The Order of Volatility
RFC 3227 establishes the order of volatility, guiding collection priorities based on how quickly evidence may be lost:
- CPU Registers and Cache: Nanoseconds
- System Memory (RAM): Lost on power down
- Network State: Seconds to minutes
- Running Processes: Minutes to hours
- Disk Storage: Days to years
- Backup Media: Years to decades
- Printed Documentation: Decades
This hierarchy drives collection procedures, emphasizing the need to capture volatile data before moving to more persistent sources.
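The following live-response script is an added example, not part of the original page. It collects Linux host evidence in the order listed above and records a UTC timestamp and SHA-256 digest for each artifact. The tier numbers (an item's position in the list), the tool choices (`ss`, `ip`, `ps`, `mount`, `df`) and the manifest format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): collect evidence most volatile first.
# Point the output directory at external media, not the disk under examination.

# collect TIER NAME CMD [ARGS...]: save CMD output, then log time and digest.
collect() {
    tier=$1; name=$2; shift 2
    out="$EVIDENCE_DIR/${tier}_${name}.txt"
    status=ok
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || status="exit_$?"
    else
        # A missing tool is recorded, not silently ignored.
        echo "tool not found: $1" >"$out"; status=skipped
    fi
    digest=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$tier" "$name" "$status" "$digest" >>"$EVIDENCE_DIR/manifest.tsv"
}

# collect_volatile DIR: run every step in order of volatility.
collect_volatile() {
    EVIDENCE_DIR=$1
    mkdir -p "$EVIDENCE_DIR" || return 1
    # Tier 1 (CPU registers, cache) is not reachable from a userland script.
    # Tier 2 (RAM): image memory with a dedicated acquisition tool BEFORE
    # running anything below; that step is outside this script.
    # Tier 3: network state (seconds to minutes)
    collect 3 sockets   ss -tanup
    collect 3 arp_cache ip neigh show
    collect 3 routes    ip route show
    # Tier 4: running processes (minutes to hours)
    collect 4 processes ps -eo pid,ppid,user,lstart,args
    # Tier 5: disk state (days to years); metadata only, image the disk separately
    collect 5 mounts    mount
    collect 5 disk_use  df -h
}

# Stand-alone use: sh collect.sh /mnt/evidence/case-dir
if [ -n "${1:-}" ]; then collect_volatile "$1"; fi
```

The manifest rows appear in acquisition order, so a reviewer can confirm from the timestamps that no lower tier was collected before a higher one.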