The correct answer is D. Routing table. The routing table is volatile evidence: it is held in RAM and can change or be lost when the system is isolated from the network, powered down, rebooted, or otherwise modified. In incident response and forensics, volatile evidence is collected before less volatile evidence, so the live routing table must be captured before any of the disk-resident items listed in the other options.
Exact supporting extract: the Sybex CySA+ Practice Tests explanation states that routing tables are typically stored in RAM, making them highly volatile. It also explains the order of volatility from least to most volatile as backups/printouts, disk drives, virtual memory, and finally CPU cache, registers, and RAM.
The Sybex CySA+ Study Guide states that forensic acquisition must account for the order of volatility, meaning how easily data can be lost. It explains that memory and cache data are highly volatile and may be lost if the system is powered off, while disk data is much less volatile.
The Secbay CySA+ guide also states that the order of volatility must be followed because failing to do so will likely result in evidence being lost. It specifically notes that volatile data is kept in areas such as CPU cache and memory, while archived media persists for much longer.
Why the other options are incorrect:
A. Hard disk is persistent storage and can be imaged later using forensic procedures.
B. Primary boot partition is also persistent disk evidence.
C. Malicious files are important, but files on disk are less volatile than memory-resident network state.
E. Static IP address is configuration information that persists on disk and survives a reboot, so it is far less volatile than the active routing table.
D is correct because the routing table should be captured before isolation changes the server’s active network state.
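The collection order the explanation describes, written out as a runnable script. This is an added example and is not taken from the Sybex or Secbay material: the command list (Linux iproute2 tools), the output directory and the record format are this example's own assumptions. It runs the most volatile items first (routing table, ARP cache, sockets, processes), hashes each capture for the evidence log, and records a missing tool as an error rather than aborting, so one failed capture does not cost the remaining volatile artifacts.

```python
"""Collect volatile artifacts in order of volatility, most volatile first.

Added example (not from the Sybex or Secbay material): the command list,
the output directory and the record format are this example's assumptions.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Collection plan, most volatile first: in-memory network state (routing
# table, ARP cache, sockets) is taken before anything that can be imaged
# from disk later. Commands assume a Linux host with iproute2; adjust per OS.
VOLATILE_PLAN = [
    ("routing_table", ["ip", "route", "show"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("sockets", ["ss", "-tanp"]),
    ("logged_in_users", ["who"]),
    ("process_list", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
]


def run_and_hash(name, argv, runner=subprocess.run):
    """Run one collector and return a record with its stdout and SHA-256.

    A missing tool, a timeout or a non-zero exit is recorded, not raised:
    one failed capture must not stop the remaining artifacts being taken.
    """
    record = {
        "name": name,
        "command": " ".join(argv),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "output": None,
        "sha256": None,
        "error": None,
    }
    try:
        proc = runner(argv, capture_output=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        record["error"] = f"{type(exc).__name__}: {exc}"
        return record
    record["output"] = proc.stdout.decode("utf-8", errors="replace")
    record["sha256"] = hashlib.sha256(proc.stdout).hexdigest()
    if proc.returncode != 0:
        stderr = proc.stderr.decode("utf-8", errors="replace").strip()
        record["error"] = f"exit {proc.returncode}: {stderr}"
    return record


def collect_volatile(plan=VOLATILE_PLAN, runner=subprocess.run):
    """Execute the plan top to bottom; the returned list keeps that order."""
    return [run_and_hash(name, argv, runner) for name, argv in plan]


def write_evidence(records, out_dir):
    """Write each capture plus a manifest of hashes and timestamps."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for rec in records:
        if rec["output"] is not None:
            (out / f"{rec['name']}.txt").write_text(rec["output"])
    # The manifest carries everything except the raw output, so the hashes
    # can be checked against the capture files during custody review.
    manifest = [{k: v for k, v in r.items() if k != "output"} for r in records]
    manifest_path = out / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


if __name__ == "__main__":
    # Run this before isolating the host: isolation rewrites the live
    # network state that the first three collectors capture.
    recs = collect_volatile()
    path = write_evidence(recs, "/tmp/volatile-evidence")  # assumed location
    for r in recs:
        print(f"{r['name']:<20} {r['error'] or r['sha256']}")
    print("manifest:", path)
```

Disk images, the boot partition and files on disk are deliberately absent from the plan: they are acquired afterwards with a write blocker or an offline image, because nothing in them changes when the network cable is pulled.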