Computer Hacking Forensic Investigator (CHFI) Practice Exam

The focus of the correct answer lies in the context of IT security practices, particularly when handling the physical components of a computer system. Removing the power cable based on the computer's state is a critical action in forensic investigations as it can be necessary to prevent data corruption or tampering during an investigation. This action is often taken in situations where investigators need to secure evidence, ensuring that sensitive data is not altered or destroyed by external factors, such as remote access or automated tasks that the operating system may trigger when powered on.

In contrast, documenting actions observed in peripherals, verifying the monitor's power state, and turning on the computer for log extraction do not specifically address securing the IT environment or protecting the integrity of the data within that environment. These actions are more about observation or preparation rather than actively protecting the system from potential threats or loss of evidence.

Understanding the importance of evidence preservation in digital forensics is crucial, and removing the power cable methodically reflects a proactive approach to safeguarding IT security within organizational protocols.