From the course: Incident Response: Evidence Collection in Windows

Volatile and nonvolatile data

- [Instructor] While collecting physical evidence is pretty easy, collecting virtual evidence is much more difficult. For example, if you want to collect files from a hard drive, you have to be concerned with whether those files will be changed by your collection actions. This becomes an even bigger challenge when you're dealing with memory or network data, because these are extremely volatile as you're trying to collect them. Now, data can either be volatile or non-volatile. Volatile data is any data that's stored in memory, or exists in transit. And that can be lost when a computer powers down or is turned off. Volatile data resides in registries, cache, and random access memory. Essentially, volatile data is easily changed, and therefore, we want to make sure we collect it first. Non-volatile data on the other hand is any data that can be retrieved even after the computer loses power or is turned off. This data…
