A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must collect
the most volatile date first.
Which of the following is the correct order in which Joe should collect the data?
A. CPU cache, paging/swap files, RAM, remote logging data
B. RAM, CPU cache. Remote logging data, paging/swap files
C. Paging/swap files, CPU
cache, RAM, remote logging data
D. CPU cache, RAM, paging/swap files, remote logging data
The order of volatility from most volatile to least volatile is:
• Data in cache memory, including the processor cache and hard drivecache
• Data in RAM, including system and network processes
• A paging file (sometimes called a swap file) on the system disk drive
• Data stored on local disk drives
• Logs stored on remote systems
• Archive media
3
1