Volatile data

Definition

Any digital information that is lost when power is removed or the system state changes. Examples include RAM contents, CPU register values, active network connections, the ARP cache, and the process table. Volatile data must be collected while the system is running.

Related terms

Chain of custody
The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
Live acquisition
Forensic data collection performed on a running, powered-on system. Captures volatile data and allows imaging of encrypted volumes while decryption keys are...
Live response
The process of collecting evidence and triage data from a running system without first powering it down. Preserves volatile artefacts that would...
Memory-resident malware
Malicious code that executes entirely in RAM and writes no files to disk. Fileless malware, PowerShell-based loaders, and certain rootkits fall into...
Non-volatile data
Data that persists without power, such as files on a hard disk, SSD, or optical media, and data in non-volatile memory chips....
Preservation order
A legal instrument directing a service provider to retain specific data for a defined period pending receipt of a production order or...
RFC 3227
Guidelines for Evidence Collection and Archiving, published by the IETF in February 2002. It defines the order of volatility, the documentation requirements...
Triage
The structured process of evaluating an alert to determine whether it is a genuine security incident and, if so, what severity level...
Write blocker
A hardware or software device interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching...