RS.AN-3: Performing Incident Forensics (NIST Cybersecurity Framework)
Incident forensics are your organization's window into what happened during a security breach. RS.AN-3 requires you to perform forensic analysis on confirmed or suspected incidents to understand attack vectors, scope, and impact. Without forensic capabilities, you're flying blind during your most critical moments.
What this means
RS.AN-3 mandates that your organization conduct thorough forensic investigations whenever a security incident occurs. This means preserving evidence, analyzing system logs and artifacts, identifying the root cause, determining how long the attacker had access, and documenting what data or systems were compromised. Forensics transform incident response from reactive firefighting into investigative work that strengthens your defenses and supports legal action if needed.
How to comply
- 1.Establish a forensic investigation process that activates immediately upon incident detection, before systems are shut down or evidence is lost
- 2.Preserve evidence using write-blocking tools and isolated storage to maintain chain of custody for potential legal proceedings
- 3.Collect and analyze logs from firewalls, endpoints, servers, and applications to reconstruct the incident timeline
- 4.Examine affected systems for indicators of compromise, malware artifacts, and attacker lateral movement patterns
- 5.Document findings including attack vectors, compromised accounts, accessed data, dwell time, and blast radius
- 6.Train staff on forensic procedures or establish relationships with external forensic specialists for complex incidents
- 7.Retain forensic data and reports for compliance audits and post-incident review
Evidence auditors look for
- Documented incident response and forensics procedures with forensic analysis workflows
- Forensic investigation reports for past incidents showing evidence collection and analysis
- Log retention and preservation policies covering required retention periods
- Incident management tickets demonstrating forensic analysis was performed
- Chain of custody documentation for preserved evidence
- Contracts or service agreements with external forensic firms (if applicable)
- Training records for staff performing forensic analysis
- Timeline reconstructions showing how incidents were analyzed
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically collects and organizes forensic-relevant logs across your infrastructure, preserves evidence with audit trails, and generates incident forensics reports that map directly to RS.AN-3 requirements—turning hours of manual log hunting into minutes.
See how GRCWatch handles this control automatically
Start free trial