Chapter 13: Incident-Handling Activities

  1. (2)
    Network connections are volatile because the attacker's device is likely to be removed from the network on detection. Volatile data is characterized by data that can be changed or removed by factors outside of the investigator's control (for example, time or actions by other entities).
    The operating system time is volatile because it can be synchronized using NTP. If there were a discrepancy between the system time and the NTP time, that discrepancy would be invisible to the investigator once the clock was re-synchronized, so the system time should be recorded (alongside an independent reference) at the moment of collection.
    Paging files are not cleared when the process ends; the space is simply marked unallocated. It is overwritten only when a new process is allocated that region of the paging file and writes data to it.
    Network configuration can also be volatile. This is particularly true if DHCP is used.
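    The order-of-volatility reasoning in the answer above translates directly into what a first responder captures, and in what order, before touching the disk. The script below is an added example written for this page (it is not from the original text); it assumes a Linux host with procfs and takes a hypothetical evidence directory as its argument. It records the system clock first (wall clock, epoch and monotonic uptime together, so a later NTP re-sync cannot hide skew), then live connections, processes and network configuration, and finally hashes every capture for the chain of custody.

```shell
#!/bin/sh
# Added example: first-responder capture of volatile artefacts in order of
# volatility, before any disk acquisition. Not part of the original page.
# Assumes a Linux host with procfs; the output directory is hypothetical.

collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1

    # 1. System clock first, paired with the kernel's monotonic uptime.
    #    If NTP later corrects the clock, wall_utc vs uptime still lets an
    #    investigator reason about the skew that existed at collection time.
    {
        echo "wall_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "epoch=$(date +%s)"
        echo "uptime_s=$(cut -d' ' -f1 /proc/uptime 2>/dev/null || echo unknown)"
        echo "tz=$(date +%Z)"
    } > "$out/01_time.txt"

    # 2. Live network connections: these disappear as soon as the attacker's
    #    device leaves the network, so they are captured before anything else
    #    that could disturb them. Raw procfs tables avoid depending on ss/netstat.
    for table in tcp tcp6 udp udp6; do
        cat "/proc/net/$table" > "$out/02_net_$table.txt" 2>/dev/null || true
    done

    # 3. Process list (falls back to a bare ps on minimal systems).
    ps -ef > "$out/03_processes.txt" 2>/dev/null \
        || ps > "$out/03_processes.txt" 2>/dev/null \
        || true

    # 4. Network configuration, which can change on the next DHCP renewal.
    cat /proc/net/route   > "$out/04_routes.txt" 2>/dev/null || true
    cat /proc/net/arp     > "$out/04_arp.txt"    2>/dev/null || true
    cat /etc/resolv.conf  > "$out/04_resolv.txt" 2>/dev/null || true

    # 5. Hash every capture so its integrity can be demonstrated later.
    (
        cd "$out" || exit 1
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum ./*.txt > manifest.sha256
        else
            shasum -a 256 ./*.txt > manifest.sha256
        fi
    )
}

# Usage: sh collect_volatile.sh /mnt/evidence/host1
if [ "$#" -gt 0 ]; then
    collect_volatile "$1"
fi
```

Run it from removable media to an evidence directory rather than to the suspect host's own disk, so the collection itself does not overwrite unallocated space (including freed paging-file regions) that may still hold evidence.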
    The CSIRT needs to send some of the failed hard drives to be destroyed. They choose to use a courier, but a road traffic accident leads to the hard drive containing the data being lost in transit.
  2. (2)
    Asset: M - Disk Drive | Actor: Partner | Action: Error: Loss is the best characterization of this incident. There is no evidence that the hard drive was stolen (intentionally, by an external party), nor that physical damage was caused to the asset. The action must relate back to the asset: the accident involved the courier, not the hard drive.
    The disk drive didn't arrive at the disposal company, so this is not a disposal error.
  3. (1)
    Confidentiality also encompasses the notion of loss of possession, and is included for all lost assets. Availability is also affected because the employee no longer has access to that asset for as long as it takes to be replaced.
    There is nothing to suggest that integrity has been affected.
  4. (4)
    This new data means that the incident can be updated with Confidentiality: .Data Disclosure: Yes / .Data.Variety: Credentials and Internal. There is no indication in the scenario that trade secrets were exposed, nor any personally identifiable data.
  1. (2)
    The incident handling team would move into the remediation phase. The effects of laptop theft would have been contained by the remote wipe, and changing the passwords will contain the effects of the diary loss. The remediation phase will not be complete until the employee has a replacement laptop (to fix the availability issue). Some hardening (for example, re-education about credential storage) and reporting may have already occurred, but the organizational-level changes will not be completed until after remediation.
  2. (1)
    There is no evidential value remaining on the laptop. The forensic evidence that links the threat actor to the incident will already have been found for the police authorities to arrest and charge this individual. Any volatile evidence will be gone, and any files are likely to have been destroyed by the remote wipe.
  3. (2)
    The correct actor designation would be Actor: External / .Motive: Grudge / .Variety: Former employee. If an employee resigns or is let go before the incident, the correct designation is External | Former employee.
    The NA motive is only used when the action is considered unintentional.
  4. (1)
    The impact of this incident was felt on confidentiality only. The integrity of the data within the organization hasn't been affected; the customer data dump is a copy, and no evidence is presented to say that it has been tampered with.
    The availability of the data is not affected for legitimate users.
  5. (4)
    Communication with customers, advising them to change passwords, would be an appropriate remedial action. Blocking credit card numbers shouldn't be required, as the credit-card numbers were incomplete and no authorization information (PINs, CVV, and so on) was included. Communication with customers advising them to look out for fraudulent transactions would be enough to mitigate the risk from the card details.
    Ensuring that user accounts get disabled promptly, and that encrypted files can be inspected, are examples of lesson-based hardening activities.
  6. (2)
    The Network Traffic Logs are the priority for evidence collection. The running processes and the contents of the memory are likely to be irrelevant due to their volatility and the time that has passed since the data actually left the system.
    The encrypted files from the TCP stream are no good to the investigators unless they can decrypt them. There is no evidence to suggest that they have the private key for this.