RFC 3227
Definition
Guidelines for Evidence Collection and Archiving, published by the IETF in February 2002. It defines the order of volatility, the documentation requirements for live evidence collection, and the principle that the collection process should alter evidence as little as possible.
Related terms
- Chain of custody: The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Live response: The process of collecting evidence and triage data from a running system without first powering it down. Preserves volatile artefacts that would...
- Memory-resident malware: Malicious code that executes entirely in RAM and writes no files to disk. Fileless malware, PowerShell-based loaders, and certain rootkits fall into...
- Non-volatile data: Data that persists without power, such as files on a hard disk, SSD, or optical media, and data in non-volatile memory chips....
- Volatile data: Any digital information that is lost when power is removed or the system state changes. Examples include RAM contents, CPU register values,...
Explained in
- Volatile Data and the Order of Volatility: Guidelines for Evidence Collection and Archiving, published by the IETF in February 2002. It defines the order of volatility, the documentation requirements fo...