Which of the following statements is incorrect when preserving digital evidence?

• A. Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals
• B. Verify whether the monitor is on, off, or in sleep mode
• C. Remove the power cable depending on the power state of the computer i.e., in on, off, or in sleep mode
• D. Turn on the computer and extract Windows event viewer log files

Answer: (D)

Preserving digital evidence requires keeping the system in its current state and collecting data in a forensically sound way, so you don’t alter what you’re trying to prove. Turning on the computer to extract Windows event viewer log files would change the system’s state and potentially modify or overwrite data, which compromises the integrity of the evidence. Booting a machine solely to pull logs introduces new activity, alters timestamps, and can affect volatile data and the very logs you’re trying to rely on. The proper approach is to preserve the device as-is, document its current condition, and obtain evidence through non-intrusive means—such as creating a disk image and then extracting logs from the image or performing a live acquisition only if necessary and under validated procedures. The other steps—documenting observed actions and peripheral states, and dealing with power state in a controlled, evidence-preserving way—align with sound preservation practices.