What is an incorrect technique when preserving digital evidence?

Turning on the computer to extract log files is an incorrect technique when preserving digital evidence because it risks altering the state of the evidence. When a device is powered on, it can modify the data stored on it, including log files, timestamps, and volatile memory contents. This alteration can compromise the integrity of the evidence and may render it inadmissible in a legal context.

In contrast, disconnecting the device from the network helps to prevent remote access and further alterations, thus preserving the current state of the device. Documenting the state of the device is crucial for maintaining a record of its condition at the time of preservation, which aids in the chain of custody. Creating a bit-for-bit image of the hard drive is a standard forensic practice used to replicate the data without altering the original evidence, ensuring that the forensic analysis can be conducted on a copy rather than the original device.