Forensics vs Incident Recovery

• Goal

  • Incident recovery - Restoration and prevention
  • Forensics - Evidence preservation and legal action

• Attitude

  • Incident recovery - Fix as quick as possible
  • Forensics - Cover and document all details

• End Product

  • Incident recovery - Normal operation
  • Forensics - Sets of documents and evidence

• While these do not agree, they do not have to conflict antagonistically if approached right!

• Incident recovery / response plans should account for Forensic investigations

Notes: