During a security event investigation, a junior analyst fails to create an image of a server’s hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering. Which of the following should the junior analyst have followed?
A. Continuity of operations
B. Chain of custody
C. Order of volatility
D. Data recovery
Correct Answer: C
Explanation/Reference: https://www.computer-forensics-recruiter.com/order-of-volatility/