Problem
1) You must contain a host that is suspected of effecting a violation of security policy. No methods of live evidence acquisition are available. What is your best course of action to preserve the integrity of evidence?
2) A hard disk has been removed from a computer so that it can be subjected to forensic evidence collection. What steps should you take to complete this process?
3) What two types of space on a disk are analyzed by file-carving tools?