Which statement is not correct when dealing with a powered-on computer at a crime scene?

• A. If the computer is switched off, power on the computer to take a screenshot of the desktop
• B. If a computer is on and the monitor shows some picture or screen saver, move the mouse slowly without depressing any mouse button and take a photograph of the screen and record the information displayed
• C. If a monitor is powered on and the display is blank, move the mouse slowly without depressing any mouse button and take a photograph
• D. If a computer is switched on and the screen is viewable, record the programs running on screen and photograph the screen

Answer: (A)

When a computer is powered on at a crime scene, the priority is to preserve the current state without altering any evidence. The safe approach is to document what’s visible and capture it with non-invasive methods, avoiding actions that could change data or memory.

Powering on a machine that is switched off to take a screenshot is not correct because turning the device on can modify data, memory contents, file timestamps, and overall state. This change can contaminate evidence and undermine forensic integrity unless there is explicit authorization and a documented, approved procedure in place.

The other scenarios align with non-invasive documentation. If the monitor is showing something, waking the display by gently moving the mouse—without clicking—and photographing the screen records what is present without altering it. If the display is on but blank, waking it slightly and photographing still captures the visible context. If the screen is viewable, recording the programs running and photographing the display helps document the system’s state at that moment. In all cases, the goal is to capture evidence as it exists, with minimal interaction that could modify it.