An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.
Which of the following should the analyst do NEXT?
Click on the arrows to vote for the correct answer
A. B. C. D. E.D.
The next step for the incident responder after acquiring application binaries off a mobile device for later forensic analysis would be to compute SHA-256 hashes for each binary, which is option C.
Here's why:
A. Decompiling each binary to derive the source code is not a necessary step at this point, as the incident responder has already acquired the binaries themselves. Decompiling the binaries would be useful later in the analysis process, but it is not the next step.
B. Performing a factory reset on the affected mobile device is also not the next step, as doing so would destroy any evidence that may be needed for future analysis. The device should be properly secured and preserved for analysis.
C. Computing SHA-256 hashes for each binary is the next step because this helps to verify the integrity of the acquired data. By computing a hash, the incident responder can ensure that the binary has not been modified since it was acquired, which is important for maintaining the chain of custody and ensuring that any conclusions drawn from the analysis are accurate.
D. Encrypting the binaries using an authenticated AES-256 mode of operation is not the next step, as this would be premature at this point. The incident responder needs to first ensure the integrity of the binaries before moving on to protecting them.
E. Inspecting the permissions manifests within each application is also not the next step, as this would require further analysis and may not be necessary depending on the nature of the incident.
In summary, computing SHA-256 hashes for each binary is the next step for the incident responder after acquiring application binaries off a mobile device for later forensic analysis.