CompTIA Exam Questions

Which of the following tasks will you perform to preserve evidence? (Choose all that apply)

You are the first person to respond to the scene of an incident involving a computer being hacked. After determining the scope of the crime scene and securing it, you attempt to preserve evidence at the scene. Which of the following tasks will you perform to preserve evidence? (Choose all that apply)

A. Photograph any information displayed on the monitors of computers involved in the incident.

B. Document any observation or messages displayed by the computer.

C. Shut down the computer to prevent further attacks that may modify data.

D. Gather up manuals, nonfunctioning devices, and other materials and equipment in the area so they are ready for transport.

Explanation:
Preservation of evidence requires limited access. Answers A and B are the best choices. Answer C is wrong because the traces of many incidents that occur in a computer system, especially Internet attacks, will only show up in system RAM while the system is running, so shutting the computer down loses them. Answer D is wrong because you should not touch anything until the authorities arrive.
Reference: Security+ (SYBEX), pages 456-458