During an incident response, a security analyst needs to ensure that a copy of a potentially compromised server's hard drive is acquired for analysis. Which of the following is the BEST method to ensure that the evidence is admissible in court?
Creating a bit-for-bit image of the original drive using a write blocker
Implementing remote mirroring to another server and capturing the replication data
Copying files from the server to an external hard drive directly
Taking photographs of the server and its connections for documentation