What is the practice of identifying infected systems by looking for evidence of recent infections?

Forensic identification refers to the systematic process of analyzing systems to find traces or evidence of prior intrusions or infections. This practice involves scrutinizing system logs, file structures, or changes in system configurations to uncover indicators of compromise. Forensic identification is thorough and often utilizes tools and methodologies to piece together how the infection occurred, when it took place, and the extent of the damage.

This approach is critical in incident response as it helps security professionals understand the tactics, techniques, and procedures used by attackers. By collecting and analyzing this evidence, responders can ascertain whether an active threat still exists and what measures need to be implemented to mitigate future risks.

In contrast, the other options do not fully encapsulate this investigative depth. Active identification would typically emphasize ongoing monitoring or detection in real-time rather than the retrospective analysis provided in forensic identification. Manual identification might imply a non-systematic, labor-intensive approach to finding infections, while passive identification focuses on monitoring without taking direct action or analysis, which doesn't necessarily involve looking for evidence of past infections.