Why is it important to interact with the suspect system as little as possible?

• A. To prevent altering evidence and preserve integrity by using a copy for analysis
• B. To speed up the investigation by making changes directly
• C. There is no real risk to the integrity of evidence when interacting with the system
• D. To impress witnesses with technical procedures

Answer: (A)

Minimizing interaction with the suspect system tests the need to preserve evidence integrity by analyzing a copy rather than the original. Any action on the live system can modify data, change timestamps, or erase traces, which can undermine credibility and the ability to accurately reconstruct events. Using a forensic image and tools like write blockers keeps the original state intact, allows hash verification, and maintains the chain of custody, all of which are crucial for admissibility in court. The other ideas miss this core goal: changing data directly introduces contamination, claiming there’s no risk ignores fundamental risks to integrity, and aiming to impress witnesses is irrelevant and unethical.