Chapter 3. Volatile Data Collection

This chapter is dedicated to some issues that are related to the acquisition of data, which has changed very fast. Due to its nature, it reflects the state of the system at a certain time because the collection of data takes place on a live system.

The Request for Comments RFC 3227 document provides a list of digital evidence and the order in which it should be collected. The main principle that should guide this is that the most rapidly changing data should be collected first.

The list of evidence from RFC comprises the following:

  • Registers and cache CPU
  • Routing table, ARP cache, process table, kernel statistics, and memory
  • Temporary filesystems
  • Disk
  • Remote logging and monitoring data that is relevant to the system's ...

Get Practical Windows Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.