
Volatile vs Non-Volatile Data Acquisition

Lesson 17/47 | Study Time: 20 Min

Volatile vs non-volatile data acquisition is a fundamental distinction in computer and cyber forensics: volatile data is lost as soon as the system loses power or restarts, while non-volatile data persists reliably on storage media.

This prioritization guides investigators to capture ephemeral evidence like RAM contents first, followed by stable disk images, ensuring comprehensive coverage without unnecessary system disruption.

Understanding these categories enables efficient, forensically sound strategies tailored to incident urgency and system constraints.

Defining Volatile and Non-Volatile Data

Volatile data exists only in active memory and powered states, vanishing with shutdowns or crashes. Non-volatile data remains intact on physical storage regardless of power status.

Note: Volatility classification follows a hierarchy, dictating acquisition order to preserve time-sensitive clues.


1. Volatile data: RAM, CPU caches, running processes, network connections, mounted volumes.

2. Non-volatile data: Hard drives, SSDs, USBs, file systems, persistent logs.


This hierarchy ensures critical runtime artifacts survive for analysis.

Volatile Data Acquisition Techniques

Live systems demand rapid, minimal-impact capture to avoid altering evidence.

Note: Performed on running endpoints/servers; tools minimize footprint.


1. Memory dumping: Acquisition tools such as WinPMEM create RAM images, which frameworks such as Volatility then parse for process/malware analysis.

2. Process and service enumeration: Tools such as pslist (and netstat for the sockets each process holds) capture running executables and their command lines.

3. Network state: Capture open connections, ARP tables, listening ports via scripts.

4. System state: Screenshots, clipboard contents, mounted drives lists.

5. Sequence: RAM first (highest volatility), then processes/network, before shutdown. Agents like Velociraptor automate across fleets.

Non-Volatile Data Acquisition Methods

Stable media allows methodical imaging once the volatile data has been collected.

Note: Dead acquisition (imaging powered-off media) is preferred for integrity; it uses write-blockers.


1. Full disk imaging: Bit-for-bit copies (dd, FTK Imager) including unallocated space.

2. Logical extraction: Active files/logs only (faster for large drives).

3. Partition-specific: Target volumes via mount points.


Verification: SHA-256 hashes of source and copy must match; document the tools and parameters used.
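The imaging and verification steps above, as an added example rather than code from the lesson: a dd-style bit-for-bit copy that hashes the stream as it is read, zero-fills unreadable blocks so offsets stay aligned (the behaviour of dd conv=noerror,sync), re-hashes the finished image, writes a JSON acquisition record with the parameters, and then performs the independent source/copy hash comparison the lesson calls for. Function names, the 1 MiB block size and the record file name are this example's own choices; write-blocking of the source is assumed to come from hardware or the OS.

```python
import hashlib
import json
import os
import time
from typing import Any, Dict, Tuple

BLOCK_SIZE = 1024 * 1024  # 1 MiB reads, the equivalent of dd bs=1M (chosen for this example)


def sha256_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """Stream a file (or block device) through SHA-256 without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source: str, image: str, block_size: int = BLOCK_SIZE) -> Dict[str, Any]:
    """Bit-for-bit copy of `source` into `image`.

    The stream is hashed as it is read, unreadable blocks are zero-filled so offsets stay
    aligned (what dd conv=noerror,sync does), and the finished image is re-hashed from disk
    so the record shows that what was written equals what was read. Write-blocking of the
    source is assumed to be provided by hardware or the OS; this code does not enforce it.
    """
    stream_hash = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError as exc:
                # Unreadable region: record it, substitute zeros, skip past it.
                bad_blocks.append({"offset": offset, "error": str(exc)})
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)
            if not chunk:
                break
            stream_hash.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # the image must be on stable storage before it is hashed

    record = {
        "tool": "acquire_image (example script)",
        "source": source,
        "image": image,
        "block_size": block_size,
        "bytes_copied": offset,
        "bad_blocks": bad_blocks,
        "stream_sha256": stream_hash.hexdigest(),
        "image_sha256": sha256_file(image, block_size),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["write_verified"] = record["stream_sha256"] == record["image_sha256"]
    with open(image + ".acquisition.json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)  # the parameters and results the report must cite
    return record


def verify_image(source: str, image: str) -> Tuple[bool, str, str]:
    """Independent re-hash of source and copy: the source/copy check the lesson requires.

    Only meaningful when the source is static (dead acquisition through a write-blocker):
    a live, changing source will not hash identically, and zero-filled bad blocks will also
    produce a mismatch that the acquisition record explains.
    """
    src_hash = sha256_file(source)
    img_hash = sha256_file(image)
    return src_hash == img_hash, src_hash, img_hash


if __name__ == "__main__":
    # Usage: image a device or file, then verify. Paths are placeholders.
    rec = acquire_image("/dev/sdX", "evidence.img")
    print(json.dumps(rec, indent=2))
    print("source/copy match:", verify_image("/dev/sdX", "evidence.img")[0])
```

Keeping the acquisition-time stream hash separate from the post-copy verification matters in practice: the first proves the copy was written faithfully even when bad sectors were substituted, the second is the clean source-equals-copy statement that only a static source can satisfy.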


Strategic Acquisition Order (Volatility Tiers)

Follow established tiers to optimize preservation.

Note: Based on NIST/SANS models; tier 1 is lost fastest.


Tier 1 (Highest volatility): Physical memory, CPU registers.

Tier 2: Network connections, running processes.

Tier 3: Disk caches, swap files.

Tier 4: Persistent storage (HDD/SSD).


Workflow: Live response → Power down → Image non-volatiles. Servers may require a hybrid approach (live capture of volatiles plus hot-swapped disks).
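A live-response collector that follows the tier order above and the volatile techniques listed earlier (processes and command lines, network state, ARP table, mounted volumes, then swap and memory statistics), written as an added example for this lesson rather than code from it. It reads the Linux /proc interface directly so it has no tool dependencies, hashes every artifact as it is captured and records the capture time and tier in a manifest. Physical memory (tier 1) is deliberately left to a kernel-level dumper such as WinPMEM or LiME and disks (tier 4) to a separate imaging step. The /proc/net/tcp sample is constructed for the example; function names and the manifest layout are this example's own.

```python
import hashlib
import json
import socket
import struct
import time
from pathlib import Path
from typing import Dict, List, Optional

# /proc/net/tcp state codes (hex) as used by the Linux kernel.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample of /proc/net/tcp (not captured from a real host): one listener on
# 127.0.0.1:22 and one established session from 10.0.2.15 to 203.0.113.10:443.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)


def _decode_addr(field: str) -> str:
    """'0100007F:0016' (IPv4 in host byte order, hex) -> '127.0.0.1:22'."""
    ip_hex, port_hex = field.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(ip_hex, 16)))}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> List[Dict[str, str]]:
    """Turn the raw /proc/net/tcp table into readable connection records."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "uid": f[7], "inode": f[9]})
    return conns


def _read_text(path: str) -> Optional[str]:
    try:
        return Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None  # not Linux, or not permitted: recorded as unavailable, never silently skipped


def collect_processes() -> Optional[str]:
    """PID, comm and full command line of every live process, as JSON text."""
    proc = Path("/proc")
    if not proc.is_dir():
        return None
    procs = []
    for p in sorted(proc.glob("[0-9]*"), key=lambda d: int(d.name)):
        try:
            comm = (p / "comm").read_text().strip()
            cmdline = (p / "cmdline").read_bytes().replace(b"\x00", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # the process exited between listing and reading; normal on a live host
        procs.append({"pid": p.name, "comm": comm, "cmdline": cmdline})
    return json.dumps(procs, indent=1)


def _connections() -> Optional[str]:
    raw = _read_text("/proc/net/tcp")
    return None if raw is None else json.dumps(parse_proc_net_tcp(raw), indent=1)


def collect_volatile(outdir: str) -> List[Dict[str, object]]:
    """Capture user-space volatile artifacts in order of volatility, hashing each one."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    steps = [  # (tier, artifact name, producer) in capture order: tier 2 before tier 3
        (2, "processes", collect_processes),
        (2, "tcp_connections", _connections),
        (2, "arp_table", lambda: _read_text("/proc/net/arp")),
        (2, "mounts", lambda: _read_text("/proc/mounts")),
        (3, "swap_devices", lambda: _read_text("/proc/swaps")),
        (3, "meminfo", lambda: _read_text("/proc/meminfo")),
    ]
    manifest = []
    for tier, name, producer in steps:
        entry = {"tier": tier, "artifact": name,
                 "captured_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
        content = producer()
        if content is None:
            entry["status"] = "unavailable"
        else:
            data = content.encode("utf-8")
            (out / f"{name}.txt").write_bytes(data)
            entry.update(status="ok", file=f"{name}.txt",
                         sha256=hashlib.sha256(data).hexdigest())  # per-artifact integrity record
        manifest.append(entry)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=1), encoding="utf-8")
    return manifest


if __name__ == "__main__":
    print(json.dumps(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), indent=1))
    print(json.dumps(collect_volatile("./volatile_capture"), indent=1))
```

Writing the capture to a directory on removable or network storage rather than the evidence disk, and recording "unavailable" instead of skipping a source, are the two habits that keep the resulting manifest defensible: the examiner can state exactly what was and was not collected, and when.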

Challenges and Best Practices

Each category presents unique hurdles addressed through preparation.


Note: Balance completeness with minimal alteration.


Pitfalls: Shutting down before collecting volatiles (loses in-memory malware hooks); incomplete or undocumented hashes.

Integration in Full Investigations

Volatile data reveals runtime attacks (injected DLLs, C2 channels); non-volatile data provides persistence evidence (dropped files, timelines). Correlate via timestamps: a process start time in RAM should match the corresponding prefetch artifact.

In ransomware scenarios: Volatile network connections trace C2; the non-volatile NTFS $LogFile shows the encryption sequence. Modern tools blend the tiers seamlessly, but these principles ensure defensibility.
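The timestamp correlation described above, as an added example that is not part of the lesson: in-memory process start times (the kind of record a memory pslist produces) are paired with prefetch run times within a small tolerance, and processes with no prefetch corroboration are reported separately because they are the ones that need a closer look. All records are constructed for the example, including the prefetch file names, and the function name and tolerance are this example's own choices.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample data (not from a real case), already normalised to UTC.
MEMORY_PROCESSES = [
    {"pid": 4120, "name": "svchost.exe", "start": "2024-03-12T09:14:02Z"},
    {"pid": 5308, "name": "updater.exe", "start": "2024-03-12T09:14:05Z"},
    {"pid": 6012, "name": "rundll32.exe", "start": "2024-03-12T09:20:41Z"},
]
PREFETCH_RECORDS = [
    {"file": "SVCHOST.EXE-ABC12345.pf", "executable": "svchost.exe",
     "run_times": ["2024-03-12T09:14:01Z", "2024-03-11T17:03:55Z"]},
    {"file": "UPDATER.EXE-0F0F0F0F.pf", "executable": "updater.exe",
     "run_times": ["2024-03-12T09:14:04Z"]},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_start_times(memory: List[Dict], prefetch: List[Dict],
                          tolerance_seconds: int = 5) -> Tuple[List[Dict], List[Dict]]:
    """Pair each in-memory process with the closest prefetch run time of the same
    executable within `tolerance_seconds`. Returns (matched, unmatched)."""
    matched, unmatched = [], []
    for proc in memory:
        start = _ts(proc["start"])
        best = None
        for pf in prefetch:
            if pf["executable"].lower() != proc["name"].lower():
                continue
            for run in pf["run_times"]:
                delta = abs((start - _ts(run)).total_seconds())
                # Prefetch records the launch; memory records the process object's
                # creation time, so a few seconds of skew is expected.
                if delta <= tolerance_seconds and (best is None or delta < best["delta_s"]):
                    best = {"pid": proc["pid"], "name": proc["name"], "prefetch": pf["file"],
                            "run_time": run, "delta_s": delta}
        if best is None:
            unmatched.append(proc)  # no corroborating prefetch run: examine further
        else:
            matched.append(best)
    return matched, unmatched


if __name__ == "__main__":
    hits, gaps = correlate_start_times(MEMORY_PROCESSES, PREFETCH_RECORDS)
    for h in hits:
        print(f"pid {h['pid']} {h['name']} <-> {h['prefetch']} (skew {h['delta_s']:.0f}s)")
    for g in gaps:
        print(f"pid {g['pid']} {g['name']}: no prefetch match near {g['start']}")
```

The unmatched list is where the two tiers earn their keep together: a process that exists in RAM but left no prefetch trace near its start time is exactly the case the lesson warns about losing when a machine is powered down before volatile collection.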

Alexander Cruise


Product Designer
