The correct answer is B. In forensic analysis, the analyst wants to preserve volatile evidence and prevent the user from changing the system's state. If the computer is powered off, data in memory, running processes, active network connections, and other volatile artifacts may be lost. If the user keeps interacting with the computer, they may unintentionally overwrite or alter evidence.
Exact supporting extract: the Sybex CySA+ Study Guide states that forensic evidence acquisition may require “making live memory images to ensure that information is not lost when a system is powered off.” It also explains that order of volatility measures how easy data is to lose and that data in memory or caches is highly volatile.
The Secbay CySA+ guide also states that allowing a computer to enter hibernation or sleep mode can change memory properties and result in loss of forensic evidence. It further explains that failing to follow order of volatility will likely result in evidence being lost.
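To make the order-of-volatility point concrete, here is an added example (not from either study guide) of a volatile-first triage script for a Linux or Unix host: it captures the most perishable state first, while the system is still running, and finishes with a hash manifest so any later change to the collected files is detectable. The output directory layout, file names and the choice of `ss`/`netstat`/`ps`/`who` fallbacks are assumptions for illustration.

```shell
#!/bin/sh
# Volatile-first triage collection (added example). Captures the most perishable
# artifacts first, while the system is still running, then writes a hash manifest
# so later alteration of the collected files is detectable. Tool names are guarded
# because minimal hosts lack some of them; all output paths are assumptions.

hash_file() {
    # Prefer sha256sum; fall back to shasum or cksum so a manifest is always written.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else cksum "$1"; fi
}

collect_volatile() {
    out="$1"
    mkdir -p "$out"
    # 1. Clock first: it anchors every later timestamp and costs nothing to capture.
    date -u +"%Y-%m-%dT%H:%M:%SZ" > "$out/01_collection_time_utc.txt"
    { cat /proc/uptime 2>/dev/null || uptime; } > "$out/02_uptime.txt" || true
    # 2. Network state: active connections disappear the moment the host powers off.
    if command -v ss >/dev/null 2>&1; then ss -tunap > "$out/03_network.txt" 2>&1 || true
    elif command -v netstat >/dev/null 2>&1; then netstat -an > "$out/03_network.txt" 2>&1 || true
    else cat /proc/net/tcp /proc/net/udp > "$out/03_network.txt" 2>&1 || true; fi
    # 3. Running processes: lost on power-off and changed by any user interaction.
    if command -v ps >/dev/null 2>&1; then ps -ef > "$out/04_processes.txt" 2>&1 || true
    else ls -d /proc/[0-9]* > "$out/04_processes.txt" 2>&1 || true; fi
    # 4. Logged-in sessions: who is (or was just) at the keyboard.
    if command -v who >/dev/null 2>&1; then who > "$out/05_sessions.txt" 2>&1 || true
    else echo "who: not available" > "$out/05_sessions.txt"; fi
    # 5. Last, the manifest: one hash line per collected file, for chain of custody.
    : > "$out/MANIFEST.txt"
    for f in "$out"/[0-9]*_*.txt; do hash_file "$f" >> "$out/MANIFEST.txt"; done
}

# verify_manifest returns 0 only if every collected file still matches its manifest line.
verify_manifest() {
    out="$1"
    for f in "$out"/[0-9]*_*.txt; do
        line=$(hash_file "$f")
        grep -Fxq -- "$line" "$out/MANIFEST.txt" || return 1
    done
    return 0
}
```

Run `collect_volatile /mnt/evidence/host01` from removable or network storage before any shutdown or imaging step; a full memory image would precede even this script on a real case, and the disk image comes afterwards.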
Why the other options are incorrect:
A is incorrect because the main reason is evidence preservation, not preventing misuse.
C is incorrect because the analyst is not validating tool installation or patch status.
D is incorrect because legal hold is a legal preservation process, not the immediate reason to keep a live system powered on.