It is very important that evidence be handled properly and never modified physically or, more important, logically. The goal of this process is to be able to testify truthfully in court that the technical investigator did not modify the data in any way. If the investigator does not have sufficient manual or digital evidence, the defense will try to prevent the admission of evidence based on the fact that it was tampered with or modified. Note that legal requirements for digital evidence preservation could vary from country to country, so local laws should be taken into consideration. The owner of the system may be present at the time of evidence retrieval, but this is not absolutely necessary. In some cases, the owner could be the subject of the investigation. In most cases, it is required that the investigator power off the machine in order to create a forensic image of the hard drive, so this is not an issue. Prior to powering off the machine, the investigator would normally photograph what is on the screen of the computer and identify what documents are open and any other information that may be relevant. It is important that the investigator power off the machine rather than performing a shutdown procedure. Many operating systems perform a cleanup of temporary files during shutdown, which would potentially destroy valuable evidence. Typical forensic investigation techniques do not involve copying the system-state of desktop or laptop computers, so this is not the correct answer.