A production server has been compromised. Which of the following is the BEST way to preserve
the non-volatile evidence?
A.
Shut the server down and image the hard drive.
B.
Remove all power sources from the server.
C.
Install remote backup software and copy data to write-once media.
D.
Login remotely and perform a full backup of the server.