From the course: Incident Response: Evidence Collection in Windows
Volatile and nonvolatile data
- [Instructor] While collecting physical evidence is pretty easy, collecting virtual evidence is much more difficult. For example, if you want to collect files from a hard drive, you have to be concerned with whether those files will be changed by your collection actions. This becomes an even bigger challenge when you're dealing with memory or network data, because these are extremely volatile as you're trying to collect them. Now, data can either be volatile or non-volatile. Volatile data is any data that's stored in memory, or exists in transit. And that can be lost when a computer powers down or is turned off. Volatile data resides in registries, cache, and random access memory. Essentially, volatile data is easily changed, and therefore, we want to make sure we collect it first. Non-volatile data on the other hand is any data that can be retrieved even after the computer loses power or is turned off. This data…
Contents
- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the data/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)