Certified Incident Handler (CIH) Practice Ecam

What practice helps first responders protect evidence regarding a victim's computer with an Internet connection?

• A. Leave the network cable connected
• B. Unplug the network cable from the router and modem
• C. Shutdown the device immediately
• D. Document the current Internet activity

The correct answer is: Unplug the network cable from the router and modem

Unplugging the network cable from the router and modem is a critical practice for protecting evidence on a victim's computer that is connected to the Internet. This action helps to preserve the state of the device by preventing any further data transmission or potential tampering. When a computer is actively connected to the Internet, it could be vulnerable to remote access by malicious actors who may attempt to alter or delete evidence. In scenarios where real-time data is being transmitted, such as with live connections to cloud services or other online platforms, disconnecting the network cable ensures that any ongoing activities are frozen. This effectively secures the current data on the computer and prevents any alterations that could compromise the integrity of the evidence for investigations. Documentation of the current Internet activity, while important, does not actively protect the evidence like disconnecting the device does. Keeping the network cable connected could lead to unwanted changes or the loss of crucial data, and shutting down the device may also result in the loss of volatile data that is necessary for a complete forensic analysis. Thus, the approach of unplugging the network cable is vital in the context of evidence preservation and forensic best practices.