Which statement best defines forensics in information security?

• A. The process of erasing data securely to prevent recovery.
• B. The practice of monitoring live network traffic for anomalies.
• C. The application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
• D. The routine creation of forensic reports for legal cases.

Answer: (C)

Forensics in information security is about using specialized investigative tools and analysis techniques to collect and examine evidence from computer systems so you can determine how a data compromise happened, what was involved, and the sequence of events. It focuses on preserving the integrity of evidence (chain of custody) and reconstructing the incident with artifacts like log files, disk images, memory captures, and network traces to explain the root cause and impact. This distinguishes it from actions like securely erasing data, which prevents recovery, or monitoring live network traffic, which is focused on real-time detection. While producing forensic reports is a common outcome, the core practice is the careful gathering and analysis of artifacts to determine what occurred.