In the aftermath of a security breach, forensic investigators rely on theAccountingportion ofAAA (Authentication, Authorization, and Accounting)to reconstruct a timeline of events. While Authentication verifies identity and Authorization defines permissions, Accounting is the specific framework used to track user activity, including login/logout times and the specific commands executed during a session.

According to Cisco Security Infrastructure design objectives, implementing a centralized AAA solution (such asCisco Identity Services Engine (ISE)or a TACACS+/RADIUS server) is critical for accountability. In this scenario, the engineer would query the AAA logs to identify exactly "who" accessed the sales system during the compromise period.SNMP(Option A) is primarily for network monitoring and performance data, not granular user access logs.NACM(Option B) is an access control model for NETCONF but doesn't provide the broad auditing required here.PKI(Option D) provides the certificates used for digital signatures and encryption but does not log the historical "session" data needed for the investigation. Therefore, AAA is the fundamental architectural requirement for ensuring non-repudiation and providing the audit trail necessary to satisfy risk management and incident response requirements.

========