What are the differences between 'disk-based forensics' and 'memory-based forensics,' including typical artifacts?


Multiple Choice

What are the differences between 'disk-based forensics' and 'memory-based forensics,' including typical artifacts?

Explanation:
Disk-based forensics focuses on data at rest stored on disks and relies on artifacts that persist on disk, such as file system metadata and on-disk structures like registry hives and the NTFS Master File Table (MFT). Memory-based forensics captures volatile data from RAM, showing the system’s live state: which processes are running, open network connections, loaded modules, and credentials or tokens resident in memory. Because memory contents are transient, RAM must be acquired while the system is still powered on; disk analysis can be performed later from a forensic image, but that image won’t reflect the live state at the time of acquisition. In practice, disk forensics reveals what existed on disk and how it was organized (files, timestamps, on-disk artifacts), whereas memory forensics reveals what the system was doing at the moment of capture (active processes, network activity, loaded libraries, secrets in memory). The other statements don’t fit because they misstate where artifacts come from or how memory and disk data relate to each other.

