Question 8 of 10
You receive a potentially compromised Windows workstation that was flagged for suspicious outbound connections to a known command-and-control server. Walk me through your complete forensic analysis process from evidence acquisition to final reporting.
Sample answer preview
Investigating a compromised workstation communicating with a known C2 server requires a methodical, end-to-end forensic approach. Here is how I would conduct this investigation from start to finish. The first phase is preparation and evidence acquisition.
Tags: evidence acquisition, memory analysis, Volatility, disk forensics, super timeline, C2 communication