Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What is the first step to shutting down a Windows OS system after evidence collection?

  1. Click the Windows button

  2. Document any running programs

  3. Take a photograph of the screen

  4. Click the Power option from the menu

The correct answer is: Click the Power option from the menu

When shutting down a Windows OS system after evidence collection, the primary objective is to ensure that potential volatile data is preserved while preventing the alteration of any evidence. The best practice for accomplishing this is to use the built-in power options, which provide a systematic way to shut down the system properly without risking corruption of data or loss of volatile information.

By accessing the Power option from the menu, you initiate a controlled shutdown that adheres to the operating system’s protocols for closing applications and processes safely. This process helps maintain the integrity of any stored evidence, as it allows Windows to finish writing any pending data to disk and to close applications in an orderly manner, which is crucial for the forensics involved.

Other options, while potentially useful in specific scenarios, do not prioritize the methodology needed for a proper shutdown in the context of evidence integrity. For instance, documenting running programs and taking screenshots can be important steps in evidence collection, but they do not directly contribute to safely shutting down the system. Clicking the Windows button, although it might provide access to shutdown options, lacks the specificity and safety of selecting the Power option directly.

This structured approach ensures the shutdown process is managed correctly while preserving the continuity and reliability of the evidence collected.