Answer:
Final answer:
The correct course of action according to the SANS DFIR Forensics methodology for an on and unlocked mobile device is B. to disconnect it from the network to preserve potential evidence.
Explanation:
According to the SANS DFIR Forensics methodology for mobile devices that are on and unlocked, the appropriate course of action would be b) Disconnect it from the network.
This is to prevent any potential remote access, data alteration, or wiping which could compromise the integrity of the investigation. Wiping the device (a) would destroy potential evidence, and while creating a backup of the data (option c) and installing antivirus software (option d) may be beneficial at other stages of the forensic process, they are not the initial steps to take when dealing with an on and unlocked device.
Final answer:
In the context of digital forensics, if a mobile device is on and unlocked, it should be disconnected from the network to prevent remote alterations to the data. Creating a backup and installing antivirus software are not immediate priorities.
Explanation:
According to SANS DFIR Forensics, if a mobile device is on and unlocked, the best course of action is to disconnect it from the network. This is to prevent any remote actions, such as wiping or altering the data stored on the device. It is also crucial to ensure that the evidence/data on the device remains in its original state. In the field of digital forensics, it's important to maintain the integrity of the data for further investigation. While creating a backup could be beneficial in some cases, this step isn't immediately necessary. Installing antivirus software is not typically one of the first steps conducted in a digital forensic investigation.