Sec+ - Data volatility

Data volatility

This is a measure of how quickly data disappears from a system and is an essential part of assessing the likelihood of collecting the most valuable evidence.

CPU Registers and Cache

The volatility of data stored in these two places is extremely high; data can be lost within milliseconds.

High

The data held in the RAM, routing table, ARP cache, process table, and kernel statistics has __ volatility (very high, high, moderate, low, or very low)

Random Access Memory

What does RAM stand for?

RAM

This part of your computer is short-term memory where the data and instructions for currently running programs is held.

ARP cache

This cache keeps a list of each IP address and its matching MAC address.

Temporary File Systems

This type of data storage stores locations for temporary files used by the operating system and applications, like swap files

Disk and Storage

In this category, data remains until it is intentionally erased or overwritten. It includes hard drives, USB drives, and SSDs.

Moderate

Temporary File Systems have __ volatility (very high, high, moderate, low, or very low)

Remote Logging

The volatility of this data storage varies. This group logs and monitors data stored on remote servers.

Archival Media

This type of media has extremely low volatility. It includes tape backups and off-site drives.

Physical Configuration, Network Topology.

This is the hardware setup and network structure of a system. It has low volatility, but is not the lowest in the hierarchy.

Disk imaging

This process involves creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space

Legal hold

This concept requires the implementation of preservation practices to protect systems and evidence. It ensures evidence is not tampered with, deleted, or lost in the case litigation is expected.