🛡️ Free practice test question from: Digital Forensics rules (Security+)

The first rule of digital forensics is C) Preserve the original evidence without modification. This is paramount. All subsequent steps and analyses are based on this principle. You must ensure that the original evidence remains unaltered so it can be admissible in court.

*****

A) Protect the device from external interference: This is crucial to prevent contamination or alteration of the evidence, but the preservation of the original evidence is the core first principle.

B) Document all actions taken during investigation: This is essential for maintaining a chain of custody and demonstrating the integrity of the investigation, but it comes after ensuring the preservation of the original evidence.

D) Create a forensic backup immediately: Creating a forensic copy is a vital step, but it's done to preserve the original evidence and work on a copy. The original evidence must be kept untouched.