3.4 What is Volatile Data?

Definition: Any data stored in system memory that will be lost when the machine loses power or is shut down.
Location: Registers, cache, and RAM (this module focuses on RAM).

Volatile data is stored in system memory (e.g., system registers, cache, RAM) and is lost if the machine loses its power, is shut down, or rebooted. Volatile data collection focuses on collecting data (primarily from RAM) that could be lost if the computer is shut down or rebooted. Volatile data should be collected if you are not sure why a computer is acting abnormally, if you notice suspicious user activity or if you have been alerted that a rule or policy has been violated such as firewall or IDS alert. In any case, the first response to a computer security incident should be to collect volatile data and analyze the results to determine a next course of action.

Persistent data resides in the system's hard drives or other nonvolatile storage devices (e.g., connected USB drives, flash cards, CD-ROMs, and other external hard drives) and is typically not lost when the machine is shut down or rebooted. Generally, persistent data should be collected when it is clear that evidence related to the computer security incident resides in the persistent storage areas.

For both collection strategies, preventing contamination of the suspicious computer is an ongoing issue. For persistent data collection, contamination can be controlled by current techniques, tools, and methodologies. One such tool is dd.exe, a free imaging utility developed by George M. Garner Jr. that has the capability to create a bit-by-bit copy of the suspicious computer's hard drive.

If you create MD5 checksums of the hard drive before and after using a utility like DD, you can compare them and authenticate the copy. For volatile data collection, contamination is harder to control because tools and commands may change file access dates and times, use shared libraries or DLLs, trigger the execution of malicious software (malware), or worst case force a reboot and lose all volatile data. These potential effects should have been uncovered and documented during Module 2's tool testing phase of creating a first responder toolkit.

Obviously, you can not make a bit-by-bit copy of a live computer. But if you use best practices and a first responder toolkit, you can use the collected data and a reproducible methodology to reconstruct a logical representation of the current state of the suspicious system.