What is some of the volatile information you would retrieve from a computer system before powering it off?

If you’re planning on taking the CyberSec First Responder (CFR) exam, you should understand the order of volatility. For example, can you answer this question?

Q. Consider the following computer elements that can contain data used for digital forensics.

  • Printout
  • CPU cache
  • SSD
  • Virtual memory

Which of the following accurately identifies the correct order of volatility from most volatile to least volatile?

A. Printout, CPU cache, SSD, virtual memory

B. CPU cache, printout, virtual memory, SSD

C. SSD, virtual memory, printout, CPU cache

D. CPU cache, virtual memory, SSD, printout

Moreover, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

In forensics, order of volatility refers to the order in which you should collect evidence. Highly volatile data, such as data in memory, is easily lost when you turn off a computer. Data such as printouts is relatively permanent and is the least volatile. The following graphic shows the order of volatility from most volatile to least volatile.

Domain 10 of the CyberSec First Responder objectives (Investigating Cybersecurity Incidents) specifically mentions securely collecting electronic evidence. This is an extremely important concept for first responders. Without the proper knowledge, they can easily destroy potential evidence.

If you took the Security+ exam, this should be familiar. However, it is so important you’ll find it repeated in almost any IT security certification exam.

Caches and Registers

Data in memory is the most volatile. This includes data in central processor unit (CPU) registers, caches, and system random access memory (RAM).

The data in cache and CPU registers is the most volatile, mostly because the storage space is so small. Just by performing actions with the computer, you can flush the data out of this space. Data in memory will likely stay there longer.

However, if you power down the computer, you will lose all the data in registers, CPU caches, and RAM.

Virtual Memory

Virtual memory is also known as a swap file or a paging file. It is a file stored on the system disk drive and extends the amount of RAM available to a computer. Because it is on the disk drive, it is less volatile than RAM and won’t necessarily be lost if the computer is turned off.

However, the swap file is rebuilt when the computer is powered back on. In other words, if you reboot the computer, you lose the virtual memory.

Disk Drives

Data files stored on disk drives will remain there until steps are taken to erase them, or the disk drive fails. This includes traditional hard disk drives, flash drives, and solid state drives (SSDs). It’s worth mentioning that even when users delete files, forensic tools can retrieve them in many situations.

Backups and Printouts

Data stored on backups or printouts is the least volatile. This includes traditional backup methods such as magnetic tapes and other methods such as optical discs.

What About Remote Network Data?

Remote network data is external to the computer of interest. It can include items such as network cache and remote logs.

Network cache is data stored on a system accessible by computers in the network. For example, a proxy server includes cached Web pages that can be served to a computer without retrieving them from the Internet again. This can be useful if you want to view exactly what the user viewed.

Even though the network cache is not stored on the system computer, it is volatile and won’t stay on the network computer forever. For the CFR exam, you can think of network cache at about the same level of volatility as virtual memory. It is less volatile than RAM on the system computer, but more volatile than traditional data stored on disk drives.

The following graphic shows the relative volatility of network cache and remote logs, when compared to other elements referenced in the CFR exam.

Remote logs are any logs stored on remote systems. This includes logs on firewalls, intrusion detection systems, and proxy servers. For comparison, a proxy server log will show the URL of a website that a user visited, but the proxy cache will contain the exact page as it looked when the user visited it.

Of course, logs don’t look exactly like they’re represented in the graphic. However, seeing the logs on fire provides a good reminder that nothing is completely non-volatile. It’s still important to create forensically sound copies, and protect all collected data.

Order of Volatility Summary

First responders need to understand the order of volatility to ensure they protect any potential evidence. The most volatile data includes data in CPU registers, caches, and memory. It is lost if the computer is rebooted. Virtual memory (a swap file) is stored on a disk drive, but is rebuilt when the computer is rebooted. For the CFR exam, network cache is on about the same level of volatility as virtual memory. Data on disk drives will stay there, often even after a user attempts to delete it. Backups on tapes and optical discs have a very low level of volatility. Similarly, remote logs have a very low level of volatility.
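The collection order summarized above, as an added example that is not part of the original post: a POSIX shell script for a live Linux host that captures memory-resident state first, then swap and disk metadata, and records a SHA-256 hash of every artifact so the copies can be verified later. The function names, output file names and choice of commands are assumptions; imaging RAM itself needs a dedicated acquisition tool and must be done before any of this.

```shell
#!/bin/sh
# Added example: live-response collection in order of volatility (Linux).
# Write OUTDIR to external collection media, never to the suspect disk.

# capture OUTDIR NAME CMD...: run CMD, save its output, hash the result.
capture() {
    outdir=$1; name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        # Tool missing on this host: note it and keep going.
        echo "SKIPPED $name ($1 not found)" >> "$outdir/collection.log"
        return 0
    fi
    # A failing command must not stop the rest of the collection.
    "$@" > "$outdir/$name.txt" 2>> "$outdir/collection.log" || true
    ( cd "$outdir" && sha256sum "$name.txt" >> manifest.sha256 )
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $name: $*" >> "$outdir/collection.log"
}

# collect_volatile OUTDIR: most volatile sources first.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : > "$outdir/manifest.sha256"
    # 1. Memory-resident state: lost at power-off, changes by the second.
    capture "$outdir" 01_network_connections ss -tanup
    capture "$outdir" 02_arp_cache ip neigh show
    capture "$outdir" 03_logged_on_users who -a
    capture "$outdir" 04_processes ps -eo pid,ppid,user,lstart,args
    # 2. Virtual memory: on disk, but rebuilt at the next boot.
    capture "$outdir" 05_swap_devices cat /proc/swaps
    # 3. Disk: survives power-off, so it is recorded last.
    capture "$outdir" 06_mounted_filesystems cat /proc/mounts
}

# verify_collection OUTDIR: succeeds only if every artifact still
# matches the hash recorded at collection time.
verify_collection() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}
```

Run it as `collect_volatile /path/to/external/case01`, then `verify_collection` on the same directory before handing the evidence over.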


Q. Consider the following computer elements that can contain data used for digital forensics.

  • Printout
  • CPU cache
  • SSD
  • Virtual memory

Which of the following accurately identifies the correct order of volatility from most volatile to least volatile?

A. Printout, CPU cache, SSD, virtual memory

B. CPU cache, printout, virtual memory, SSD

C. SSD, virtual memory, printout, CPU cache

D. CPU cache, virtual memory, SSD, printout

Answer is D. The correct order from most volatile to least volatile is central processor unit (CPU) cache, virtual memory (a file on the hard drive), solid state drive (SSD), and a printout.

A printout is semi-permanent (unless it’s burned or shredded), so it is the least volatile, making all of the other answers incorrect.


What are the main sources of volatile data on a PC?

This includes data in central processor unit (CPU) registers, caches, and system random access memory (RAM). The data in cache and CPU registers is the most volatile, mostly because the storage space is so small. Just by performing actions with the computer, you can flush the data out of this space.

What are examples of volatile data?

Difference between Volatile Memory and Non-Volatile Memory.

What collects volatile data that would be lost by pulling the plug on a live system?

Live forensics collects live data, starting with a RAM image and then collecting other live data "as required", such as network connection state, logged-on users, currently executing processes, etc.

What is volatile data on a computer?

Data on a live system that is lost after a computer is powered down.