210-255 · Question #130
According to NIST 86, which action describes the volatile data collection?
The correct answer is A. Collect data before system reboot. Volatile data resides in active system memory and is permanently lost upon reboot or shutdown, so NIST SP 800-86 requires it to be collected before any restart occurs.
Question
According to NIST 86, which action describes the volatile data collection?
Options
- ACollect data before system reboot
- BCollect data while rebooting
- CCollect data after rebooting
- DCollect data that contains malware
How the community answered
(20 responses)- A90% (18)
- C5% (1)
- D5% (1)
Why each option
Volatile data resides in active system memory and is permanently lost upon reboot or shutdown, so NIST SP 800-86 requires it to be collected before any restart occurs.
NIST SP 800-86 establishes the order of volatility, directing examiners to collect the most transient data first - including RAM contents, active network connections, and running processes - because this data is destroyed the moment the system is rebooted or powered off. Collecting before a reboot preserves evidence such as encryption keys, injected malware, and live session data that would otherwise be unrecoverable. This sequencing is a foundational requirement of volatile evidence collection.
During a reboot the system is actively clearing volatile memory, making data collection impossible at that stage.
After rebooting, all volatile memory contents have already been erased and cannot be recovered.
Collecting data that contains malware describes a type or category of evidence, not the timing or method of volatile data collection.
Concept tested: Volatile data collection order of volatility NIST 800-86
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
Topics
Community Discussion
No community discussion yet for this question.