Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam SY0-501 topic 1 question 259 discussion

Actual exam question from CompTIA's SY0-501
Question #: 259
Topic #: 1
[All SY0-501 Questions]

Which of the following best describes the initial processing phase used in mobile device forensics?

  • A. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device
  • B. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device
  • C. The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again
  • D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.
Show Suggested Answer Hide Answer
Suggested Answer: D ūüó≥ÔłŹ

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
CoRell
Highly Voted 3 years, 9 months ago
SANS indicates that "Removable data storage cards should be processed separately from the phone when possible, as accessing data stored on these cards during the process of examining the cellular phone may alter data on the data storage card. Any installed data storage/memory cards should be removed from the cellular phone prior to examination of the phone, and processed separately using traditional computer forensics methods to ensure that date and time information for files stored on the data storage/memory card are not altered during the examination. "
upvoted 6 times
Mcvegh
3 years, 1 month ago
Here: https://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf
upvoted 2 times
...
...
legendman123
Most Recent 2 years, 11 months ago
I put B. I personally dont think it is A because im pretty sure due to volatility. You should never power off any device immediately when performing forensics. I am not sure why it is D though.
upvoted 1 times
...
mcNik
3 years, 5 months ago
Guys read https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf It does not provide 100% answer, but provides explanation why A is not correct. I was fooled to think it is too before reading this.
upvoted 1 times
...
Selzar
3 years, 6 months ago
I think the initial process for mobile forensic is to examine volatile data. And that data will have references to both removable and onboard storage.
upvoted 1 times
...
modoc168
3 years, 7 months ago
What is the difference between B and D?
upvoted 1 times
...
silentnotifications
3 years, 8 months ago
To me, Answer D. makes the most sense because it allows for the least amount of changes made to the device before forensics starts.
upvoted 2 times
...
PeteL
4 years ago
I've seen this exact question and answer set on another practice exam with a different answer. I think it's a throwaway question.
upvoted 1 times
EPSBAL
4 years ago
My vote for answer A. Example: "ACPO guidelines for mobile evidence" states "....1. Secure and take control of the area containing the equipment. Do not allow others to interact with the equipment; 2. Photograph the device in situ, or note where it was found, and record the status of the device and any on-screen information; 3. If the device is switched on, power it off. It is important to isolate the device from receiving signals from a network to avoid changes being made to the data it contains. For example, it is possible to wipe certain devices remotely and powering the device off will prevent this. 4. Seize cables, chargers, packaging, manuals, phone bills etc. as these may assist the enquiry and minimise the delays in any examination; 5. Packaging materials and associated paperwork may be a good source of PIN/PUK details;..." Note "power it off". Of the answers presented A seems most appropriate.
upvoted 1 times
MagicianRecon
3 years, 12 months ago
I could just remove it from the network. No wifi or 3G/4G. Powering it down will lead to loss of volatile memory data
upvoted 2 times
MagicianRecon
3 years, 12 months ago
Also powering off a device could trigger authorization codes etc. Checking NIST guidelines they highlight 3 methods - airplane mode, off network and power off. All 3 have some pros and cons and need to be implemented on a per use case
upvoted 1 times
...
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...