4.5 Digital Forensics Flashcards
In what order should the digital evidence be collected based on the order of volatility?
From most volatile to least:
- Processor Cache
- Random Access Memory
- Swap File
- Hard Drive or USB Drive
Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power
