Which practice supports evidence gathering by recording incident handling information?

Boost your cybersecurity skills with our NOCTI Cybersecurity Standard Certification Quiz. Explore detailed questions and explanations to enhance your preparation and succeed on your certification exam!

Multiple Choice

Which practice supports evidence gathering by recording incident handling information?

Explanation:
Capturing and preserving incident information relies on keeping a reliable record of what happened. Backing up log files provides a centralized, time-stamped trail of events, alerts, access attempts, and actions taken by both the attackers and the responders. This record is essential for reconstructing the sequence of events, understanding the scope of the incident, and maintaining a clear history for review or legal purposes. By safeguarding these logs, you ensure evidence remains available even if the original systems are compromised or destroyed, supporting a credible investigation and proper chain of custody. Disk imaging or exact copies of storage, while useful for deep forensic analysis, focus on collecting the data state rather than documenting the ongoing handling actions, and restoration of systems targets recovery rather than evidence recording.

