CompTIA
CAS-002 · Question #874
CAS-002 Question #874: Real Exam Question with Answer & Explanation
The correct answer is C: Snapshots of data on the monitor. Digital forensics follows the order of volatility, requiring investigators to capture the most transient data first before it is permanently lost.
Question
In a situation where data is to be recovered from an attacker's location, which of the following are the FIRST things to capture? (Select TWO).
Options
- A. Removable media
- B. Passwords written on scrap paper
- C. Snapshots of data on the monitor
- D. Documents on the printer
- E. Volatile system memory
- F. System hard drive
Explanation
Digital forensics follows the order of volatility, requiring investigators to capture the most transient data first before it is permanently lost.
Common mistakes.
- A. Removable media is non-volatile storage that retains data without power and can be collected safely after more volatile evidence is secured.
- B. Passwords written on paper are stable physical artifacts that will not change or disappear due to system state changes, so they are lower priority than volatile digital evidence.
- D. Documents on the printer are stable physical items that can be collected after volatile digital evidence without risk of data loss.
- F. The system hard drive is non-volatile persistent storage and is imaged after volatile memory and on-screen data per the standard order of volatility.
Concept tested. Digital forensics order of volatility
Reference. https://www.nist.gov/publications/guide-integrating-forensic-techniques-incident-response