ISC Exam Questions

Before shutting down a system suspected of an attack, the investigator should do what?

A. Remove and back up the hard drive

B. Dump memory contents to disk

C. Remove it from the network

D. Save data in the spooler queue and temporary files

Explanation:
B: If the computer was attacked or involved in a computer crime, there is a good possibility that useful information still resides in memory. Memory is volatile, so that information is lost once power is removed. Specific tools can be used to dump the memory contents and save them for analysis before the power is removed.