Containment · Eradication · Recovery → 🟣 Post-Incident Activity ↩ (back to Preparation)

Lessons learned from Post-Incident Activity feed back into Preparation — strengthening policies, tools, and training before the next incident. The cycle never truly ends.

🔴 Preparation
Establish the CSIRT, define incident response policy, deploy monitoring tools, create contact lists, conduct training, and set up communication channels — before any incident occurs.
CSIRT formation · IR policy · Tools & training

🔵 Detection & Analysis
Identify indicators of compromise (IOCs), correlate events from SIEM/logs/IDS, determine scope and severity, classify the incident, and formally declare it — triggering the response process.
IOC identification · Triage & severity · Incident declaration

🟢 Containment · Eradication · Recovery
Isolate affected systems to stop spread (Containment), remove malware and close attack vectors (Eradication), then restore systems from clean backups and return to production (Recovery).
Isolate & preserve · Remove & patch · Restore & validate

🟣 Post-Incident Activity
Hold a lessons learned meeting within two weeks, document root cause and timeline, update IR procedures, report to management and regulators, and improve defenses based on findings.
Lessons learned · Root cause analysis · Regulatory reporting

⚡ NIST 800-61 vs PDRR — Two Frameworks Tested on CISSP

📋 NIST 800-61: 4-Phase Lifecycle. Current standard; Containment/Eradication/Recovery are one phase.
🔄 PDRR Model: Protect · Detect · Respond · Recover. Older model; maps closely to NIST phases.
🔍 Key Difference: NIST separates Containment from Eradication; PDRR combines them under "Respond".
🎯 CISSP Exam: NIST 800-61 is primary. Know both; recognize both frameworks.

💡 Containment before Eradication — Always: Containment and Eradication are listed together in NIST 800-61 but they are sequential. You must contain first (stop the spread, preserve evidence) before eradicating (removing malware). Cleaning up malware on a system still connected to the network allows the attacker to re-infect immediately — and destroys forensic evidence. Contain → Eradicate → Recover, in that order.
How It Works

Inside Each IR Phase


🔴 Preparation — Building the IR Capability Before Incidents Occur

Preparation is the most important phase — everything that determines how well an organization responds to an incident is built here. Poor preparation means slow, chaotic, and legally risky incident response.

1. Establish the CSIRT: Define team composition — who is on the Computer Security Incident Response Team, their roles, contact information, and escalation paths. Identify internal roles (security, legal, HR, IT) and external contacts (law enforcement, forensics vendors, insurance).
2. Create the IR Policy and Plan: Document what constitutes an incident, classification severity levels (P1–P4), declaration criteria, communication trees, and authority to take systems offline. This must be approved by senior management.
3. Deploy Detection Tools: SIEM (Security Information and Event Management), IDS/IPS, EDR (Endpoint Detection and Response), log aggregation, network monitoring. Ensure baseline behavior is established so anomalies can be detected.
4. Prepare the Forensics Jump Kit: A pre-staged collection of tools used to respond to incidents — write blockers, forensic imaging software, hash calculators, chain of custody forms, bootable media, and evidence storage bags.
5. Train and Exercise: Conduct tabletop exercises, phishing simulations, red team/blue team exercises. Teams that practice IR respond faster and make fewer costly mistakes during real incidents.

CSIRT — Who's on the Team and Why

🔒 Security Analyst
Leads technical investigation. Performs forensic analysis, malware analysis, log review.
⚖️ Legal Counsel
Advises on evidence handling, law enforcement engagement, notification obligations, and liability.
👥 Human Resources
Involved when incident involves employee misconduct or insider threat; manages HR process.
💼 Senior Management
Authorizes major containment actions (taking systems offline), approves public statements.
📢 Public Relations / Communications
Controls external messaging to media, customers, and partners. Manages reputational risk.
🔧 IT Operations
Implements technical containment (firewall rules, isolation), restores systems from backup.

🎯 CISSP Exam Signal: "Who manages communications to the public during an incident?" → Public Relations / Communications officer. "Who must authorize taking the entire network offline?" → Senior management. "Who is involved when the incident involves an employee?" → HR.

🔵 Detection & Analysis — Confirming and Scoping the Incident

The goal of this phase is to determine: Is this actually an incident? What type? How severe? How far has it spread? This analysis drives all subsequent response decisions.

1. Detect Indicators of Compromise (IOCs): Alerts from IDS/SIEM, unusual outbound connections, unexpected account logins, file hashes matching known malware, unusual process execution, failed authentication spikes.
2. Initial Triage: Is this a true positive or false positive? Correlate multiple data sources (firewall logs, endpoint logs, SIEM alerts). Determine initial scope — one system? One subnet? Entire organization?
3. Classify and Prioritize: Assign severity (Critical/High/Medium/Low or P1–P4). Prioritize based on: functional impact (business operations affected), informational impact (data compromised), and recoverability.
4. Formally Declare the Incident: Complete the incident ticket, notify CSIRT members per the escalation matrix, begin the incident timeline documentation. From this point, all actions must be logged with timestamps.

Common Incident Categories (NIST 800-61)

Malware / Ransomware
Unauthorized software execution, file encryption, C2 beaconing
Unauthorized Access
Credential theft, privilege escalation, unauthorized data access
DoS / DDoS
Flooding attacks, service disruption, resource exhaustion
Data Breach / Exfiltration
Sensitive data accessed/copied/transmitted outside organization
Insider Threat
Malicious or negligent employee, contractor, or partner action
Phishing / Social Engineering
Credential harvesting, malicious attachment, BEC fraud
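Added example (not part of the original study guide): the "failed authentication spikes" IOC from step 1 of the Detection & Analysis list, turned into detection logic that runs over log lines. The script parses constructed sshd-style log lines (hosts and IP addresses are made up), flags any source that fails five or more logins against one host inside a 60-second window, and raises the alert to high when the same source later succeeds, which is the triage signal that a credential has been guessed. The threshold, window and severity labels are assumptions chosen for the example, not values from NIST 800-61.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (sshd-style syslog lines); not from any real system.
SAMPLE_AUTH_LOG = """\
2026-03-02T09:00:01 host1 sshd[2031]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
2026-03-02T09:00:04 host1 sshd[2031]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
2026-03-02T09:00:07 host1 sshd[2033]: Failed password for root from 203.0.113.45 port 51024 ssh2
2026-03-02T09:00:09 host1 sshd[2033]: Failed password for root from 203.0.113.45 port 51025 ssh2
2026-03-02T09:00:12 host2 sshd[1187]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2
2026-03-02T09:00:15 host1 sshd[2035]: Failed password for svc_backup from 203.0.113.45 port 51026 ssh2
2026-03-02T09:00:18 host1 sshd[2035]: Failed password for svc_backup from 203.0.113.45 port 51027 ssh2
2026-03-02T09:00:30 host1 sshd[2040]: Accepted password for svc_backup from 203.0.113.45 port 51031 ssh2
2026-03-02T09:01:10 host2 sshd[1190]: Failed password for invalid user test from 198.51.100.7 port 40111 ssh2
2026-03-02T09:05:00 host3 sshd[3100]: Accepted publickey for alice from 192.0.2.10 port 50200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_line(line):
    """Parse one sshd line into a dict, or return None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_auth_spikes(lines, threshold=5, window_seconds=60):
    """Flag (source IP, host) pairs with >= threshold failed logins inside a sliding window.

    A later successful login from a flagged source raises the alert to 'high': a spike
    followed by success is the pattern of a guessed or stuffed credential and belongs at
    the top of the triage queue. Threshold and window are example assumptions.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (src, host) -> failure timestamps still inside the window
    total = defaultdict(int)      # (src, host) -> every failure seen
    alerts = {}                   # (src, host) -> alert dict, created when threshold is hit
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        if ev["outcome"] == "Failed":
            total[key] += 1
            q = recent[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if key in alerts:
                alerts[key]["failures"] = total[key]
            elif len(q) >= threshold:
                alerts[key] = {
                    "src": ev["src"], "host": ev["host"],
                    "first_seen": q[0].isoformat(), "triggered": ev["ts"].isoformat(),
                    "failures": total[key], "severity": "medium",
                    "success_after_spike": None,
                }
        elif key in alerts:       # Accepted login from a source already flagged
            alerts[key]["severity"] = "high"
            alerts[key]["success_after_spike"] = {"user": ev["user"], "at": ev["ts"].isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_auth_spikes(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Run against the sample, only 203.0.113.45 against host1 is flagged (six failures, then an accepted login as svc_backup, so severity high); the two failures from 198.51.100.7 never reach the threshold, which is the false-positive filtering that step 2 (Initial Triage) asks for.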

🟢 Containment → Eradication → Recovery

These three sub-phases must happen in strict order. Skipping Containment to jump to Eradication is one of the most dangerous mistakes in incident response.

STEP 1 — Containment: Stop the Spread

A. Short-term containment: Immediately isolate affected systems (disconnect from network, block traffic via firewall ACL) to prevent spread — while keeping systems powered on to preserve volatile evidence in RAM.
B. Forensic evidence preservation: Before any changes are made — capture memory (RAM), take disk images, hash all evidence. This is the last chance to collect volatile data. Evidence collected here may be used in legal proceedings.
C. Long-term containment: Implement temporary fixes (block malicious IPs, disable compromised accounts, patch critical vulnerability) to allow business to continue while full eradication is prepared.

STEP 2 — Eradication: Remove the Threat

A. Identify root cause: How did the attacker get in? What vulnerability was exploited? Were there other backdoors installed? Complete root cause analysis before cleaning — or the attacker re-enters immediately.
B. Remove malware and close vectors: Delete malicious files, remove persistence mechanisms (registry keys, scheduled tasks, service entries), patch the exploited vulnerability, reset all compromised credentials.

STEP 3 — Recovery: Return to Production

A. Restore from known-good backup: Rebuild affected systems from clean baseline images or trusted backups. Verify backup integrity before restoration — a compromised backup re-infects the system.
B. Enhanced monitoring: Return systems to production under heightened monitoring for at least 30 days. Confirm no reinfection or residual attacker presence before fully declaring the incident closed.
C. Validate and declare recovery: Verify systems are clean, patched, and operating normally. Update stakeholders. Formally close the active incident record and transition to Post-Incident Activity.

🔬 Digital Forensics — Evidence Handling & Order of Volatility

Evidence must be collected in order from most volatile (data that disappears first when power is lost) to least volatile. Reversing this order destroys irreplaceable evidence.

Order of Volatility — Collect in This Sequence:

1. CPU Registers & Cache [Most Volatile] — Lost in nanoseconds if power is interrupted. Nearly impossible to capture in practice.
2. RAM (Physical Memory) [Capture FIRST] — Running processes, open network connections, encryption keys, logged-in users, clipboard contents. Lost when system is powered off. Capture first.
3. Network State [Very Volatile] — ARP cache, routing tables, active network connections, open sockets, firewall states. Lost when network interfaces change or system reboots.
4. Running Processes [Volatile] — Active process list, process memory, parent/child relationships, opened file handles. Snapshot with process listing tools while system is live.
5. Disk / Storage (HDD / SSD) [Persistent] — File system contents, deleted files (recoverable), registry hives, event logs, swap/page files. Persistent across reboots — capture after volatile items.
6. Logs & Remote Logging / SIEM [Semi-persistent] — Centralized syslog, SIEM events, application logs. May be retained per policy — but could be overwritten if retention limit is reached.
7. Backup Media / Archival [Least Volatile] — Backup tapes, cloud snapshots, archival storage. Least volatile — retained per backup policy, often available weeks or months after the incident.

Chain of Custody — Maintaining Evidence Integrity

1. Identify and label evidence: Tag every piece of evidence with case number, date/time of collection, location, collector's name and signature. Use evidence bags for physical media.
2. Create forensic image: Make a bit-for-bit copy of storage media using a write blocker to prevent any modification of the original. Calculate and record MD5 or SHA-256 hash of both original and image.
3. Verify integrity: Recalculate hash after imaging. Original hash must match image hash — proving the copy is identical and unmodified. Mismatching hashes mean the evidence is tainted.
4. Secure storage: Store original evidence in tamper-evident bags in a locked evidence room with restricted access. All access must be logged. Work only from forensic copies, never from originals.
5. Document every transfer: Every time evidence changes hands — analyst to analyst, facility to court, lab to storage — document the transfer with signatures, date, time, and reason. Any gap in the chain makes evidence inadmissible.

🚨 Write Blocker is Mandatory: Connecting a suspect drive directly to an analysis system — even read-only — can modify access timestamps and metadata, tainting the evidence. A hardware write blocker sits between the evidence drive and the forensic workstation, allowing reads but blocking any writes. Without it, evidence may be inadmissible in court.

Legal Hold — When Not to Delete Logs

A legal hold (also called a litigation hold) is a directive to suspend normal data destruction processes — including log rotation, backup overwriting, and scheduled deletions — when litigation or a regulatory investigation is reasonably anticipated.

⚠️ CISSP Exam Trap: "The routine log rotation policy deleted 90-day-old logs during an active investigation." This is a failure — legal hold was not implemented. Once an incident is declared (especially if breach notification is likely), all potentially relevant data must be preserved, even if it contradicts normal retention schedules. Destroying evidence after a legal hold obligation arises may constitute spoliation — a serious legal violation.
Compare

IR Phase Comparison

All four NIST 800-61 phases across every CISSP-relevant dimension.

Each criterion below is given for the four phases: 🔴 Preparation · 🔵 Detection & Analysis · 🟢 Contain / Eradicate / Recover · 🟣 Post-Incident

Phase Basics

Timing
🔴 Before any incident — ongoing
🔵 During active incident — discovery phase
🟢 During active incident — response phase
🟣 After incident is closed

Primary Goal
🔴 Build IR capability before incidents occur
🔵 Confirm, scope, and classify the incident
🟢 Stop spread, remove threat, restore operations
🟣 Learn, improve, report, and update defenses

Key Deliverable
🔴 IR policy, CSIRT roster, jump kit, trained team
🔵 Incident ticket, severity classification, scope map
🟢 Contained environment, clean systems, restored service
🟣 Lessons learned report, updated procedures

PDRR Equivalent
🔴 Protect
🔵 Detect
🟢 Respond
🟣 Recover (with lessons)

Key Actions

Key Actions
🔴 Form CSIRT, write IR policy, deploy SIEM/IDS, prepare jump kit, train team
🔵 Review SIEM alerts, correlate logs, triage IOCs, classify severity, declare incident
🟢 Isolate systems, preserve evidence (RAM/disk), remove malware, patch, restore backup
🟣 Lessons learned meeting, root cause analysis, update IR plan, regulatory notifications

Evidence Handling
🔴 Prepare forms, evidence bags, write blockers, forensic imaging tools
🔵 Begin incident timeline documentation; do not alter systems
🟢 Capture RAM first, disk image with write blocker, establish chain of custody
🟣 Evidence preserved per legal hold; documented for potential prosecution

Who Leads
🔴 CISO / Security Manager — strategic planning
🔵 Security Analyst — technical investigation
🟢 Incident Commander + IT Ops + Forensics
🟣 CISO + Legal + Compliance — reporting

Exam Signals

CISSP Exam Signals
🔴 "CSIRT," "IR policy," "jump kit," "tabletop exercise," "training," "playbook," "before the incident"
🔵 "IOC," "SIEM alert," "triage," "classify severity," "false positive," "incident declaration," "scope"
🟢 "isolate," "contain," "preserve evidence," "root cause," "eradicate malware," "restore from backup," "patch"
🟣 "lessons learned," "post-mortem," "root cause report," "update procedures," "regulatory notification," "after the incident"

Common Exam Trap
🔴 Skipping preparation — assuming IR can be improvised during an incident
🔵 Skipping to containment before confirming scope — may miss other compromised systems
🟢 Eradicating before containing — attacker can re-infect; evidence destroyed
🟣 Skipping lessons learned — NIST 800-61 requires it; not optional
Real Examples

IR Scenarios

Six scenarios modeled directly on CISSP exam question formats.

🔴 Forensic Evidence — RAM Capture During Active Ransomware
Scenario: A responder arrives at a workstation that has been encrypted by ransomware. The ransom note is visible on screen. The system is still powered on and connected to the network.

Correct first action: Capture RAM before disconnecting the system. RAM contains the ransomware's encryption key (in many ransomware variants, especially older ones), running process list, open network connections (C2 server IP), and registry hives mapped into memory. Once the system is powered off, all of this is gone permanently.

Sequence: (1) Capture RAM using live forensics tool (e.g., Magnet RAM Capture, DumpIt). (2) Document network connections (netstat -an). (3) Disconnect from network (containment). (4) Image the disk with a write blocker. (5) Calculate hashes to verify integrity.

What NOT to do: Do NOT shut down or restart the system immediately — this destroys volatile evidence. Do NOT run antivirus scan on the live system — this modifies timestamps and may destroy evidence.

CISSP note: "What is the first step when responding to a live system?" = capture volatile data (RAM). Always follow order of volatility: most volatile first.
🔵 Chain of Custody — Disk Image Integrity
Scenario: A forensic investigator uses a hardware write blocker to create a bit-for-bit image of a suspect hard drive. She calculates an MD5 hash of the original drive: a3f5b2c1.... After imaging, she calculates the MD5 hash of the forensic image: a3f5b2c1.... The hashes match.

What this proves: The forensic image is an exact, unmodified copy of the original drive. No data was added, removed, or altered during the imaging process. The image can be used for analysis without touching the original evidence.

What happens in court: The investigator can testify that the image is a verified exact copy of the original. The matching hashes are the technical proof. Any analysis performed on the image carries the same evidentiary weight as analysis on the original — without risking contamination of the original.

Why the write blocker matters: Even a read-only filesystem mount can update file access timestamps. A hardware write blocker is an electronic device that allows the forensic workstation to read from the evidence drive while physically preventing any write commands from reaching it.

CISSP note: Three elements for admissible digital evidence: (1) Collected without modification (write blocker), (2) Integrity verified (matching hashes), (3) Unbroken chain of custody (documented handoffs).
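Added example (not from the study guide) that serves both the chain-of-custody steps in the forensics section and this scenario: a Python model of forensic imaging with hash verification, plus a custody record that detects a gap in the chain of handoffs. The "evidence drive" is a constructed byte string standing in for the raw device behind a write blocker; the case number, item id and custodian names are placeholders. SHA-256 is used rather than MD5 because it is the stronger of the two algorithms the guide names; the check itself is the same either way.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a raw evidence drive: 10,266 bytes of deterministic content.
# A real acquisition reads the block device through a hardware write blocker instead.
ORIGINAL_DRIVE = b"CONSTRUCTED-EVIDENCE-DRIVE" + bytes(range(256)) * 40


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(source, block_size=4096):
    """Bit-for-bit copy of `source`, hashing the bytes as they are read.

    Returns (image_bytes, acquisition_hash). Hashing during the read means the recorded
    hash describes the original exactly as it was at acquisition time.
    """
    digest = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(source), block_size):
        block = source[offset:offset + block_size]
        digest.update(block)
        image.extend(block)
    return bytes(image), digest.hexdigest()


def verify_image(image, acquisition_hash):
    """Recompute the hash of the copy; True only if it matches the hash recorded at acquisition."""
    return sha256_hex(image) == acquisition_hash


def _iso(when):
    """Accept a datetime or an already formatted ISO-8601 string."""
    return when.isoformat() if hasattr(when, "isoformat") else str(when)


class CustodyLog:
    """Chain-of-custody record for one evidence item.

    Every entry names who handed the item over and who received it. A transfer whose giver
    is not the holder recorded by the previous entry is a gap in the chain.
    """

    def __init__(self, case_id, item_id, collector, location, collected_at, item_hash):
        self.case_id, self.item_id, self.item_hash = case_id, item_id, item_hash
        self.entries = [{"action": "collected", "from": None, "to": collector,
                         "location": location, "at": _iso(collected_at), "note": ""}]

    def transfer(self, giver, receiver, reason, at, location=""):
        self.entries.append({"action": "transferred", "from": giver, "to": receiver,
                             "location": location, "at": _iso(at), "note": reason})

    def current_custodian(self):
        return self.entries[-1]["to"]

    def gaps(self):
        """Indexes of entries whose giver is not the custodian recorded by the previous entry."""
        holder = self.entries[0]["to"]
        found = []
        for i, entry in enumerate(self.entries[1:], start=1):
            if entry["from"] != holder:
                found.append(i)
            holder = entry["to"]
        return found

    def is_intact(self):
        return not self.gaps()


def acquire_and_document(source, case_id, item_id, collector, location, when):
    """Image the drive, verify the copy against the acquisition hash, and open the custody record."""
    image, acq_hash = acquire_image(source)
    if not verify_image(image, acq_hash):
        raise RuntimeError("image hash does not match acquisition hash; copy is not trustworthy")
    return image, acq_hash, CustodyLog(case_id, item_id, collector, location, when, acq_hash)


if __name__ == "__main__":
    t0 = datetime(2026, 3, 2, 10, 15, tzinfo=timezone.utc)   # constructed collection time
    image, acq_hash, log = acquire_and_document(
        ORIGINAL_DRIVE, "CASE-2026-0042", "HDD-01", "A. Analyst", "Forensics lab", t0)
    log.transfer("A. Analyst", "B. Examiner", "malware analysis", t0.replace(hour=14))
    print("acquisition hash:", acq_hash)
    print("image verified:", verify_image(image, acq_hash))
    print("custody intact:", log.is_intact(), "| holder:", log.current_custodian())
```

Flipping a single bit in the image makes verify_image return False, which is the "mismatching hashes mean the evidence is tainted" rule from step 3; a transfer logged as coming from someone who was never the recorded holder shows up in gaps(), which is the documentation failure step 5 warns about.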
🟢 Containment Strategy — Isolated vs. Coordinated Response
Scenario: An IR team discovers that an APT (Advanced Persistent Threat) actor has been in the network for 6 months. They have identified 12 compromised hosts but suspect there may be more. The attacker appears to be in the exfiltration phase — data is being sent to an external IP.

Containment dilemma: Immediately isolating the 12 known hosts might alert the attacker, who could destroy evidence, activate additional malware, or shift to other compromised systems not yet discovered. A coordinated containment approach — isolating all known hosts simultaneously on a set day — prevents the attacker from reacting.

Two containment strategies:
• Immediate containment: Disconnect now. Stops active exfiltration but risks tipping off the attacker if uncoordinated.
• Coordinated containment: Continue monitoring covertly while identifying all compromised systems, then isolate all simultaneously. Better for APT scenarios.

Legal/management consideration: Continued monitoring of ongoing attacker activity may require legal authorization. Senior management and legal counsel must approve.

CISSP note: Containment strategy (immediate vs. phased/coordinated) is a judgment call based on: risk of evidence destruction, risk of attacker escalation, completeness of compromise knowledge, and legal constraints.
🟣 Post-Incident — Lessons Learned & Regulatory Notification
Scenario: A healthcare company experiences a ransomware attack that encrypted 50,000 patient records for 4 days. The incident is resolved. The CISO declares the incident closed and moves on without conducting a formal lessons learned meeting — the team is exhausted and the systems are running again.

What went wrong: NIST 800-61 requires a lessons learned meeting within approximately two weeks of major incidents. This is not optional. Additionally, under HIPAA, the organization must report a breach affecting 500+ individuals to HHS (Department of Health and Human Services) within 60 days of discovery, and notify affected individuals. Failing to do so is a regulatory violation.

Lessons learned meeting should cover:
• Exact timeline of the incident (how did it start, how was it detected, how long did each phase take?)
• Root cause analysis (what vulnerability was exploited?)
• What the IR plan got right and what it got wrong
• What needs to change in tools, training, or procedures
• Cost and impact assessment

CISSP note: Post-incident is mandatory, not optional. Know key notification timelines: GDPR = 72 hours to supervisory authority; HIPAA = 60 days to HHS; PCI DSS = immediately to card brands. Failure to notify may be a separate violation from the breach itself.
🔵 Legal Hold — When Log Rotation Becomes Evidence Destruction
Scenario: A company discovers a data breach. Their standard policy rotates and deletes logs older than 90 days. On day 92 after the breach began (but during the active investigation), the automated log rotation process deletes the logs containing the initial intrusion evidence.

What should have happened: The moment an incident is declared — particularly one that may involve litigation, law enforcement, or regulatory notification — a legal hold must be issued to suspend all normal data destruction processes, including log rotation, backup overwriting, and scheduled file deletions.

Legal consequences: Deleting evidence after a legal hold obligation has arisen is called spoliation of evidence. Courts can impose adverse inference instructions (telling the jury to assume the destroyed evidence was damaging to the party that destroyed it), sanctions, or default judgments. Even if the deletion was automated and unintentional, the organization may be held responsible if the legal hold was not properly implemented.

CISSP note: Legal hold triggers when litigation or investigation is reasonably anticipated — not just when a lawsuit is filed. Implement legal hold immediately upon incident declaration for significant incidents.
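Added example (not from the study guide) for the Legal Hold section and this scenario: a log rotation routine that applies the 90-day retention policy but refuses to delete anything an active hold covers. The log inventory, hostnames, dates and case number are constructed to reproduce the day-92 deletion described above. Run without the hold, the log holding the initial intrusion evidence is deleted; with the hold in place it is preserved, while an expired log from a system outside the hold's scope is still rotated as normal.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class LegalHold:
    """Preservation directive for one case: which systems, and which log dates, are in scope."""
    case_id: str
    issued: date
    systems: frozenset                 # hostnames whose logs are covered
    scope_start: date                  # earliest log date that must be preserved
    scope_end: Optional[date] = None   # None = open-ended; set only when the hold is released

    def covers(self, system, log_day):
        if system not in self.systems or log_day < self.scope_start:
            return False
        return self.scope_end is None or log_day <= self.scope_end


def rotate_logs(logs, today, holds=(), retention_days=90):
    """Apply the retention policy, but never delete a log that an active hold covers.

    `logs` is an iterable of (system, log_day, filename). Returns the filenames that were
    deleted, kept under hold (with the case id), or simply not yet expired.
    """
    cutoff = today - timedelta(days=retention_days)
    result = {"deleted": [], "on_hold": [], "retained": []}
    for system, log_day, filename in logs:
        if log_day >= cutoff:                       # still inside the retention window
            result["retained"].append(filename)
            continue
        hold = next((h for h in holds if h.covers(system, log_day)), None)
        if hold is not None:                        # expired by policy, preserved by the hold
            result["on_hold"].append((filename, hold.case_id))
        else:
            result["deleted"].append(filename)
    return result


# Constructed log inventory mirroring the scenario: the intrusion began on 2025-12-01.
LOG_INVENTORY = [
    ("web01", date(2025, 12, 1), "web01-2025-12-01.log"),   # holds the initial intrusion evidence
    ("web01", date(2025, 12, 2), "web01-2025-12-02.log"),
    ("web01", date(2026, 2, 20), "web01-2026-02-20.log"),   # day the breach was discovered
    ("db02", date(2025, 11, 28), "db02-2025-11-28.log"),    # unrelated system, outside hold scope
]

# Hold issued on the discovery day for the systems in scope, reaching back before the first
# sign of intrusion. Case number is a placeholder.
HOLD = LegalHold(
    case_id="CASE-2026-0042", issued=date(2026, 2, 20),
    systems=frozenset({"web01"}), scope_start=date(2025, 11, 1),
)

ROTATION_DAY = date(2026, 3, 3)   # day 92 after the intrusion began


def run_scenario():
    """Day-92 rotation without a hold (the exam trap) and with the hold in place."""
    return {
        "without_hold": rotate_logs(LOG_INVENTORY, ROTATION_DAY),
        "with_hold": rotate_logs(LOG_INVENTORY, ROTATION_DAY, holds=[HOLD]),
    }


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(label, outcome)
```

The hold is checked inside the rotation job itself rather than by an operator remembering to pause a cron entry, which is the point of the scenario: an automated, unintentional deletion still counts as spoliation if the hold was never wired into the process that does the deleting.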
🟢 Eradication Failure — Reinfection from Incomplete Cleanup
Scenario: After a malware infection, an IT team runs antivirus on the affected system, quarantines the detected files, and reconnects the system to the network — declaring the incident resolved. Three days later, the same malware reappears on the same system and has spread to two additional machines.

What went wrong — three failures:
1. Incomplete root cause analysis: The team removed the detected malware payload but didn't identify how it entered (phishing email → macro → dropper → backdoor). The attacker retained access via a secondary backdoor not detected by AV.
2. Antivirus is insufficient for eradication: Modern malware uses persistence mechanisms (scheduled tasks, registry run keys, WMI subscriptions, service installations) that survive antivirus quarantine. Full eradication requires reimaging the system from a known-clean baseline.
3. No enhanced monitoring after recovery: NIST 800-61 recommends heightened monitoring after returning systems to production. The reinfection would have been caught earlier with proper monitoring.

CISSP note: Reimaging (wiping and reinstalling from a clean baseline) is always more reliable than cleaning. For significant compromises, reimage rather than attempt to clean. Cleaning leaves residual risk.
Practice Quiz

10 CISSP-Style IR Questions

Scenario-based items modeled on real exam format. Each question maps to a specific IR phase or forensic concept.

Decision Tool

Which IR Phase Are You In?

Answer 3 questions to identify the correct NIST 800-61 phase and recommended next action.

Question 1: Has a security incident been detected and confirmed yet?
(An incident has been formally declared — there is evidence that a system, network, or data has been compromised, and it has been classified as a true positive.)
🔴 No — no active incident; building or maintaining readiness. Developing policies, deploying tools, training team, preparing jump kit.
➡️ Yes — an incident has been declared or is suspected. Active response in progress — need to determine current phase; continue to the next question.

Question 2: Has the incident been contained — are affected systems isolated and is the spread stopped?
(Containment means the threat is no longer spreading. Affected systems are isolated from the network and volatile evidence (RAM) has been preserved.)
🔵 No — still analyzing, scoping, or the threat is still active/spreading. Need to finish detection & analysis, then move to containment.
➡️ Yes — threat is contained, evidence preserved, spread stopped. Ready to move into eradication and recovery; continue to the next question.

Question 3: Have all systems been cleaned, patched, and restored to verified production state?
(Eradication means all malware removed and attack vectors closed. Recovery means systems are validated and back in production under enhanced monitoring.)
🟢 No — still removing malware, patching, or restoring systems. Active eradication and/or recovery in progress.
🟣 Yes — systems restored and validated; incident operationally closed. Ready for post-incident activity: lessons learned and reporting.
Memory Hooks

Mnemonics & Exam Memory Tricks


🔴 Preparation: "Build the Fire Station Before the Fire"
Preparation = everything built before an incident. Team, policy, tools, training. Can't improvise a CSIRT during a breach.

🔵 Detection & Analysis: "Confirm, Scope, Classify"
Detection = Is this real? How bad? How wide? Confirm it's not a false positive. Scope all affected systems. Classify severity before responding.

🟢 Contain / Eradicate / Recover: "Stop · Remove · Restore"
Stop the spread first (Contain). Then Remove the threat (Eradicate). Then Restore clean systems (Recover). Never skip Contain — or you clean a house with open doors.

🟣 Post-Incident: "Learn, Report, Improve"
Post-Incident = mandatory, not optional. Lessons learned meeting. Root cause report. Regulatory notifications. Update the IR plan so next incident goes better.

🎯 The Ultimate IR Exam Cheat Sheet

If the question says… → Think… → Answer

"CSIRT," "IR policy," "jump kit," "tabletop," "before an incident," "playbook," "train the team"
Think: 🔴 Building the fire station → Answer: Preparation

"IOC," "SIEM alert," "triage," "false positive," "classify severity," "scope the incident," "declare"
Think: 🔵 Confirm, scope, classify → Answer: Detection & Analysis

"isolate system," "preserve evidence," "eradicate malware," "patch," "restore from backup," "reimage"
Think: 🟢 Stop · Remove · Restore → Answer: Containment / Eradication / Recovery

"lessons learned," "root cause," "post-mortem," "update IR plan," "notify regulator," "after the incident"
Think: 🟣 Learn, report, improve → Answer: Post-Incident Activity

"first action on live system," "what to collect first," "most volatile data"
Think: RAM disappears on power-off → Answer: Capture RAM first (Order of Volatility)

"write blocker," "hash verification," "bit-for-bit copy," "admissible evidence"
Think: Evidence integrity = matching hashes + write blocker → Answer: Chain of Custody / Forensic Imaging

"do not delete logs," "suspend log rotation," "preserve data for investigation"
Think: Destroying evidence after litigation reasonably anticipated = spoliation → Answer: Legal Hold

"who handles media communications during incident"
Think: PR/Communications officer — not the security analyst → Answer: Public Relations / Communications

"who authorizes taking the entire network offline"
Think: Major business decision = needs executive authority → Answer: Senior Management

"GDPR breach notification timeline"
Think: 72 hours to supervisory authority → Answer: 72 hours (GDPR Art. 33)

"HIPAA breach notification timeline"
Think: 60 days to HHS (500+ individuals) → Answer: 60 days to HHS / 60 days to individuals
🚨 The Four Most-Failed IR Questions:

1. Capture RAM before disconnecting — always. RAM holds encryption keys, active connections, and running processes. The moment a system is powered off, all volatile data is gone. On a live system, collect RAM before anything else.

2. Containment before Eradication — always. Cleaning malware from a system still connected to the network is pointless — the attacker re-infects immediately. And cleaning destroys forensic evidence. Contain first (isolate), then eradicate.

3. Post-Incident Lessons Learned is mandatory. NIST 800-61 requires a lessons learned meeting after significant incidents. "The team was too tired" is not a valid reason to skip it. It updates the IR plan and closes the feedback loop.

4. Legal hold suspends ALL data destruction — including automated processes. Log rotation, backup overwriting, and scheduled deletions must all be paused when an incident may lead to litigation or regulatory action. Failure to implement legal hold can result in spoliation charges.