Which process is NOT part of the investigation stage?

The investigation stage in incident handling primarily focuses on the processes that facilitate the collection and analysis of evidence related to the security incident. Each of the processes commonly associated with this stage is critical in ensuring that the investigation is thorough and that the evidence collected can uphold scrutiny in both legal and technical assessments.

Documenting and reporting, while essential for maintaining records of the investigation and communicating findings to stakeholders, is not a direct part of the procedural activities focused on the evidence itself. Instead, it is typically classified as part of the follow-up or resolution stage, where the findings are compiled, analyzed, and presented after the evidence has been collected and assessed.

Conversely, collecting the evidence, data acquisition, and search and seizure are all integral to the initial investigative activities. Collecting evidence involves gathering the physical or digital artifacts that are relevant to the incident. Data acquisition encompasses the methods used to gather this data in a way that preserves its integrity. Search and seizure often relates to the legal and procedural methods used to obtain the evidence necessary for the investigation. Thus, these activities are foundational components of the investigation stage, while documenting and reporting falls into subsequent processes.