Which role recovers key artifacts and evidence from the network and uses them to build a timeline of events to understand what happened?

This task is about digital forensics: recovering artifacts and evidence from networks and devices, preserving them, and using that data to reconstruct the sequence of events to understand what happened. The role that fits this best is the forensic analyst. They collect artifacts such as logs, network captures, memory dumps, and disk images from endpoints and network gear, ensure proper chain of custody, and analyze the artifacts to map out when actions occurred, how an attacker moved through the environment, and what impact the incident had. This timeline construction is essential for understanding the incident's scope and guiding effective remediation.

A triage analyst focuses on rapid assessment to determine priority, scope, and initial containment actions. They may gather some indicators of compromise but aren’t typically responsible for deep evidence collection or building a detailed event timeline. A walkthrough and a checklist describe processes or steps used during assessments rather than defining a role that performs forensic analysis.