EC-Council

312-49 · Question #53

312-49 Question #53: Real Exam Question with Answer & Explanation

The correct answer is A: True.

Submitted by yaw92 · Apr 18, 2026 · Computer Forensics Investigation Process

Question

When collecting electronic evidence at the crime scene, the collection should proceed from the most volatile to the least volatile.

Options

  • A. True
  • B. False

Explanation

This is a foundational principle in digital forensics defined by RFC 3227 (Guidelines for Evidence Collection and Archiving). Volatile data — such as CPU registers, RAM contents, running processes, and network connections — is lost the moment power is removed or the system state changes. Therefore, investigators must capture the most volatile data first (e.g., RAM dumps, active connections) before moving to less volatile sources like swap/page files, then local disk, and finally archival or remote storage. Reversing this order risks losing critical evidence permanently.

Topics

#Evidence collection · #Order of volatility · #Digital forensics principles · #Crime scene investigation
