An incident response team member needs to perform a forensics examination but does not have the required
hardware. Which of the following will allow the team member to perform the examination with minimal impact to
the potential evidence?

A.
Using a software file recovery disc

B.
Mounting the drive in read-only mode

C.
Imaging based on order of volatility

D.
Hashing the image after capture

Explanation:
Mounting the drive in read-only mode will prevent any executable commands from being executed. This is turn
will have the least impact on potential evidence using the drive in question.