Order of Volatility and Acquisition Choices
Key Takeaways
- Order of volatility prioritizes evidence that disappears fastest, such as CPU state, memory, network state, and running processes.
- Acquisition choices depend on incident goals, system state, legal requirements, business impact, and evidence volatility.
- Live acquisition can preserve volatile evidence but may change the system.
- Dead-box acquisition can reduce system changes but loses volatile state.
- Responders should document acquisition methods, tools, timestamps, hashes, and limitations.
Order of Volatility and Acquisition Choices
Order of volatility means collecting the most temporary evidence first. The principle is spelled out in RFC 3227 (Guidelines for Evidence Collection and Archiving): some evidence disappears the moment a system loses power or a process exits, while other evidence may remain for months. The investigator should prioritize what is most likely to vanish while still considering safety, authorization, and business impact.
Volatility Examples
Within each column, items run from more volatile at the top to less volatile at the bottom. Everything in the left column is lost or altered when the system is powered off; everything in the right column survives a shutdown.
| More volatile | Less volatile |
|---|---|
| CPU registers and cache | Disk files |
| RAM contents | Installed applications |
| Running processes | Offline disk images |
| Active network connections | Backups and archived logs |
| Routing and ARP tables | Long-term storage |
| Temporary files | Printed documentation |
Security+ questions may not require deep tool knowledge. They often test whether you understand that memory, running processes, and active network connections should be captured before powering off or reimaging a system.
Acquisition Choices
| Choice | When useful | Risk or limitation |
|---|---|---|
| Memory capture | Malware may be fileless, keys may be in RAM, process state matters | Loading the capture tool itself changes memory and may write to disk |
| Live response commands | Need active network connections, logged-in users, running processes | Commands can alter timestamps or state, and the response tooling appears in the evidence |
| Disk image | Need deleted files, persistence, file metadata, offline analysis | Misses activity that existed only in memory |
| Log export | Need identity, network, cloud, or application timeline | Logs may be incomplete, already rotated past retention, or normalized differently across sources |
| Packet capture | Need traffic content or protocol details | Encrypted traffic limits visibility to metadata (endpoints, timing, volume) |
| Snapshot | Cloud or virtual systems need quick preservation | Snapshot consistency depends on platform and timing; a disk-only snapshot still loses memory |
PBQ-Style Scenario
A server is still powered on. EDR reports a suspicious process, and firewall logs show active outbound connections. Legal has approved evidence collection. The system is not safety critical.
Reasonable order:
1. Photograph or record visible state and basic system details.
2. Capture volatile data such as memory, running processes, logged-in users, and network connections.
3. Export relevant logs from endpoint, identity, firewall, and application sources.
4. Acquire a forensic disk image or platform snapshot.
5. Hash and secure collected evidence.
6. Analyze verified copies.
If the same server controlled life safety or industrial equipment, the decision could change. Safety and operational risk may override ideal evidence order. That is why incident response involves business and technical owners.
Live Versus Dead-Box
Live acquisition collects evidence from a running system. It is useful for volatile state but can change the system. Dead-box acquisition powers down or removes media for imaging. It can protect disk evidence but loses memory and active network details.
The right choice depends on what question must be answered. If the investigation needs encryption keys, injected processes, or active connections, live capture may be important. If the system is already powered off, do not power it on casually just to look around: booting writes to the disk (journal replay, log entries, update checks, scheduled tasks) and alters timestamps before anything has been imaged.
Common Traps
- Pulling the plug before considering memory and active connections.
- Running many unapproved tools on the original system without documentation.
- Capturing a disk image but forgetting cloud logs where the activity occurred.
- Failing to record tool versions and timestamps.
- Assuming acquisition is perfect and not documenting limitations.
- Powering on a seized laptop without a forensic plan.
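The collection steps from the PBQ scenario above (volatile data first, then hash and secure the output) and the documentation traps in this list, as an added example that is not part of the original page. It is a small POSIX shell script for a Linux host, and everything in it is this example's own design: the output layout, the log format, the list of commands. It assumes it runs as root from a trusted toolkit and that the output directory is on removable or remote storage rather than the suspect disk. It does not acquire RAM itself (that needs a dedicated memory acquisition tool); instead it records that gap as a limitation, which is the point of the last two traps.

```shell
#!/bin/sh
# Added example, not from the original page: live volatile-data collection
# on Linux with a timestamped log, tool provenance, and a hash manifest.
# Assumptions: run as root, output on trusted media, tools from a known kit.

# SHA-256 of a file. Falls back across common implementations and returns a
# marker rather than silently skipping when no hashing tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "HASH-UNAVAILABLE"
    fi
}

# Append one UTC-timestamped line to the collection log.
log_line() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1/collection.log"
}

# Run one collection command. Records the tool's resolved path and binary
# hash (stronger than a version string), the exit status, and a LIMITATION
# entry when the tool is missing, instead of aborting the whole collection.
run_step() {
    dir="$1"; name="$2"; shift 2
    tool=$(command -v "$1" 2>/dev/null) || tool=""
    if [ -z "$tool" ]; then
        log_line "$dir" "LIMITATION $name: '$1' not available on this host; step skipped"
        return 0
    fi
    rc=0
    "$@" > "$dir/$name.txt" 2>> "$dir/$name.stderr" || rc=$?
    log_line "$dir" "STEP $name: '$*' exit=$rc tool=$tool tool_sha256=$(hash_file "$tool")"
}

# Collect in order of volatility, then hash everything once the log is
# closed so the manifest covers the log as well as the artifacts.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir"
    log_line "$dir" "BEGIN collection host=$(uname -n) collector_uid=$(id -u)"
    run_step "$dir" 01-system    uname -a
    # A full RAM image needs a dedicated tool; document the gap explicitly.
    log_line "$dir" "LIMITATION memory: full RAM image not captured by this script"
    run_step "$dir" 02-routes    cat /proc/net/route
    run_step "$dir" 03-arp       cat /proc/net/arp
    run_step "$dir" 04-processes ps -eo pid,ppid,user,etime,args
    run_step "$dir" 05-users     who
    run_step "$dir" 06-sockets   ss -tanp
    run_step "$dir" 07-tcp-raw   cat /proc/net/tcp
    log_line "$dir" "END collection"
    : > "$dir/manifest.sha256"
    for f in "$dir"/*; do
        case "$f" in */manifest.sha256) continue ;; esac
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$dir/manifest.sha256"
    done
}

# Recompute every hash in the manifest. Returns 0 only if all files are
# present and unchanged; otherwise prints what differs and returns 1, so
# analysis proceeds on a verified copy or not at all.
verify_manifest() {
    dir="$1"; bad=0
    while read -r expected name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        actual=$(hash_file "$dir/$name")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name"; bad=1
        fi
    done < "$dir/manifest.sha256"
    return "$bad"
}
```

Usage is `collect_volatile /mnt/evidence/host01` on the running host, then `verify_manifest /mnt/evidence/host01` on the copy you intend to analyze. The manifest uses the two-space `sha256sum -c` format, so it can also be checked with standard tools. Note that `/proc/net/tcp` is captured alongside `ss` on purpose: if `ss` is missing or altered, the raw kernel view still survives, and the log shows which of the two the investigator actually got.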
Practice Questions
- PBQ style: A running workstation is suspected of fileless malware. Place evidence collection steps in a defensible order.
- Why might an investigator perform live acquisition?
- A laptop is already powered off and is needed for a formal investigation. What is the safest general approach?