12B - Digital Forensics (Acquisition) Flashcards
What is the Order of Volatility?
The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.
What does the ISOC best practice guide to evidence collection and archiving outline?
The general order of volatility for recovering data after a security incident.
What is the first item in the general order of volatility?
CPU registers and cache memory (including cache on disk controllers, graphics cards, and so on).
What is included in nonpersistent system memory?
Contents of RAM, including routing table, ARP cache, process table, and kernel statistics.
What type of data is found on persistent mass storage devices?
Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
- Partition and file system blocks, slack space, and free space.
- System memory caches, such as swap space/virtual memory and hibernation files.
- Temporary file caches, such as the browser cache.
- User, application, and OS files and directories.
What are system memory caches?
Caches such as swap space/virtual memory and hibernation files.
What type of data is stored in temporary file caches?
Data such as the browser cache.
What types of files and directories are included in user, application, and OS data?
User files, application files, and operating system files and directories.
What is included in remote logging and monitoring data?
Data collected from remote logging and monitoring systems.
What does the physical configuration and network topology refer to?
The arrangement and setup of physical devices and network structure.
What types of media are considered archival media?
Archival media and printed documents.