During the collection of forensic evidence, which of the following actions would MOST likely result in
the destruction or corruption of evidence on a compromised system?

A.
Dumping the memory content to a file

B.
Generating disk images of the compromised system

C.
Rebooting the system

D.
Removing the system from the network

Explanation:
Rebooting the system may result in a change in the system state and the loss of files and important
evidence stored in memory. The other choices are appropriate actions for preserving evidence.