An incident response team member needs to perform a forensics examination but does not have
the required hardware. Which of the following will allow the team member to perform the
examination with minimal impact to the potential evidence?

A.
Using a software file recovery disc

B.
Mounting the drive in read-only mode

C.
Imaging based on order of volatility

D.
Hashing the image after capture

Explanation:
Mounting the drive in read-only mode will prevent any executable commands from being executed.
This is turn will have the least impact on potential evidence using the drive in question.