During an incident investigation, a forensic analyst needs to collect volatile data from a compromised Windows server before it is shut down. Which data should be collected first based on order of volatility?

Question

Accepted Answer

A. Running processes and active network connections in memory. The order of volatility principle in digital forensics requires collecting the most volatile (shortest-lived) data first. Running processes and active network connections in RAM are lost when a system is powered down and must be collected first. The CySA+ exam objectives cover forensic analysis under the incident management lifecycle. Hard disk data, logs, and backups are persistent and remain available after shutdown.

During an incident investigation, a forensic analyst needs to collect volatile data from a compromised Windows server before it is shut down. Which data should be collected first based on order of volatility?

Related Questions

Discussion