Question 2574 - CISA Certified Information Systems Auditor

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?

A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network

Correct Answer: C

Explanation:

Explanation:
Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.

CISA Certified Information Systems Auditor

Tag: Question 2574

CISA Certified Information Systems Auditor – Question2574