Which statement is incorrect related to acquiring electronic evidence at a crime scene?

• A. Sample banners are used to record system activities when used by unauthorized user
• B. Warning banners clearly notify intruders that monitoring is in effect
• C. Equipment connected to the case is seized with knowledge of the computer’s role
• D. At the time of seizing, you need to shut down the computer immediately

Answer: (D)

Preserving volatile data is essential when acquiring electronic evidence. RAM contains running processes, open network connections, encryption keys, and other data that vanish when power is removed, making it impossible to reconstruct activity or recover important evidence later. That’s why shutting the computer down immediately at the time of seizure is not the right move; it can destroy critical information. The right approach is to first document the scene, isolate the machine to prevent tampering, and securely image the storage while also attempting to capture memory if feasible, so volatile data is preserved. You should understand the computer’s role in the case to guide what to preserve and how to handle the devices, and warnings banners help indicate monitoring is in place for admissibility. Seizing equipment with knowledge of its role ensures you collect the relevant devices and data sources. Immediate power-down contradicts these practices, which is why that statement is incorrect.