RAM

System RAM is one of the most volatile locations of digital evidence you’ll encounter as a digital forensics investigator. Because the contents of RAM are subject to change constantly, and because it can be wiped out whenever the computer’s power is turned off, it is a high priority during evidence collection. You’ll have to worry about collecting the contents of RAM if the system is powered on and running. This type of collection is called a live response and requires special tools and techniques to collect the contents while disturbing the data in RAM as little as possible. Digital evidence located in RAM includes running processes, network connections, active applications, active user data, and so on. It’s also possible that encryption keys and passwords may exist in RAM in an unencrypted state, so they can be gathered as well during a live response.

Several tools can dump the entire contents of RAM into a file, and other tools can be used to gather information selectively on running processes and connections as well. These tools may dump this information into a text file or other type of database for further analysis. Both techniques should be used to collect as much perishable data as possible.

Hard Drives

Hard drives located within the machine are certainly the most valuable source of digital evidence, but they are lower down the list in order of volatility, since they do not lose their data when powered off or removed from the machine. A hard drive does not have to be examined using live response techniques; it should be removed from the computer after it has been powered down, and then analyzed later. We’ll discuss the techniques used to gather information from hard drives and ensure its integrity later in the module.

Other Media and Sources of Digital Evidence

Most other types of media that offer a more permanent type of storage than system RAM can be examined after the machine has been powered down, inventoried, and taken to a laboratory. These types of media are also usually removable, such as optical discs, SD cards, and USB devices. This typically makes them the least volatile data, but no less important in the process of collection and analysis. As mentioned, you should go ahead and inventory them and start a chain-of-custody to protect their integrity.
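As an added illustration of the excerpt's two points, acquisition order by volatility and starting a chain of custody, here is example code written for this page (not from the textbook or any commenter). It ranks the sources the thread argues about, decides which must be taken by live response, and opens a hashed custody record; the rank values, function names and the sample dump are assumptions.

```python
import hashlib
from datetime import datetime, timezone
# Volatility rank (lower = more volatile), assumed from the excerpt above and the
# thread's consensus: RAM, then swap/pagefile (the on-disk extension of RAM), then
# fixed or network-mapped disks, then removable media such as optical discs.
VOLATILITY_RANK = {
    "ram": 0,
    "swap/pagefile": 1,
    "internal hard disk": 2,
    "network storage": 2,
    "usb hard disk": 3,
    "optical disc": 4,
}


def plan_collection(sources, powered_on):
    """Return (source, method) pairs in acquisition order, most volatile first.

    Live response only works while the machine runs; RAM cannot be recovered
    afterwards, so it is reported as lost rather than quietly re-queued.
    """
    plan = []
    for src in sorted(sources, key=lambda s: VOLATILITY_RANK[s]):
        if src == "ram" and not powered_on:
            plan.append((src, "lost: system already powered off"))
        elif VOLATILITY_RANK[src] <= 1 and powered_on:
            plan.append((src, "live response"))
        else:
            plan.append((src, "image after shutdown/removal"))
    return plan


def record_custody(item, data, collector):
    """Open the chain of custody for an artefact: who took it, when, and its hash."""
    return {
        "item": item,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_custody(record, data):
    """True only if the artefact still matches the hash taken at collection time."""
    return hashlib.sha256(data).hexdigest() == record["sha256"]


# Constructed sample input: the sources named in the thread and a fake RAM dump.
SOURCES = ["usb hard disk", "optical disc", "ram", "network storage", "swap/pagefile"]
SAMPLE_DUMP = b"\x00" * 16 + b"constructed RAM dump, not real memory"
```

Running `plan_collection(SOURCES, powered_on=False)` shows why the excerpt insists on live response: RAM comes back as lost and only the swap file and disks remain collectable.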
JohnnyMac says:
A is not correct? Your example proves that wrong: “These types of media are also usually removable, such as optical discs, SD cards, and USB devices. This typically makes them the least volatile data.”
The case for swapfile is that it is changing at the moment – it is closest in volatility to RAM of all the choices.
The case for Network Storage is that active network connections are also very volatile. You could argue that the data on the other end of that network connection could be lost at any moment in some circumstances. However, I don’t think that’s what the question is going for. I think they are assuming the normal case where someone has mapped a network path to their computer and the volatility is no greater than with any other storage device.
I would answer B and E on a test and never really know if I got it right or not…
meac says:
I would go for B & E
• A Hard Disk (USB attached or internal) is still a hard disk so it is not very high in the list of volatility
• If I disconnect the USB Hard disk, the data shall still be there when I plug it back (unless I did not save it, that is)
• Also, it assumes that a USB Hard disk is in fact connected in the first place
B. Swap/pagefile and E. RAM are therefore the best answers as all Devices have them and are cleared once a desktop is shutdown
certifist says:
swap/ram because swap is an “extension” on disk of the ram.
The correct answer is A and E.
The correct answers are B & E
http://blogs.getcertifiedgetahead.com/cfr-and-order-of-volatility/
E, RAM, this should be obvious.
For the second answer, I would think B or C.