Here is a list of interview questions compiled by Libby - my Computer Forensics study partner. I've added a few more towards the end. They were sourced from questions posted on websites and questions asked in interviews. Feel free to add more questions and/or any tips for answering in the Comments section.
From my limited (entry-level) interview experience, it seems that character-related questions are just as important as, if not more important than, the technical ones. Having an encyclopaedic technical knowledge is probably less important than showing that you can work effectively with others (i.e. the interviewers). Showing a willingness/capability to learn independently and communicate ideas is also important. I also think that while you should be on your best behaviour (so-to-speak), you should also be YOURSELF. The interviewers will find out one way or another if you are acting. Speaking of which, it can't hurt to get some background on the interviewers (e.g. read their LinkedIn page, their company profile). If you have something in common, you might like to mention it during the interview (in a completely non-stalker way of course!) so as to build a rapport/be more memorable.
- Describe the different file systems (FAT 12, FAT 16, FAT 32, NTFS)?
- Describe the Windows operating systems?
- What imaging tools and techniques are you familiar with?
- What is the basic command line syntax for dd or dcfldd? What are the differences between the two?
- Describe the steps to image a laptop with a bootable forensic CD?
- What are some options to write block a drive before imaging or previewing?
- What are two ways to do a network acquisition using Helix? List hardware and software required for each method.
- What is the bare minimum equipment needed to image a desktop?
- What is an MD5 checksum and how is it used in forensics?
- What are some other hashing algorithms besides MD5?
- What is a .ISO?
- What is a bit level image and how is that different from an ISO?
- What is the SAM file? Which operating system has it?
- What is data carving?
- What is live previewing of a system?
- How would you image a hard drive on a system that cannot be shut down?
- If a file is labeled .tar.gz what is it and why is it in .tar.gz format?
- Describe the chain of custody in detail?
- How would you be able to tell at the hex level that a file has been deleted in FAT 12?
- How would you go about imaging a network without taking it down?
- What is metadata? What is affected by it? What attributes does it represent?
- Why is it important to sanitize your analysis media?
- You have an IDE drive and it is not reading. Why is this?
- Describe the difference between wiping and formatting drives?
- How many timestamps are there in NTFS and what are they?
- Does the registry have any timestamps?
- What is the ntuser.dat file?
- What do the MRU keys tell you in the registry?
- What is a three way handshake in TCP/IP?
- How does TCP differ from UDP?
- What would I bring to the position?
- What are the steps when taking a computer from the home?
- What is the step by step procedure after receiving a hard drive which contains child pornography?
- Someone willingly brings their computer in for some minor offense. After imaging, it is returned to the person. During the examination, child pornography is found. What do you do?
- What is slack space?
- What is unallocated space?
- What are bits, bytes, nibbles and clusters?
- What is the hex value for a deleted file or directory in FAT systems?
- What is the hex value for a directory?
- How do you calculate disk capacity?
- What is volatile data?
- What happens when a disk is formatted?
- What is the numeric base system for hexadecimal, decimal, octal and binary?
- What motivates you?
- What are some challenges to computer forensics in the future?
- Tell us about a time you faced a (technical) challenge and how you overcame it?
- Give us an example of when you worked independently/within a team to meet a deadline?
- Have you ever communicated technical concepts to a non-technical audience?
- What brought you to this point in your career?
- What do you know about our industry? Our organisation?
- How can you help us? e.g. What skills do you have?
- What are your career plans for the next 3 and 5 years?
- What are your strengths/weaknesses?
- Do you have any other interests/hobbies?
And here are some questions candidates might like to ask the interviewers ...
- Where would I fit into the team? How big is the team? What is the experience level of the team?
- What is the technical environment like? What tools/storage/hardware do you use?
- What upcoming projects will I be involved in?
- How is training organised?
- What are the typical working hours/travel requirements?
And here are some websites chock full of forensicky advice goodness for the newbie ...
- "What makes a good forensicator? or how to get a job in Digital Forensics..." (*GRATUITOUS NAMEDROP* Written by Mike Wilkinson - one of my previous Lecturers :)
- Corey Harrell blogs about entry into Computer Forensics
- Harlan Carvey blogs about entry into Computer Forensics
- ForensicFocus Job Seeking Advice by Joe Alonzo
- Magazine Article on Digital Forensics in Australia
- Eric Huber Interviews Detective Cindy Murphy (Law Enforcement)