Why should you never power on a computer that you need to acquire digital evidence from?


Multiple Choice

Explanation:
When a computer starts up, the operating system and its services begin running and will write data to the storage device. This includes creating and updating temporary files, logs, swap/page files, and various metadata. These writes can alter the exact data you’re aiming to preserve or modify timestamps that help establish the original state, effectively contaminating the evidence. While memory contents and caches are volatile, the real risk to the evidentiary disk is the disk writes that occur during boot. That’s why, in forensics, you avoid powering on the machine and instead preserve it as found and acquire data using a write-blocked method or by imaging the drive without allowing the system to boot.
