A desktop computer that was involved in a computer security incident should be secured as evidence by:
A.
disconnecting the computer from all power sources.
B.
disabling all local user accounts except for one administrator.
C.
encrypting local files and uploading exact copies to a secure server.
D.
copying all files using the operating system (OS) to write-once media.
Explanation:
To preserve the integrity of the desktop computer as an item of evidence, it should be immediately disconnected from all sources of power. Any attempt to access the information on the computer by copying, uploading or accessing it remotely changes the operating system (OS) and temporary files on the computer and invalidates it as admissible evidence.
I choose A
0
0
The question is stating that “should be secured as evidence by”
Disconnecting the computer from all power sources may cause the lose of important information that exist in memory.
Disabling all accounts except admin has no sense as well as encrypting all files.
I believe that copying all files to write once media can preserve evidence for further investigation later as well as ensure no alteration. My only concern is that special tools for bit-to-bit copy should be used as well as memory dumps. But D seems to be the most appropriate to me.
So I will say D
2
0
you are correct A would do opposite of what required
0
0
A is the first thing to do.
0
0