Information Technology Specialist (ITS) Cybersecurity Practice Exam

Prepare for the Information Technology Specialist Cybersecurity Exam with comprehensive flashcards and multiple choice questions. Each question features helpful hints and explanations. Get confident for your exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What is the correct order for collecting digital evidence from a computer system?

  1. Contents of Fixed Disk, Archived Backup, Contents of RAM

  2. Contents of RAM, Archived Backup, Contents of Fixed Disk

  3. Archived Backup, Contents of RAM, Contents of Fixed Disk

  4. Contents of RAM, Contents of Fixed Disk, Archived Backup

The correct answer is: Contents of RAM, Contents of Fixed Disk, Archived Backup

The correct order for collecting digital evidence prioritizes the volatility of the data and the potential for data loss.

First, the contents of RAM should be collected. RAM (Random Access Memory) is volatile, meaning it loses all its stored data when the power is turned off. Collecting the data in RAM first ensures that valuable and time-sensitive information, such as active sessions, running processes, and unsaved data, is preserved before any changes to the system can occur.

Next, the contents of the fixed disk are collected. Unlike RAM, the fixed disk (or hard drive) retains data even when the computer is powered off, making it less volatile. However, it is still important to collect this evidence promptly, as changes to the system could occur due to various factors, such as software updates, automatic processes, or malware.

Finally, archived backups should be collected. These backups are typically stored in less volatile environments and can be accessed later without immediate urgency. By collecting the archived backups last, the forensic investigator ensures that they are preserving the original state of the system and not inadvertently altering or overwriting any evidence.

This approach guarantees that the most volatile and critical evidence is secured first, minimizing the risk of data loss as the evidence collection process continues.