A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are MOST volatile and should be preserved? (Choose two.)
Memory cache and temporary filesystems are considered the most volatile types of media because they contain information that can be easily overwritten or lost when the system is restarted or powered off. Memory cache, also known as RAM, is used to temporarily store data and commands that are frequently accessed by the computer's processor. This data is not permanently stored on the computer's hard drive, making it vulnerable to being lost or overwritten when the system is restarted.
Temporary filesystems, also known as temp files, are used to store data that is temporarily needed for a specific process or task. These files are not meant to be permanent and are usually deleted when the task is completed. However, in some cases, these files may contain important information that is relevant to a digital forensics investigation. If not properly preserved, this data can be easily lost or overwritten, making it important for the digital forensics investigator to preserve these types of media.
CompTIA... for an old Sec+ the answer for such a question had the option for Swap/Temp files... wonder if they actually have an engineer look over their questions or just bureaucrats...
Temporary filesystems are another type of volatile storage that are used to store temporary data and files. They are typically used by applications during runtime and may contain important data that can be lost when the system is shut down or restarted.
The main reference as seen from the book for order of volatility can be seen here:
The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227
Based on the order of volatility, memory cache is first and then swap volume (i.e. paging file for Windows), because both can be erased when rebooting. https://blogs.getcertifiedgetahead.com/cfr-and-order-of-volatility/
I am torn on this one. We know Memory Cache is a given, so we are left with Swap volume (swap space) or Temp files. I would lean to Temp files since most of what you would need besides that is Cache.
References:
NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
SANS Institute, Digital Forensics and Incident Response (DFIR) Fundamentals Course.
This is a tricky one - both the swap file and the temporary files are highly volatile - I don't know which would be put above the other and I can't find any reference that specifies this.