Define volatile data and its relevance in live digital investigations.

Volatile data is information stored in RAM that only exists while the system is powered on. It can be lost as soon as power is removed, so it must be captured quickly in a live investigation. This data shows the system’s current state: what processes are running, active network connections, files currently open, and memory-resident credentials or encryption keys. Because memory contents can change rapidly or be overwritten, investigators aim to image or collect this volatile data before shutdown to preserve a snapshot of the live activity. Non-volatile data on disk, encrypted at rest, or cloud backups persists beyond power cycles and doesn’t carry the same time-sensitive value for understanding the immediate state of the system.