Forensics is the disciplined collection, preservation, and analysis of evidence to understand what happened during a security event. In plain language, it is the careful evidence work that helps responders reconstruct events instead of guessing.
Forensics matters because security decisions are better when they are based on evidence. Teams need to know what systems were affected, what actions occurred, what data may have been touched, and how the incident unfolded over time.
It also matters because evidence may later support legal, regulatory, insurance, or internal review needs. If evidence is handled poorly, important facts can be lost or become harder to trust.
Forensics appears in endpoint investigations, cloud activity review, log analysis, insider-activity cases, and major incident handling. Teams connect it to Evidence Preservation, Chain of Custody, Indicators of Compromise, Audit Log, and Root Cause Analysis.
| Question | Why it matters |
|---|---|
| What happened? | Establishes the factual narrative |
| When did it happen? | Helps define scope and sequence |
| What was affected? | Supports containment and business impact decisions |
| What evidence supports the conclusion? | Improves trust in the findings |
A responder reviewing suspicious administrator activity collects identity logs, endpoint telemetry, and system timestamps to determine when access began, what accounts were involved, and which systems were touched before containment.
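The scenario above is mostly about correlating evidence that arrives in different formats and time zones. The script below is an added example, not code from the original page: it ingests constructed sample records from three hypothetical sources (an identity-provider log, endpoint telemetry in JSON, and a syslog-style auth log), normalizes every timestamp to UTC, and answers the questions in the table, namely when access began, which accounts were involved and which hosts were touched. It also records a SHA-256 of each raw source before parsing so the findings can be tied back to the preserved evidence. The source formats, host names, account name and the UTC-4 offset of the auth log host are all assumptions made for the example.

```python
"""Unified incident timeline from heterogeneous evidence sources.

Added example, not from the original page. All sources, hosts, accounts and
timestamps below are constructed; the log formats are hypothetical.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# --- Constructed sample evidence (not real data) -------------------------
IDENTITY_LOG = (
    "2024-05-03T09:58:12Z login_success user=svc-backup src=203.0.113.7\n"
    "2024-05-03T10:01:40Z role_assumed user=svc-backup role=Administrator\n"
)
ENDPOINT_TELEMETRY = json.dumps([  # epoch seconds, already UTC
    {"ts": 1714730600, "host": "fs-01", "user": "svc-backup", "proc": "powershell.exe"},
    {"ts": 1714731100, "host": "db-02", "user": "svc-backup", "proc": "cmd.exe"},
])
AUTH_LOG = "May  3 06:02:15 db-02 sshd[2211]: Accepted publickey for svc-backup from 10.0.4.9 port 51022\n"
# syslog lines carry no year or zone; this host wrote local time at UTC-4 (assumed).
AUTH_LOG_YEAR = 2024
AUTH_LOG_TZ = timezone(timedelta(hours=-4))

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\S+: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def fingerprint(raw: str) -> str:
    """SHA-256 of the raw evidence as collected, recorded before any parsing."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def parse_identity_log(raw: str) -> list:
    """Identity-provider events: ISO-8601 UTC timestamp, action, key=value fields."""
    events = []
    for line in raw.splitlines():
        ts, action, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "source": "identity", "host": None,
                       "user": fields["user"], "action": action, "detail": rest})
    return events


def parse_endpoint_telemetry(raw: str) -> list:
    """Endpoint events: JSON records with epoch-second timestamps."""
    events = []
    for rec in json.loads(raw):
        when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        events.append({"ts": when, "source": "endpoint", "host": rec["host"],
                       "user": rec["user"], "action": "process_start", "detail": rec["proc"]})
    return events


def parse_auth_log(raw: str, year: int, tz: timezone) -> list:
    """syslog-style sshd lines: local time without year, converted to UTC."""
    events = []
    for line in raw.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparsed lines are still preserved in the raw source
        local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        when = local.replace(tzinfo=tz).astimezone(timezone.utc)
        events.append({"ts": when, "source": "auth_log", "host": m["host"],
                       "user": m["user"], "action": "ssh_login", "detail": f"from {m['src']}"})
    return events


def build_timeline() -> list:
    """All events from all sources, ordered by normalized UTC time."""
    events = (parse_identity_log(IDENTITY_LOG)
              + parse_endpoint_telemetry(ENDPOINT_TELEMETRY)
              + parse_auth_log(AUTH_LOG, AUTH_LOG_YEAR, AUTH_LOG_TZ))
    return sorted(events, key=lambda e: e["ts"])


def summarize(timeline: list) -> dict:
    """Answer the scoping questions: when did access begin, who, and where."""
    return {
        "first_access": timeline[0]["ts"].isoformat(),
        "accounts": sorted({e["user"] for e in timeline}),
        "hosts": sorted({e["host"] for e in timeline if e["host"]}),
        "evidence": {
            "identity": fingerprint(IDENTITY_LOG),
            "endpoint": fingerprint(ENDPOINT_TELEMETRY),
            "auth_log": fingerprint(AUTH_LOG),
        },
    }


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["host"] or "-", e["user"], e["action"], e["detail"])
    print(json.dumps(summarize(tl), indent=2))
```

Two design points carry over to real investigations: the hash is taken over the raw source before any parsing, so a reviewer can later confirm the analysis ran against the preserved evidence, and the zone conversion is explicit per source rather than assumed, because a single mis-zoned log is enough to reorder the narrative.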
Forensics is not the same as immediate containment. Containment focuses on limiting ongoing harm. Forensics focuses on preserving and analyzing evidence so the organization can understand the event accurately.
It is also different from casual troubleshooting. Troubleshooting asks how to restore function. Forensics asks what happened, when it happened, and what evidence supports that conclusion.