CompTIA Security+ (SY0-501) — Question 440
Which of the following best describes the initial processing phase used in mobile device forensics?
Answer options
- A. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device
- B. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device
- C. The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again
- D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately
Correct answer: D
Explanation
The correct answer, D, indicates that a comprehensive examination of the phone along with storage cards is crucial after initially inspecting removable storage. Option A is incorrect as it suggests turning off the device, which is not part of the initial processing phase. Option B wrongly prioritizes removable storage over the complete unit examination. Option C incorrectly implies examining the phone without removable storage last, which does not align with best practices in mobile forensics.