During the seizure process, which practice is incorrect?

• A. Failing to preserve the current activity banners
• B. Seizing only equipment connected to the case
• C. Identifying the device roles
• D. Shutting down the computer immediately

Answer: (D)

Preserving volatile data and the live system state during seizure is crucial. Shutting the computer down immediately is incorrect because it wipes the contents of RAM, stops running processes, closes network connections, and can alter timestamps and logs. These volatile artifacts often hold key evidence about what happened and when it happened, and shutting down can erase or corrupt them, complicating or preventing a accurate reconstruction. The proper approach is to preserve the current state, capture memory when possible, isolate the system to prevent tampering, and create a verified image of the storage media. Identifying device roles and capturing all connected equipment are part of careful seizure planning to ensure a complete evidentiary record.