Forensics

Forensics is the disciplined collection, preservation, and analysis of evidence to understand what happened during a security event. In plain language, it is the careful evidence work that helps responders reconstruct events instead of guessing.

Why It Matters

Forensics matters because security decisions are better when they are based on evidence. Teams need to know what systems were affected, what actions occurred, what data may have been touched, and how the incident unfolded over time.

It also matters because evidence may later support legal, regulatory, insurance, or internal review needs. If evidence is handled poorly, important facts can be lost or become harder to trust.

Where It Appears in Real Systems or Security Workflow

Forensics appears in endpoint investigations, cloud activity review, log analysis, insider-activity cases, and major incident handling. Teams connect it to Evidence Preservation, Chain of Custody, Indicators of Compromise, Audit Log, and Root Cause Analysis.

Forensics helps teams understand not only whether an alert was real, but also how broad the impact was and what should be done next.

Practical Example

After suspicious administrator activity is detected, responders collect and review identity logs, endpoint telemetry, and system timestamps to determine when access began, what accounts were involved, and which systems were touched before containment.
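A worked version of that example, added here and not part of the original entry: it hashes the raw evidence before touching it, then merges constructed identity-log and endpoint-telemetry lines (sample data, not real logs; the field names and the +02:00 local offset are assumptions) into a single UTC timeline and reports when access began, which accounts appeared, and which hosts were touched. The endpoint entries are timestamped in local time, so the earliest event only becomes visible once both sources are normalised to UTC.

```python
import hashlib
from datetime import datetime, timezone
# Constructed sample evidence, not real logs. Identity events are in UTC; the
# endpoint telemetry carries a +02:00 local offset, a common mismatch in practice.
IDENTITY_LOG = """\
2024-05-02T08:12:41Z login_success user=jdoe src=203.0.113.7
2024-05-02T08:14:03Z role_grant user=jdoe role=DomainAdmin by=svc-ops
2024-05-02T08:20:55Z login_success user=svc-ops src=203.0.113.7
"""
ENDPOINT_LOG = """\
2024-05-02 10:15:30+02:00 host=fs01 user=jdoe action=process_start cmd=net.exe
2024-05-02 10:22:10+02:00 host=db02 user=svc-ops action=logon_remote
2024-05-02 10:09:00+02:00 host=ws17 user=jdoe action=logon_interactive
"""

def evidence_hash(raw: str) -> str:
    """SHA-256 of the raw evidence, taken before parsing (preservation, chain of custody)."""
    return hashlib.sha256(raw.encode()).hexdigest()
def parse_kv(fields: list[str]) -> dict:
    """key=value tokens to dict; tokens without '=' are ignored."""
    return dict(f.split("=", 1) for f in fields if "=" in f)
def parse_identity(raw: str) -> list[dict]:
    """Identity log: ISO-8601 UTC timestamp, event name, then key=value pairs."""
    events = []
    for line in raw.splitlines():
        ts, event, *fields = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "source": "identity", "event": event, **parse_kv(fields)})
    return events

def parse_endpoint(raw: str) -> list[dict]:
    """Endpoint telemetry: local timestamp with offset, normalised to UTC here."""
    events = []
    for line in raw.splitlines():
        day, clock, *fields = line.split()
        when = datetime.fromisoformat(f"{day} {clock}").astimezone(timezone.utc)
        kv = parse_kv(fields)
        events.append({"ts": when, "source": "endpoint", "event": kv.get("action"), **kv})
    return events

def build_timeline(*sources: list[dict]) -> list[dict]:
    # Merge every source into one chronological list; all timestamps are UTC by now.
    return sorted((e for src in sources for e in src), key=lambda e: e["ts"])

def summarize(timeline: list[dict]) -> dict:
    """The three questions from the example: when access began, which accounts, which hosts."""
    return {"first_access": timeline[0]["ts"].isoformat(),
            "accounts": sorted({e["user"] for e in timeline if "user" in e}),
            "hosts": sorted({e["host"] for e in timeline if e.get("host")})}
```

Running `summarize(build_timeline(parse_identity(IDENTITY_LOG), parse_endpoint(ENDPOINT_LOG)))` shows first access at 08:09:00 UTC on ws17, earlier than anything in the identity log alone.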

Common Misunderstandings and Close Contrasts

Forensics is not the same as immediate containment. Containment focuses on limiting ongoing harm. Forensics focuses on preserving and analyzing evidence so the organization can understand the event accurately.

It is also different from casual troubleshooting. Troubleshooting asks how to restore function. Forensics asks what happened, when it happened, and what evidence supports that conclusion.