Certified Information Systems Auditor (CISA) — Question 994
Which of the following should be done FIRST to protect evidence on a computer suspected to be involved in online fraud?
Answer options
- A. Unplug the computer from its power source.
- B. Eject removable media.
- C. Use the computer to trace the source of the crime.
- D. Make a copy of the affected system.
Correct answer: D
Explanation
The correct answer is D because making a copy of the affected system preserves the evidence without altering the original data. Unplugging the computer (A) or ejecting removable media (B) could alter the state of the evidence, and using the computer to trace the source of the crime (C) risks further tampering with the evidence.