Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?
Best practices suggest that live response should follow the order of volatility, which means collecting the data that is changing most rapidly first. The order of volatility is:
Memory
Swap or page file
Network status and current/recent network connections
Running processes
Open files