When collecting data during a live incident, which data type should be prioritized due to volatility?

Multiple Choice

Explanation:
When collecting data during a live incident, you prioritize volatile data—what’s currently in RAM. RAM contents are lost as soon as power is removed, so capturing them right away preserves memory-resident information such as running processes, loaded modules, active network connections, opened files, and in some cases credentials or encryption keys kept in memory. This snapshot helps you understand what the attacker did, what malware is doing in memory, and how the system state evolved in real time.

Hard disk images, email archives, and remotely stored network logs are valuable, but they are non-volatile and can be collected after you’ve preserved the volatile evidence. They won’t vanish immediately when the incident occurs, so they’re important to gather as follow-up, once memory has been captured.
