

The correct answer is A.

OBJ-4.4: The best option is to suspend the machine and copy the directory contents, as long as you protect the integrity of the files by hashing them before and after copying. This procedure will store the virtual machine’s RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host’s hard drive, copying the folder will give all the information needed. Still, the virtual machine should not be powered off, and creating a copy of the drive is unnecessary because the files would still have to be validated. Live acquisition relies on a specialist hardware or software tool that can capture memory contents while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire memory contents to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and requires you to shut down the host machine to conduct the bit-by-bit copy.
