During a forensic investigation of a compromised server, an analyst needs to collect volatile data. Which of the following represents the BEST order of volatility to follow when collecting evidence?
Offline backups, disk data, memory contents, running processes
Disk data, running processes, memory contents, offline backups
Memory contents, running processes, disk data, offline backups
Running processes, network connections, memory contents, disk data
The correct answer follows the standard order of volatility in digital forensics, which dictates that investigators collect the most volatile data first so that evidence which would otherwise be lost is preserved. The proper order is: (1) contents of memory (RAM, cache), which are lost when power is removed; (2) running processes and network connections, which change quickly but remain while the system is powered; (3) data on disk, which is persistent but can be modified; and (4) offline backups, which are the most stable form of evidence.
The other options present incorrect sequences. The option that begins with disk data incorrectly prioritizes disk data before memory. The option that begins with offline backups incorrectly puts the most stable evidence before volatile memory data. The option that begins with running processes incorrectly collects them before capturing memory contents, which is a critical error since memory contains the most ephemeral data and should be captured first.
ISC2 CISSP
Security Operations