Cyber Unpacked // Are you DF, IR, or both? Navigating the overlap between forensics and incident response

Digital forensics and incident response often overlap in practice but differ in intent: DF emphasizes preservation and prosecutorial defensibility, while IR prioritizes speed, containment, and recovery. For private sector responders, knowing when to apply forensic rigor during an incident can mean the difference between resilience and regulatory fallout. This session examines the ongoing tension between rapid response and evidentiary integrity, illustrating how gaps in preservation can affect investigative outcomes, compliance obligations, and post-incident accountability. Join Doug Metz and special guest Brett Shavers as they explore the trade-offs between containment and preservation, highlight situations where forensic soundness is essential, and provide a framework for deciding when “good enough IR” isn’t enough. Attendees will leave with practical strategies for balancing IR speed with forensic defensibility in corporate environments.