SY0-601: CompTIA Security+ Exam | Memory Volatility and Data Acquisition

Which Data Should be Captured Based on Memory Volatility?

Question

When performing data acquisition on a workstation, which of the following should be captured based on memory volatility? (Choose two.)

Answers

Explanations

A. USB-attached hard disk
B. Swap/pagefile
C. Mounted network storage
D. ROM
E. RAM

BE.

When performing data acquisition on a workstation, it is important to capture volatile information held in memory. This can include processes, network connections, and other data that may not be stored on the hard disk.

The two options that are based on memory volatility are:

E. RAM - RAM (Random Access Memory) is volatile memory that stores data temporarily while the system is running. Any data that is currently being used by the system or applications is stored in RAM. RAM data is lost when the computer is turned off or restarted. Capturing the RAM can help to preserve data that may be lost when the system is shut down.

B. Swap/pagefile - A swap file or pagefile is a portion of the hard disk that is used as virtual memory when RAM is full. Data that is swapped to the pagefile can include information about running processes and applications. Capturing the pagefile can help to preserve information about the system's state at the time of acquisition.

Option A (USB-attached hard disk), option C (mounted network storage), and option D (ROM) are not based on memory volatility and are not likely to contain data that could be lost when the system is shut down.