PrepAway - Latest Free Exam Questions & Answers

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?

A. Identify user habits

B. Disconnect system from network

C. Capture system image

D. Interview witnesses

Explanation:
Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it, in much the same way that a virus sample is kept in laboratories to study later after an outbreak. Also, you should act in the order of volatility, which states that the system image capture is first on the list of a forensic analysis.
Incorrect Answers:
A: User habits involve password behavior, data handling, clean desk issues, tailgating, and personally owned devices that users bring to the workplace. They are not useful for analyzing a hard drive with forensic tools.
B: Disconnecting the system from the network will change the state that the hard drive is currently in, and as such will defeat the purpose of the analysis with forensic tools.
D: Interviewing witnesses concerns the users and not the hard drive that is to be forensically analyzed. Though important, it refers to the fact that the sooner you learn about what happened from witnesses the better, since over time details and reflections can change, and you would want to collect their thoughts before such changes occur.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 453-454

