If the victim’s computer is internet-connected, what is the first step a responder must take?


When a victim's computer is internet-connected and a security incident is suspected, the first step a responder needs to take is to unplug the network cable. This step is critical because it effectively isolates the compromised system from the internet or any potentially hostile external networks, preventing further data exfiltration or the propagation of malware. Keeping the computer connected can allow attackers to continue their activities or make it easier for additional malware to download and execute.

Isolating the compromised machine helps preserve the integrity of the evidence and allows for a more controlled examination of the potential security breach without additional risk. It is about ensuring that no further harm can come from that system while also securing any pertinent data that might assist in the forensic investigation.

The other options would not be advisable as initial steps because they expose the system to further risks or compromise the integrity of the data and evidence necessary for an effective incident response. For instance, using the computer for evidence search or turning it on could alter valuable forensic data, while keeping devices connected could facilitate ongoing attacks or data tampering.
