During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take?
A. Power off the computer and remove it from the network.
B. Unplug the network cable and take screenshots of the desktop.
C. Perform a physical hard disk image.
D. Initiate chain-of-custody documentation.
CS0-002: CompTIA CySA+ ExamFULL Printable PDF and Software. VALID exam to help you PASS. |
The answer is A. The Analyst is not conducting investigation, thus he or she should unplug power and from the network and hand it over to forensics.
This has to be wrong. The proper step should be B.