PrepAway - Latest Free Exam Questions & Answers

which of the following should be captured based on memo…

When performing data acquisition on a workstation, which of the following should be captured based on memory volatility? (Select two.)


A. USB-attached hard disk

B. Swap/pagefile

C. Mounted network storage

D. ROM

E. RAM


5 Comments on “which of the following should be captured based on memo…

  1. The correct answer is A and E.

    RAM System RAM is one of the most volatile locations of digital evidence you’ll
    encounter as a digital forensics investigator. Because the contents of RAM are subject
    to change constantly, and because it can be wiped out whenever the computer’s power
    is turned off, it is a high priority during evidence collection. You’ll have to worry about
    collecting the contents of RAM if the system is powered on and running. This type of
    collection is called a live response and requires special tools and techniques to collect the
    contents while disturbing the data in RAM as little as possible. Digital evidence located
    in RAM includes running processes, network connections, active applications, active
    user data, and so on. It’s also possible that encryption keys and passwords may exist in
    RAM in an unencrypted state, so they can be gathered as well during a live response.
    Several tools can dump the entire contents of RAM into a file, and other tools can
    be used to gather information selectively on running processes and connections as well.
    These tools may dump this information into a text file or other type of database for
    further analysis. Both techniques should be used to collect as much perishable data as
    possible.

    Hard Drives Hard drives located within the machine are certainly the most valuable
    source of digital evidence, but they are lower down the list in order of volatility, since
    they do not lose their data when powered off or removed from the machine. A hard drive
    does not have to be examined using live response techniques; it should be removed from
    the computer after it has been powered down, and then analyzed later. We’ll discuss the
    techniques used to gather information from hard drives and ensure its integrity later in
    the module.

    Other Media and Sources of Digital Evidence Most other types of media that offer
    a more permanent type of storage than system RAM can be examined after the machine
    has been powered down, inventoried, and taken to a laboratory. These types of media are
    also usually removable, such as optical discs, SD cards, and USB devices. This typically
    makes them the least volatile data, but no less important in the process of collection and
    analysis. As mentioned, you should go ahead and inventory them and start a chain-of-custody
    to protect their integrity.

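The comment above describes selective live-response collection of volatile data such as active network connections, which exist only in RAM and vanish at power-off. The script below is an added example, not code from the original page or from any of the commenters. It parses a snapshot of Linux `/proc/net/tcp` (the raw table a live-response tool would read before the box is shut down), decodes the kernel's hex-encoded endpoints and state codes, and hashes the raw capture before parsing so the digest covers exactly what was collected. The sample table is constructed inline so the script runs offline; it assumes the little-endian byte order of x86 hosts, on which the kernel prints IPv4 addresses with the octets reversed.

```python
"""Added example (not from the original page): selective live-response capture of
active TCP connections from a Linux /proc/net/tcp snapshot, with a SHA-256 of the
raw capture so the collected bytes can be verified later.

Assumptions: /proc/net/tcp format from a little-endian host; the sample below is
constructed, not taken from a real machine. On a live system you would read
/proc/net/tcp and /proc/net/tcp6 directly and hash the bytes before parsing.
"""
import hashlib
import json
import socket
import struct
from datetime import datetime, timezone

# Constructed sample of /proc/net/tcp: header plus three sockets
# (an SSH listener, an established HTTPS session, a TIME_WAIT remnant).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18213 1 0000000000000000 100 0 0 10 0
   1: 1E01A8C0:C3F2 0E00A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 29941 1 0000000000000000 20 4 30 10 -1
   2: 1E01A8C0:D5A4 5DB8D822:0050 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000
"""

# Kernel TCP state codes as printed in the 'st' column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}


def decode_endpoint(hex_endpoint: str) -> tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the 32-bit address word in host byte order, so on a
    little-endian host (assumed here) the octets appear reversed; packing the
    integer as little-endian restores network order for inet_ntoa().
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Turn the raw table into one record per socket."""
    connections = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated row: keep going, never crash mid-capture
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        connections.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(fields[3], f"UNKNOWN({fields[3]})"),
            "uid": int(fields[7]),
            # inode links the socket to a process via /proc/<pid>/fd; 0 means
            # no owning process (typical for TIME_WAIT).
            "inode": int(fields[9]),
        })
    return connections


def capture_connections(raw: str = SAMPLE_PROC_NET_TCP) -> dict:
    """Hash first, parse second: the digest covers the bytes actually collected,
    so the parsed view can be re-derived and checked against it later."""
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "source": "/proc/net/tcp (constructed sample)",
        "sha256": hashlib.sha256(raw.encode()).hexdigest(),
        "connections": parse_proc_net_tcp(raw),
    }


if __name__ == "__main__":
    print(json.dumps(capture_connections(), indent=2))
```

Hashing the raw table rather than the parsed JSON is deliberate: the parser can be re-run and even corrected later, but the evidence that has to be defensible is the bytes taken from the live system. The same pattern (read, hash, then parse) applies to a full RAM dump, where the image file is hashed before any tool touches it.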
  2. JayWalkerIT says:

    E, RAM, this should be obvious.

    For the second answer, I would think B or C.

    The case for swapfile is that it is changing at the moment – it is closest in volatility to RAM of all the choices.
    The case for Network Storage is that active network connections are also very volatile. You could argue that the data on the other end of that network connection could be lost at any moment in some circumstances. However, I don’t think that’s what the question is going for. I think they are assuming the normal case where someone has mapped a network path to their computer and the volatility is no greater than with any other storage device.

    I would answer B and E on a test and never really know if I got it right or not…

  3. meac says:

    I would go for B & E
    • A Hard Disk (USB attached or internal) is still a hard disk so it is not very high in the list of volatility
    • If I disconnect the USB Hard disk, the data shall still be there when I plug it back (unless I did not save it, that is)
    • Also, it assumes that a USB Hard disk is in fact connected in the first place
    B. Swap/pagefile and E. RAM are therefore the best answers as all devices have them and they are cleared once a desktop is shut down

