What is the difference between volatile and non-volatile data in incident response?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test.

Multiple Choice

What is the difference between volatile and non-volatile data in incident response?

Explanation:
Volatile data refers to information that only exists in the system’s temporary memory (RAM) and is lost when power is removed or the system reboots. This includes the current state of running processes, open network connections, loaded modules, running services, and other memory-resident artifacts. Because it can disappear in an instant, responders capture memory first using memory dumps or live-response tools to preserve it before turning off or rebooting the machine.

Non-volatile data sits on persistent storage such as disks or solid-state drives and remains intact across reboots. This category covers files, logs, registry hives, configuration data, installed software, and other artifacts stored on disk. Analyzing non-volatile data provides a longer-term view of what happened and is typically done after imaging the disk or collecting file-based evidence.

The principle you’re after is that memory is ephemeral and must be acquired first, while disk/drive contents persist and can be analyzed later. Cloud or VM contexts still follow the same idea: RAM is volatile, disk volumes are non-volatile.
