Question
At what phase of a security incident response should evidence be collected?
preparation
detection and analysis
containment and eradication
post-incident recovery
In security incident response, the incident is identified during the Detection and Analysis phase, and evidence related to the incident (such as logs and system states) is collected to understand what happened. Preparation is about getting ready, Containment/Eradication is about stopping the incident, and Post-incident Recovery is about restoring systems. So evidence collection occurs in Detection and Analysis.
B. Detection and Analysis (assuming the options are labeled A-D with A: Preparation, B: Detection and Analysis, C: Containment and Eradication, D: Post-incident Recovery)