CompTIA CySA+ (CS0-001) — Question 55
During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take?
Answer options
- A. Power off the computer and remove it from the network.
- B. Unplug the network cable and take screenshots of the desktop.
- C. Perform a physical hard disk image.
- D. Initiate chain-of-custody documentation.
Correct answer: A
Explanation
The correct answer is A because powering off the computer and disconnecting it from the network prevent any potential tampering or data alteration. The other options, while important, should not be the first step; taking screenshots or imaging the disk can wait until the computer is secured.