Which of the following best describes the initial processing phase used in mobile device forensics?
A.
The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device
B.
The removable data storage cards should be processed first to prevent data alteration when examining the mobile device
C.
The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again
D.
The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.
SANS indicates that "Removable data storage cards should be processed separately from the phone when possible, as accessing data stored on these cards during the process of examining the cellular phone may alter data on the data storage card. Any installed data storage/memory cards should be removed from the cellular phone prior to examination of the phone, and processed separately using traditional computer forensics methods to ensure that date and time information for files stored on the data storage/memory card are not altered during the examination."
I put B. I personally don't think it is A because I'm pretty sure it's due to volatility. You should never power off any device immediately when performing forensics. I am not sure why it is D though.
Guys, read https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
It does not provide a 100% answer, but it does explain why A is not correct. I was fooled into thinking it was, too, before reading this.
My vote is for answer A. Example: the "ACPO guidelines for mobile evidence" state "...1. Secure and take control of the area containing the equipment. Do not allow others to interact with the equipment;
2. Photograph the device in situ, or note where it was found, and record the status of the device and any on-screen information;
3. If the device is switched on, power it off. It is important to isolate the device from receiving signals from a network to avoid changes being made to the data it contains. For example, it is possible to wipe certain devices remotely and powering the device off will prevent this.
4. Seize cables, chargers, packaging, manuals, phone bills etc. as these may assist the enquiry and minimise the delays in any examination;
5. Packaging materials and associated paperwork may be a good source of PIN/PUK details;..."
Note "power it off". Of the answers presented, A seems most appropriate.
Also, powering off a device could trigger authorization codes, etc. Checking the NIST guidelines, they highlight 3 methods: airplane mode, off network and power off. All 3 have some pros and cons and need to be implemented on a per-use-case basis.
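The SANS passage quoted above says the card should be processed separately from the handset using traditional computer forensics methods so that file date and time information is not altered. As an added illustration for this thread (not from SANS, NIST SP 800-101, ACPO or any of the posters), the Python below does the two things that recommendation implies: image the card read-only while hashing the bytes as they are read, then re-hash the written image to verify it; and snapshot the size and mtime/atime/ctime of every file on the card so that any change during examination can be detected afterwards. The device node, output paths and sample files are assumptions, and a hardware write blocker is still assumed upstream; demo() builds a constructed stand-in for the card so the script runs offline.

```python
"""Process a removable storage card separately from the handset.

Added example for this thread; it is not from SANS, NIST SP 800-101 or
ACPO, and the device node, output paths and sample files are assumptions.
Two steps: image the card read-only while hashing (then verify the image),
and snapshot every file's timestamps so examination can be shown not to
have altered them. A hardware write blocker is still assumed upstream.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB cards


def sha256_file(path):
    """Stream a file (or block device opened read-only) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy source to image_path, hashing source bytes as they are read.

    The source hash comes from the bytes actually read off the card; the
    image is then re-read from disk and hashed independently, so 'verified'
    proves the copy on disk matches what was acquired.
    """
    h = hashlib.sha256()
    size = 0
    started = time.time()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    image_hash = sha256_file(image_path)
    return {
        "source": str(source),
        "image": str(image_path),
        "bytes": size,
        "sha256_source": h.hexdigest(),
        "sha256_image": image_hash,
        "verified": h.hexdigest() == image_hash,
        "acquired_at": started,
    }


def timestamp_manifest(root):
    """Record size and mtime/atime/ctime (ns) of every file under root.

    Take it from a read-only mount of the card (or the image) before
    examination and compare afterwards with manifest_unchanged().
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()  # stat() reads metadata only; it alters nothing
            manifest[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "atime_ns": st.st_atime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return manifest


def manifest_unchanged(before, after):
    """True only if every file's size and all three timestamps are identical."""
    return before == after


def demo():
    """Walk through both steps on constructed data; no real card is needed."""
    work = Path(tempfile.mkdtemp(prefix="card_demo_"))
    # Constructed stand-in for the card's device node (e.g. /dev/sdb on Linux):
    # a FAT-like boot sector signature followed by zeroed sectors.
    fake_card = work / "card.bin"
    fake_card.write_bytes(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (2 * CHUNK + 511))
    record = acquire_image(fake_card, work / "card.dd")

    # Constructed stand-in for the card's file tree as seen on a mount.
    tree = work / "mount"
    (tree / "DCIM").mkdir(parents=True)
    (tree / "DCIM" / "IMG_0001.JPG").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (tree / "notes.txt").write_text("constructed sample file\n")
    before = timestamp_manifest(tree)
    untouched = manifest_unchanged(before, timestamp_manifest(tree))
    # Simulate an examination step that rewrote a file's timestamps.
    os.utime(tree / "notes.txt", ns=(1, 1))
    after_touch = manifest_unchanged(before, timestamp_manifest(tree))
    return {"record": record, "untouched": untouched, "after_touch": after_touch}


if __name__ == "__main__":
    print(demo())
```

On a real card the source would be the device node behind a write blocker, and the manifest would be taken from a read-only mount of the image rather than the card itself; the hashes and the before/after manifests are what go into the examination notes.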
Community vote distribution: A (35%), C (25%), B (20%), other.
Commenters (ExamTopics usernames and posting times, as extracted): CoRell (Highly Voted, 4 years, 1 month ago); Mcvegh (3 years, 4 months ago); legendman123 (Most Recent, 3 years, 2 months ago); mcNik (3 years, 8 months ago); Selzar (3 years, 9 months ago); modoc168 (3 years, 11 months ago); silentnotifications (3 years, 12 months ago); PeteL (4 years, 4 months ago); EPSBAL (4 years, 4 months ago); MagicianRecon (4 years, 3 months ago); MagicianRecon (4 years, 3 months ago).