Option A is the best answer because the problem described is a failure to detect the attack in time , which points most directly to a lapse in the SOC’s continuous monitoring and analysis function. CHFI v11 explicitly includes the Role of SOC in Computer Forensics , centralized logging using SIEM solutions , incident detection and examination with SIEM tools , and the analysis of network and log data to identify attacks and suspicious behavior.

A SOC’s first-line defensive role depends heavily on ongoing visibility into the environment, including network traffic, logs, alerts, and correlations that can reveal malicious activity before major damage occurs. If the attack was only discovered after significant loss, the most likely overlooked function was not primarily evidence preservation or post-incident investigation, but timely monitoring and analysis .

Preserving evidence and maintaining logs are important forensic responsibilities, and the SOC may contribute to investigations, but those do not most directly explain the initial detection failure described in the scenario. Therefore, under CHFI’s view of the SOC as part of forensic readiness and incident detection, the strongest answer is continuous monitoring and analysis of network activity .