Section 31: Digital Forensics Flashcards
Order of Volatility (collect the most volatile evidence first, the least volatile last)
● Registers and cache
o The most volatile data; it changes with every instruction the CPU executes and can only be collected while the computer is powered on
● Routing tables, ARP caches, process tables, kernel statistics, and memory (RAM)
o All of these are altered by the system while it is running, and all of them are lost the moment power is removed
● Temporary file systems
o Often overwritten during normal system operation, and some are deleted when the system is shut down or rebooted
● Disks
o Their contents are updated frequently, but nowhere near as rapidly as processor registers and cache, RAM, or temporary file systems; a running system still writes to disk constantly, so image it as early as is practical
● Remote logging and monitoring data
o This data changes more slowly than the evidence collected so far, because it lives on a system other than the one under investigation, which makes it a lower collection priority
● Physical configurations and network topologies
o This data also changes infrequently, but it is worth collecting to document the state of the network at the time of evidence collection
● Archival media
o Mostly offline and unlikely to change quickly, such as backup tapes, CDs, DVDs, and external hard drives
o Caveat on the Windows registry: its hives are stored on disk, but some of its contents (for example HKLM\HARDWARE) exist only in RAM and are lost at power-off, so treat those portions as volatile data
Disk Imaging
▪ A technique that creates a bit-by-bit copy of a hard disk or USB drive, including the slack space and unallocated space, so that deleted but not yet overwritten data is preserved; the source should be attached through a write blocker, and the image should be hashed (e.g., SHA-256) and compared against the source to prove the copy is exact
Forensic Image
o Forensic Image
▪ Created directly from the original evidence and used for analysis; the original is never worked on
o Forensic Clone
▪ A copy of that forensic image, used as a working copy during analysis, so that any change the tools make to the data affects only the working copy
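The acquisition workflow the two cards above describe (bit-for-bit image of the original, hash verification, then a separate working copy) as an added example; this is not part of the original flashcards. It uses only dd, sha256sum, cp and grep, and the "evidence drive" is a constructed 1 MiB file with a marker planted in space no file system allocates, standing in for a real block device such as /dev/sdX behind a write blocker.

```shell
#!/bin/sh
# Added example, not from the original flashcards.
# Demonstrates: dd bit-for-bit imaging, hash verification of the image against the
# source, and creation of a verified working copy (the "forensic clone").
set -eu

make_sample_device() {
    # Constructed stand-in for an evidence drive: 1 MiB of zeros with a string written
    # at offset 512 KiB, where no file system structure points at it ("unallocated").
    dev="$1"
    dd if=/dev/zero of="$dev" bs=1024 count=1024 2>/dev/null
    printf 'DELETED-FILE-REMNANT' | dd of="$dev" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

image_disk() {
    # Bit-by-bit copy of the whole device, not of files, so slack and unallocated
    # space come along. conv=noerror,sync keeps reading past bad sectors and pads
    # them with zeros instead of aborting.
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

verify_copy() {
    # Prints "match" and returns 0 when the two files hash identically.
    a=$(hash_file "$1"); b=$(hash_file "$2")
    if [ "$a" = "$b" ]; then echo match; return 0; fi
    echo MISMATCH; return 1
}

make_working_copy() {
    # The clone is taken from the image, never from the original evidence,
    # and is verified before any tool is allowed to touch it.
    cp "$1" "$2"
    verify_copy "$1" "$2" >/dev/null
}

contains_remnant() {
    # Count of matches for the planted marker: proves unallocated space was imaged.
    grep -ac 'DELETED-FILE-REMNANT' "$1"
}

run_demo() {
    work=$(mktemp -d)
    make_sample_device "$work/evidence.dd"
    image_disk "$work/evidence.dd" "$work/image.raw"
    echo "image vs source: $(verify_copy "$work/evidence.dd" "$work/image.raw")"
    make_working_copy "$work/image.raw" "$work/clone.raw"
    echo "clone vs image:  $(verify_copy "$work/image.raw" "$work/clone.raw")"
    echo "remnant found in image: $(contains_remnant "$work/image.raw")"
    rm -rf "$work"
}

run_demo
```

Two caveats a practitioner should expect: with conv=sync the final partial block is zero-padded, so on a device whose size is not a multiple of bs (or one with unreadable sectors) the image hash will legitimately differ from the source hash, which is why the hash of the source is recorded at acquisition time; and on a real system the source must be read through a write blocker, since dd alone does nothing to prevent the operating system from writing to the drive.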
Memory Snapshot or Memory Dump
Memory capture follows the same workflow as disk imaging: acquire the contents of RAM with a trusted tool, hash the resulting dump, and analyze a working copy rather than the original. The difference is that the capture must run on the live system and unavoidably changes some of the memory it is collecting, so record the tool, its version, and the time of capture