210-255 Question #130: Real Exam Question with Answer & Explanation

The correct answer is A: Collect data before system reboot.

Host-Based Analysis

Question

According to NIST 86, which action describes the volatile data collection?

Options

  • A. Collect data before system reboot
  • B. Collect data while rebooting
  • C. Collect data after rebooting
  • D. Collect data that contains malware

Explanation

Volatile data resides in active system memory and is permanently lost upon reboot or shutdown, so NIST SP 800-86 requires it to be collected before any restart occurs.

Common mistakes.

  • B. During a reboot the system is actively clearing volatile memory, making data collection impossible at that stage.
  • C. After rebooting, all volatile memory contents have already been erased and cannot be recovered.
  • D. Collecting data that contains malware describes a type or category of evidence, not the timing or method of volatile data collection.

Concept tested. Volatile data collection, order of volatility, NIST SP 800-86.

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Topics

volatile data, NIST SP 800-86, digital forensics, data collection
