Certified Information Systems Auditor (CISA) — Question 818

Which of the following BEST protects evidence in a forensic investigation?

Answer options

• A. Protecting the hardware of the affected system
• B. Powering down the affected system
• C. Imaging the affected system
• D. Rebooting the affected system

Correct answer: C

Explanation

Creating an image of the affected system is the best way to preserve evidence, as it allows for a complete and exact copy of the data to be analyzed without altering the original information. Protecting hardware, powering down, or rebooting the system can result in data loss or corruption, making it harder to conduct a thorough investigation.