According to CompTIA, there are four phases in an incident response plan:
Preparation
Detection and analysis
Containment, eradication and recovery
Post-event activity
During the post-event activity phase, an analyst should save any evidence so it can be referenced later. The evidence may be needed for legal reasons, or it may serve as examples of previous attacks that help shore up internal security measures and processes.