PrepAway - Latest Free Exam Questions & Answers

which Joe should collect the data?

A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data.
Before powering the system off, Joe knows that he must collect the most volatile data first. Which of the
following is the correct order in which Joe should collect the data?

A.
CPU cache, paging/swap files, RAM, remote logging data

B.
RAM, CPU cache, remote logging data, paging/swap files

C.
Paging/swap files, CPU cache, RAM, remote logging data

D.
CPU cache, RAM, paging/swap files, remote logging data

5 Comments on “which Joe should collect the data?”

    1. Mike says:

      Explanation

      Cache – Cache memory is more temporary than regular RAM. This includes central processor (CPU) cache or any other type of cache used in the system. It typically includes recently used data and information used by applications. It is more volatile than regular RAM because a system has significantly less cache memory than regular RAM so it will likely be overwritten quicker than regular RAM.
      RAM – RAM is slightly less volatile than cache memory. It can include information used by the system and network processes. It will be lost if the system is powered down (as will the cache memory).
      Paging file – This is also known as the swap file. It is an extension of RAM but it is stored on the hard drive. The paging file is rebuilt each time the system is rebooted so it is more volatile than regular data stored on a hard drive.
      HDD – Data stored on a hard disk drive (HDD) is semi-permanent. It remains on the hard drive even after the system is powered down and rebooted.
      Logs stored on remote systems – Any data stored on a remote system is less volatile than data stored on the target system. For this reason, many servers send log data to a remote system for centralized collection. Even if the server is completely destroyed, the centralized logs still have key data.
      Archive media – This includes any types of backups or copies of data captured for either recovery or archive purposes. They are generally offline and less likely to be destroyed or corrupted. For example, backup tapes and DVDs can be used as archive media.

      http://blogs.getcertifiedgetahead.com/security-forensic-performance-based-question/
      Answer is D
