nerdexam
Cisco

210-255 · Question #130

According to NIST 86, which action describes the volatile data collection?

The correct answer is A. Collect data before system reboot. Volatile data resides in active system memory and is permanently lost upon reboot or shutdown, so NIST SP 800-86 requires it to be collected before any restart occurs.

Host-Based Analysis

Question

According to NIST 86, which action describes the volatile data collection?

Options

  • ACollect data before system reboot
  • BCollect data while rebooting
  • CCollect data after rebooting
  • DCollect data that contains malware

How the community answered

(20 responses)
  • A
    90% (18)
  • C
    5% (1)
  • D
    5% (1)

Why each option

Volatile data resides in active system memory and is permanently lost upon reboot or shutdown, so NIST SP 800-86 requires it to be collected before any restart occurs.

ACollect data before system rebootCorrect

NIST SP 800-86 establishes the order of volatility, directing examiners to collect the most transient data first - including RAM contents, active network connections, and running processes - because this data is destroyed the moment the system is rebooted or powered off. Collecting before a reboot preserves evidence such as encryption keys, injected malware, and live session data that would otherwise be unrecoverable. This sequencing is a foundational requirement of volatile evidence collection.

BCollect data while rebooting

During a reboot the system is actively clearing volatile memory, making data collection impossible at that stage.

CCollect data after rebooting

After rebooting, all volatile memory contents have already been erased and cannot be recovered.

DCollect data that contains malware

Collecting data that contains malware describes a type or category of evidence, not the timing or method of volatile data collection.

Concept tested: Volatile data collection order of volatility NIST 800-86

Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Topics

#volatile data#NIST SP 800-86#digital forensics#data collection

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice