![](https://static.wixstatic.com/media/01839c_4b2e811e7eb44908b4a8061de632bec7~mv2.png/v1/fill/w_980,h_693,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/01839c_4b2e811e7eb44908b4a8061de632bec7~mv2.png)
This post covers the two kinds of data (artifacts, or evidence) an investigator works with, volatile and non-volatile, and how each is used in an investigation. I explain step by step what volatile and non-volatile data are.
Volatile Data
Volatile data is held in memory (Random Access Memory); when you shut down the computer, all volatile data is lost.
Volatile information on a computer includes:
System time
Logged on user
Network Information
Open Files
Network Connection
Network Status
Process Information
Process-to-port mapping
Process memory
Mapped drives
Shares
Clipboard Contents
Service/driver information
Command history
Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). The investigation of this volatile data is called “live forensics”.
Volatile data could provide evidence of system or Internet activity which may assist in providing evidence of illegal activity or, for example, whether files or an external device was being accessed on that date, which may help to provide evidence in cases involving data theft.
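One way to capture several of the volatile items listed above before a system is powered off, with a SHA-256 recorded for each output so the evidence can be checked later. This is an added example, not code from the original post; the Linux commands in `PLAN` and the names `collect` and `verify` are assumptions.

```python
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# Assumed mapping from the post's volatile-data items to common Linux commands.
# Run tools from trusted response media; binaries on a suspect host may be altered.
PLAN = [
    ("System time", ["date", "-u"]),  # first, so later items fit a timeline
    ("Logged on user", ["who", "-a"]),
    ("Network connection / process-to-port mapping", ["ss", "-tunap"]),
    ("Process information", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("Open files", ["lsof", "-n"]),
    ("Network status", ["ip", "addr"]),
]


def collect(plan=PLAN, timeout=30):
    """Run each command once; return a manifest with a SHA-256 per output."""
    manifest = []
    for item, cmd in plan:
        entry = {"item": item, "command": cmd,
                 "collected_utc": datetime.now(timezone.utc).isoformat()}
        if shutil.which(cmd[0]) is None:
            entry["status"] = "tool not found"  # record the gap, keep going
        else:
            try:
                out = subprocess.run(cmd, capture_output=True, timeout=timeout)
                text = out.stdout.decode(errors="replace")
                entry.update(status="ok", exit_code=out.returncode, output=text,
                             sha256=hashlib.sha256(text.encode()).hexdigest())
            except (subprocess.TimeoutExpired, OSError) as exc:
                entry["status"] = f"failed: {type(exc).__name__}"
        manifest.append(entry)
    return manifest


def verify(manifest):
    """Recompute hashes later to show the stored output was not altered."""
    return all(hashlib.sha256(e["output"].encode()).hexdigest() == e["sha256"]
               for e in manifest if e["status"] == "ok")


if __name__ == "__main__":
    print(json.dumps(collect(), indent=2))
```

Write the manifest to external media or send it over the network rather than to the suspect system's own disk, so the collection does not overwrite non-volatile evidence.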
Non-Volatile Data
Non-volatile data is digital information that is persistently stored within a file system on some form of electronic medium and is preserved in a specific state when power is removed. The file system is commonly the largest and richest source of potential digital evidence that can be analyzed during a forensic investigation.
Non-volatile data storage can be classified into two types:
Mechanically addressed systems
Electrically addressed systems
Other Non-Volatile Information:
Web Browser Cache
Cookies
Temporary Files