During an investigation following a security breach, an analyst is tasked with identifying the source of the intrusion. Which of the following is the BEST method for the analyst to maintain the integrity of the evidence?
Taking images of the system to be reviewed by the security team.
Generating a timestamp for each file on the system immediately upon acquisition.
Creating a cryptographic hash of the storage media before analysis.
Making several copies of the system's database for cross-reference.