What is NOT a step in the recovery stage of incident handling?

In the context of the recovery stage of incident handling, the focus is primarily on restoring operations after an incident has occurred and ensuring that systems are secure and operational again. The correct choice identifies a step that is not typically involved in this phase.

Typically, the recovery stage involves actions such as rebuilding the system by installing a new operating system, examining security patches and logs to assess vulnerabilities, and restoring user data from trusted backups to ensure that the system is back to normal functioning. These activities are essential to ensure that the system is not just operational, but also secure against future incidents.

On the other hand, extracting static evidence, which consists of gathering and preserving any forensic data or artifacts that can be analyzed for incident investigation, is generally part of the investigation or analysis stages, not the recovery stage. The primary goal during recovery is to restore the system and its data to a safe and functional state, not to extract evidence for probing what happened during the incident.