Which of the following types of digital evidence is temporarily stored in a digital device that requires constant power supply and is deleted if the power supply is interrupted?
Process memory (RAM) is a type of digital evidence that is temporarily stored and requires a constant power supply to retain information. If the power supply is interrupted, the information stored in process memory is lost. This type of evidence can include data about running programs, user actions, system events, and more, making it crucial for forensic analysis, especially in identifying actions taken by both users and malware. Collecting data from process memory helps incident responders understand the state of the system at the time of an incident and can reveal valuable information that is not persisted elsewhere on the device.
References:Incident handling and response training, such as the CREST CPTIA program, emphasize the importance of collecting and analyzing volatile data, including process memory, to effectively investigate and respond to cybersecurity incidents.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit