Which of the following is the correct order of volatility from most to least volatile

Which of the following is the correct order of volatility from MOST to LEAST volatile?

  • A. Memory, temporary filesystems, routing tables, disk, network storage
  • B. Cache, memory, temporary filesystems, disk, archival media
  • C. Memory, disk, temporary filesystems, cache, archival media
  • D. Cache, disk, temporary filesystems, network storage, archival media

Suggested Answer: B

A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must collect the most volatile data first. Which of the following is the correct order in which Joe should collect the data?

A. CPU cache, paging/swap files, RAM, remote logging data

B. RAM, CPU cache, remote logging data, paging/swap files

C. Paging/swap files, CPU cache, RAM, remote logging data

D. CPU cache, RAM, paging/swap files, remote logging data

I chose D, but according to the site where I found this, they say it's B.

Order of volatility is one of several procedures a computer forensics examiner must follow when collecting evidence. The examiner first acquires the evidence most likely to vanish, known as the most volatile data, then the next most volatile item, and so on until no more evidence is available. In a nutshell, that sequence is the order of volatility.

In this post, we will discuss the CompTIA order of volatility. Let’s dive in!

On this website, we provide thousands of free CompTIA Security+ practice test questions to help users prepare and familiarize themselves with the test format. If you're planning to get your cert, do not hesitate to take them!

What is the order of volatility?


In forensics, the order of volatility is the sequence in which evidence should be gathered. Highly volatile data, such as the contents of memory, is lost as soon as a machine is powered off. Printouts, by contrast, are persistent and far less volatile. The graph below illustrates the order of volatility in computer forensics from most to least volatile.

Securely collecting electronic evidence is covered in Domain 10 of the CyberSec First Responder (CFR) objectives, Investigating Cybersecurity Incidents. It is an important concept for first responders: without a correct understanding of volatility, they can quickly destroy potential evidence simply by how they handle a system.

You should already know this if you have taken the Security+ exam; it is so important that it appears in almost every IT security certification exam.

Caches and registers

Data held in memory is the most volatile. This includes the contents of CPU registers, CPU caches, and system random access memory (RAM).

Data in CPU registers and caches is the most volatile because the storage is tiny and is overwritten continuously: simply running any activity on the machine flushes it. Data in RAM is likely to be retained somewhat longer. In practice, register and cache contents cannot be captured from a running system with ordinary tools, so the first item a responder actually acquires is a RAM image.

However, if you turn off the computer, all data in registers, CPU caches, and RAM will be lost.

Virtual memory

A swap file or paging file is virtual memory: a file on the system disc drive that lets the operating system extend physical RAM. It is less volatile than RAM because it resides on the hard drive and survives the machine being switched off.

However, when the machine is turned back on, the swap file is recreated or overwritten. In other words, if the machine is restarted, the contents of virtual memory are effectively lost.

Disk drives

Data files saved on hard drives remain there until they are erased or the drive fails. Traditional hard disc drives, flash drives, and solid-state drives (SSDs) all fall into this category. It's worth noting that forensic tools can often recover files that users have deleted, although on SSDs the TRIM command may cause the drive to wipe freed blocks, making recovery of deleted data far less reliable than on a traditional hard disc.


Backups and printouts

The least volatile data is saved on backups or printouts. This includes both classic backup methods like magnetic tapes and non-traditional backup methods like optical discs.

What about data from a remote network?

Data from a remote network is not stored on the computer in question. It can contain things like network cache and remote logs.

A network cache is data cached on another system that computers on the network share. A proxy server, for example, may hold cached web pages that it serves to a computer without fetching them again from the Internet. If you want to see exactly what the user saw, the proxy cache is a good place to look.

Despite the fact that the network cache is not stored on the system computer, it is volatile and will not last indefinitely on the network computer. You may think of network cache as having about the same level of volatility as virtual memory for the CFR test. It is less volatile than the system computer’s RAM but more volatile than data saved on disc drives.

When compared to other elements mentioned in the CFR test, the following graph depicts the relative volatility of network cache and remote logs.

Any logs kept on remote systems are referred to as remote logs. Firewall logs, intrusion detection systems logs, and proxy server logs are all examples of this. A proxy server log, for example, will reveal the URL of a website that a user accessed, whereas the proxy cache will contain the exact page that the user saw.

Of course, real logs don't look like the ones in the illustration. Showing the logs on fire, though, is a useful reminder that nothing is absolutely non-volatile. It is still critical to make forensically sound copies and safeguard all data gathered.
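The categories above describe what to collect and in what order; the script below turns that into a live-response collector. It is an added example for this page, not code from CompTIA, the CFR course, or any vendor tool. It orders acquisitions by the IETF volatility tiers (RFC 3227 section 2.1), records a SHA-256 hash of every artifact in a manifest so the copy can later be shown to be intact, and notes rather than silently omits anything it cannot read. The Linux /proc paths, command lines, file names, and evidence layout are this example's own assumptions; registers and CPU cache cannot be read from user space, and a full RAM image needs a kernel module or hypervisor snapshot, so the "memory" tier here captures the kernel's view of memory rather than an image.

```python
"""Live-response collector that acquires artifacts in order of volatility.

Added example (not from CompTIA, CFR or any vendor).  Tiers follow RFC 3227
section 2.1.  Sources are Linux /proc files or common commands; the specific
commands, file names and evidence layout are assumptions of this example.
"""
import hashlib
import json
import os
import subprocess
import time

# Volatility tier per RFC 3227 section 2.1 (1 = most volatile).  The same
# table drives the collection order and the ordering check below.
TIER = {
    "registers": 1, "cache": 1,
    "routing table": 2, "arp cache": 2, "process table": 2,
    "kernel statistics": 2, "memory": 2,
    "temporary filesystems": 3,
    "disk": 4,
    "remote logs": 5,
    "physical configuration": 6, "network topology": 6,
    "archival media": 7,
}

# (category, artifact name, source).  A source beginning with "/" is read as
# a file; anything else is run as a command (argv list).  Registers and CPU
# cache are not collectable from user space, so they have no entry.
ARTIFACTS = [
    ("arp cache",             "arp_cache",     "/proc/net/arp"),
    ("routing table",         "routing_table", "/proc/net/route"),
    ("process table",         "process_table", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("kernel statistics",     "kernel_stats",  "/proc/stat"),
    ("memory",                "meminfo",       "/proc/meminfo"),
    ("temporary filesystems", "tmp_listing",   ["ls", "-la", "/tmp"]),
    ("disk",                  "mounts",        "/proc/mounts"),
    ("disk",                  "disk_usage",    ["df", "-h"]),
]


def is_volatility_ordered(categories):
    """True if every category is at least as volatile as the one after it."""
    tiers = [TIER[c] for c in categories]
    return all(a <= b for a, b in zip(tiers, tiers[1:]))


def collection_plan(artifacts=ARTIFACTS):
    """Artifacts sorted most-volatile first; the sort is stable within a tier."""
    return sorted(artifacts, key=lambda a: TIER[a[0]])


def acquire(source, timeout=15):
    """Read a file or run a command; return bytes, or None if unavailable."""
    try:
        if isinstance(source, str):
            with open(source, "rb") as fh:
                return fh.read()
        return subprocess.run(source, capture_output=True,
                              timeout=timeout, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return None


def collect(evidence_dir, artifacts=ARTIFACTS):
    """Acquire each artifact in volatility order, hash it, write a manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = []
    for category, name, source in collection_plan(artifacts):
        entry = {"tier": TIER[category], "category": category, "name": name,
                 "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
        data = acquire(source)
        if data is None:
            entry["status"] = "unavailable"   # record the gap, never hide it
        else:
            path = os.path.join(evidence_dir, name + ".txt")
            with open(path, "wb") as fh:
                fh.write(data)
            entry.update(status="ok", file=name + ".txt",
                         sha256=hashlib.sha256(data).hexdigest())
        manifest.append(entry)
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(evidence_dir, manifest):
    """Return names of collected artifacts whose file no longer matches its hash."""
    bad = []
    for entry in manifest:
        if entry["status"] != "ok":
            continue
        with open(os.path.join(evidence_dir, entry["file"]), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                bad.append(entry["name"])
    return bad


if __name__ == "__main__":
    import sys
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    for e in collect(out_dir):
        print(e["tier"], e["name"], e["status"])
```

Run it as `python collect.py /mnt/evidence` from a known-good copy of the interpreter, ideally on removable media, and write the output somewhere other than the suspect's disc so that the collection itself does not overwrite deleted data. The `is_volatility_ordered` helper uses the same tier table to check any proposed sequence, which is exactly what the practice question at the top of this page asks: of the four options, only "cache, memory, temporary filesystems, disk, archival media" is non-decreasing in volatility.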

Volatile or temporary memory

Volatile memory is memory hardware that reads and writes data quickly but holds it only while the system is running; it is also called temporary memory. The data remains in volatile memory for as long as the system is powered, and once the system is shut off it is automatically lost. RAM (random access memory) and cache memory are examples of volatile memory.

The majority of RAM (random access memory) utilized in personal computers for primary storage is volatile memory. RAM is faster to read and write to than other types of computer storage, such as a hard disc or portable media. The data in RAM, on the other hand, only exists while the computer is running; when the machine is turned off, RAM loses its contents.

Non-volatile memory, on the other hand, does not lose its contents when power is removed. It needs neither a constant supply of power nor a periodic refresh to retain the information it stores.

The bottom line

To secure any potential evidence, first responders must grasp the order of volatility. Data in CPU registers, caches, and memory is the most volatile. If the machine is restarted, it is lost.

Virtual memory (also known as a swap file) is saved on a hard drive, but it is rebuilt every time the machine is turned on. Network cache has about the same level of volatility as virtual memory for the CFR test.

Data on a disc drive often remains recoverable even after a user tries to delete it.

Backups on tapes and optical discs have extremely low volatility. Remote logs likewise have a very low level of volatility.


Candidates must also be familiar with a variety of other basic forensic processes in order to pass the Security+ exam. CompTIA order of volatility is one of them. Everything you need to know about it is covered in the above article. We hope it is of use to you. Thanks!

What is the order of volatility?

The order of volatility is the sequence or order in which the digital evidence is collected. The order is maintained from highly volatile to less volatile data. Highly volatile data resides in the memory, cache, or CPU registers, and it will be lost as soon as the power to the computer is turned off.

Which of the following is the correct order of volatility from most to least?

The correct order from most volatile to least volatile is central processing unit (CPU) cache, virtual memory (a file on the hard drive), solid-state drive (SSD), and a printout.

What type of evidence has the lowest priority in order of volatility?

The IETF document on evidence collection (RFC 3227, Guidelines for Evidence Collection and Archiving) explains that collection should start with the most volatile item and end with the least volatile item. According to the IETF, the order of volatility begins: registers, cache; routing table, ARP cache, process table, kernel statistics, ... and ends with archival media, which therefore has the lowest collection priority.

Is RAM more volatile than CPU cache?

Data worked on by the central processing unit (CPU) is held in the CPU cache. A system has less cache than regular RAM so data in cache is more likely to be overwritten sooner than data in regular RAM. In other words, the CPU cache is more volatile than regular RAM and should be collected first if possible.