What is the first step required when preparing a computer for forensics investigation?

Preserving evidence in its original state is the priority. The moment you start interacting with the device—turning it on or off, running programs, or accessing data—you risk altering data, changing timestamps, overwriting memory, or otherwise contaminating the evidence. Keeping the computer untouched ensures the integrity of the data and supports a reliable chain of custody, making it possible to create an admissible forensic image later. After establishing this baseline, you would proceed with proper steps like securing the relevant media and documenting the scene, but those actions should follow the decision to avoid any modification of the system.