In terms of supporting a forensic investigation, it is now imperative that managers, first-responders, etc., accomplish the following actions to the computer under investigation:
A.
Secure the area and shut-down the computer until investigators arrive
B.
Secure the area and attempt to maintain power until investigators arrive
C.
Immediately place hard drive and other components in an anti-static bag
Maintaining power ensures volatile memory (RAM) data is preserved, which can contain critical forensic evidence such as running processes and network connections.
Securing the area prevents tampering or unauthorized access, preserving the integrity of evidence.
Why Other Options Are Incorrect:
A. Shut-down the computer: Shutting down can result in loss of volatile data critical to the investigation.
C. Place components in anti-static bags: Prematurely removing hardware disrupts the state of the machine and can lead to loss of evidence.
D. Secure the area: While important, it does not address the need to preserve volatile memory.
EC-Council CISO Reference:
The first-responder guidelines stress the importance of preserving evidence integrity and avoiding actions that could destroy critical forensic data.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit