To ensure proper evidence collection, which of the following steps should be performed FIRST?
Take hashes from the live system
Capture the system image
Copy all compromised files
Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the
fact to learn more about it. This is essential since the collection of evidence process may result in some
mishandling and changing the exploited state.