To ensure proper evidence collection, which of the following steps should be performed FIRST?

A.
Take hashes from the live system

B.
Review logs

C.
Capture the system image

D.
Copy all compromised files

Explanation:
Capturing an image of the operating system in its exploited state can be helpful in revisiting the
issue after the fact to learn more about it. This is essential since the collection of evidence process
may result in some mishandling and changing the exploited state.