According to CompTIA, there are four phases in an incident response plan:
Detection and analysis
Containment, eradication and recovery
During this phase, an analyst should save any evidence so it can be referenced later. This could be for legal reasons, or so that examples of previous attacks can be used to shore up internal security measures and processes.