In incident handling, which activity gathers facts?

• A. Containment.
• B. Documentation.
• C. Investigation.
• D. Analysis.

Answer: (C)

Gaining factual information during an incident is the investigation phase. This step focuses on collecting evidence from systems, logs, and people, asking what happened, when it happened, how it occurred, and who was involved. It includes interviewing staff, preserving the chain of custody for any evidence, and documenting observations to build a solid factual basis for decisions and further analysis. Containment aims to stop the incident and limit damage, not to gather facts. Documentation records what happened and what actions were taken, but its purpose is to capture information rather than actively discover root facts. Analysis then uses the collected facts to interpret and determine root causes and impact. So, the activity that gathers facts is investigation.