When collecting evidence from a running computer, what should be the first step?


The most appropriate first step when collecting evidence from a running computer is to leave the device running. This approach ensures that volatile information, such as open files, temporary system information, and network connections, remains intact for analysis. Turning off the computer or disconnecting it from power can result in the loss of crucial data that may be critical to an investigation.

By keeping the device running, investigators can conduct a live analysis, which may provide insights into ongoing processes and activities. This method allows real-time data to be captured and ensures that transient evidence, which may change or disappear at any moment, is preserved. Careful documentation and consideration of how to proceed next, such as cloning data or capturing RAM, can then follow.

In contrast, shutting down the system or pulling the plug can result in irreversible changes to data and loss of evidence, making it essential to prioritize leaving the device operational during the initial evidence collection phase. Taking just the hard drive without considering the running state of the system also overlooks the potential value of remaining volatile data.
