A security incident occurs that requires a systems administrator to take an image of a user-s workstation hard drive. Which of the following should be taken at t
he time the system image is generated and retained through the file of the investigation to assure files have not been modified since?
A. A checksum hash of the drive image or files
B. Copies of the system logs at specific intervals
C. A snapshot of the
file system
D. The user-s credentials and permissions