SY0-501 Question #68: Real Exam Question with Answer & Explanation

Question

A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must collect the most volatile date first. Which of the following is the correct order in which Joe should collect the data?

Options

• ACPU cache, paging/swap files, RAM, remote logging data
• BRAM, CPU cache. Remote logging data, paging/swap files
• CPaging/swap files, CPU cache, RAM, remote logging data
• DCPU cache, RAM, paging/swap files, remote logging data

Explanation

Digital forensics requires collecting evidence in order of volatility, from most to least volatile, to preserve data that is most likely to be lost first. The correct order follows the forensic principle of capturing ephemeral data before more persistent data.

Common mistakes.

• A. This order is incorrect because it places paging/swap files before RAM, when RAM is significantly more volatile than swap files since swap files reside on persistent disk storage while RAM is entirely lost on power-off.
• B. This order is incorrect because it lists RAM before CPU cache, when CPU cache (registers and L1/L2/L3 cache) is more volatile and should be captured first before RAM contents are collected.
• C. This order is incorrect because paging/swap files are placed first despite being stored on disk and therefore less volatile than both CPU cache and RAM, which are entirely memory-resident and lost immediately upon power loss.

Concept tested. Digital forensics order of volatility data collection

Reference. https://www.rfc-editor.org/rfc/rfc3227

No community discussion yet for this question.