What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?
A. Disable all unnecessary services
B. Ensure chain of custody
C. Prepare another backup of the system
D. Isolate the system from the network
Agree with D.
D is the correct answer. The question is about forensic analysis of an application, not the entire system. If it were a system, you would make bit-for-bit clones of the original hard drive before conducting any tests. But since it’s an application, you’d want to test it in a sandbox environment, which is usually a system isolated from the production network.
I would say “C”, because when analyzing digital evidence, it’s best to work with a copy of the actual evidence whenever possible.