In incident response, which step focuses on recording actions and evidence?

The main concept here is capturing and preserving actions and evidence during an incident. Recording and preserving what happened, who did what, when it occurred, and what evidence exists is essential for an accurate timeline and for maintaining the chain of custody in forensic analysis. This documentation provides a defensible trail for investigations, supports legal and regulatory needs, and serves as the foundation for later lessons learned. Debrief is about reviewing what happened after containment and recovery to identify improvements, not the act of recording evidentiary steps. Contain focuses on stopping the incident from spreading, and Notify is about informing stakeholders. Because the goal is to systematically record actions and preserve evidence, documenting is the appropriate step.