Investigation Scenario 🔎

An employee's Android phone recently made multiple connections to an IP address associated with prior malicious activity.

The /data/system/packages.xml file shows a recently installed APK named com[.]secure.update, signed with an unknown cert.

What do you look for to investigate whether an incident occurred and assess its impact?

Bonus Points: Mention which evidence sources you'd leverage to answer your questions
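One place to start on the packages.xml side, as an added example that is not part of the original post: parse the file, pull each package's install time, installing package and signer certificate, and flag anything installed inside the incident window, sideloaded, or signed by a certificate not on your allowlist. The XML below is a constructed sample shaped like /data/system/packages.xml (it/ut are install/update times as hex milliseconds; `<cert>` entries later in the file may carry only an index that refers back to a key defined earlier). The certificate bytes, package names, timestamps and the allowlist are all constructed assumptions; the `installInitiator` fallback and the sideload-installer heuristic are assumptions too.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Timestamps are kept decimal here and rendered as hex below, because
# packages.xml stores it/ut (install/update time, ms since epoch) as hex.
OLD_INSTALL_MS = 1_600_000_000_000            # constructed: long before the incident
RECENT_INSTALL_MS = 1_700_000_000_000         # constructed: inside the incident window
INCIDENT_WINDOW_START_MS = 1_699_900_000_000  # constructed: first connection to the bad IP

# Constructed certificate DER bytes (not real certificates). packages.xml
# stores the signer certificate as hex under <sigs><cert key="..."/>.
TRUSTED_CERT_HEX = "3082010a0201010420aa" + "11" * 16
UNKNOWN_CERT_HEX = "3082010a0201010420bb" + "22" * 16

# Constructed sample shaped like /data/system/packages.xml.
SAMPLE_PACKAGES_XML = f"""<packages>
  <package name="com.example.mail" codePath="/data/app/com.example.mail-1"
           it="{OLD_INSTALL_MS:x}" ut="{OLD_INSTALL_MS:x}" version="42"
           installer="com.android.vending" userId="10120">
    <sigs count="1"><cert index="0" key="{TRUSTED_CERT_HEX}" /></sigs>
  </package>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1"
           it="{OLD_INSTALL_MS:x}" ut="{OLD_INSTALL_MS:x}" version="7"
           installer="com.android.vending" userId="10121">
    <sigs count="1"><cert index="0" /></sigs>
  </package>
  <package name="com.secure.update" codePath="/data/app/com.secure.update-1"
           it="{RECENT_INSTALL_MS:x}" ut="{RECENT_INSTALL_MS:x}" version="1"
           installer="com.android.packageinstaller" userId="10199">
    <sigs count="1"><cert index="1" key="{UNKNOWN_CERT_HEX}" /></sigs>
  </package>
</packages>
"""

# Allowlist of signer fingerprints (constructed; in practice populate it from
# vendor-published SHA-256 fingerprints or a known-good image of the same model).
KNOWN_SIGNER_SHA256 = {hashlib.sha256(bytes.fromhex(TRUSTED_CERT_HEX)).hexdigest()}

# Installer values that suggest a user-driven sideload rather than a store install
# (assumed heuristic: missing installer, or the platform package installer itself).
SIDELOAD_INSTALLERS = {None, "", "com.android.packageinstaller",
                       "com.google.android.packageinstaller"}


def cert_fingerprints(sigs, cert_by_index):
    """SHA-256 of each signer cert's DER bytes, resolving index-only back-references."""
    fps = []
    for cert in sigs.iter("cert"):
        idx, key = cert.get("index"), cert.get("key")
        if key:
            cert_by_index[idx] = key        # first definition of this index
        else:
            key = cert_by_index.get(idx)    # later package reusing an earlier cert
        if key:
            fps.append(hashlib.sha256(bytes.fromhex(key)).hexdigest())
    return fps


def triage_packages(xml_text, window_start_ms, known_signers=KNOWN_SIGNER_SHA256):
    """One record per <package>: install metadata plus the triage flags it trips."""
    root = ET.fromstring(xml_text)
    cert_by_index, records = {}, []
    for pkg in root.iter("package"):
        installed_ms = int(pkg.get("it", "0"), 16)
        # Older builds record the installer as `installer`; newer ones as `installInitiator`.
        installer = pkg.get("installer") or pkg.get("installInitiator")
        sigs = pkg.find("sigs")
        fps = cert_fingerprints(sigs, cert_by_index) if sigs is not None else []
        flags = set()
        if not fps or not set(fps) <= known_signers:
            flags.add("unknown_cert")
        if installer in SIDELOAD_INSTALLERS:
            flags.add("sideloaded")
        if installed_ms >= window_start_ms:
            flags.add("installed_in_window")
        records.append({
            "name": pkg.get("name"),
            "code_path": pkg.get("codePath"),
            "installer": installer,
            "installed_at": datetime.fromtimestamp(installed_ms / 1000, tz=timezone.utc).isoformat(),
            "signer_sha256": fps,
            "flags": flags,
        })
    return records


def suspicious(records):
    """Packages worth pulling the APK for (any flag set), most flags first."""
    ranked = sorted(records, key=lambda r: -len(r["flags"]))
    return [r["name"] for r in ranked if r["flags"]]


if __name__ == "__main__":
    recs = triage_packages(SAMPLE_PACKAGES_XML, INCIDENT_WINDOW_START_MS)
    for r in recs:
        print(r["name"], r["installed_at"], r["installer"], sorted(r["flags"]))
    print("pull these APKs:", suspicious(recs))
```

The install timestamp is what lets you line packages.xml up against the connection timeline: a package installed just before the first connection to the bad IP is a very different lead from one installed months earlier. The `code_path` tells you which APK to pull for hashing and static analysis, and the signer fingerprint is what you compare against the vendor's published value before concluding the certificate is truly unknown rather than merely unfamiliar.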

#InvestigationPath #DFIR #SOC