Which of the following should NOT be done when gathering digital evidence?

Study for the Systems Security Certified Practitioner Exam. Prepare with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Rebooting the victim system offline is not advisable when gathering digital evidence because it can alter the state of the evidence. When a system is rebooted, there is a risk of changes occurring, such as file updates, loss of volatile data (like RAM contents), or modifications to timestamps and logs. These alterations may compromise the integrity of the evidence collected, making it less reliable in an investigation or legal context.

In contrast, documenting the chain of evidence is crucial for maintaining the integrity and authenticity of the collected data. This documentation helps establish who collected the evidence, how it was collected, and how it has been preserved.

Performing a bit-level backup is a best practice for preserving the exact state of a system's storage devices, ensuring that all data, including unallocated space, is captured without changes.

Shutting down a compromised system can sometimes be necessary to prevent further damage or data loss. However, it should be done cautiously and typically after careful consideration of how to preserve volatile data as much as possible. Hence, rebooting is the action that should be avoided to protect the integrity of the digital evidence.
