B and E
Based on NIST SP 800-86:
Slack Space.
Free Space.
Network Configuration.
Network Connections.
Running Processes.
Open Files.
Login Sessions.
Operating System Time.
"volatile data" does refer to information stored in memory that is lost when the system is powered off or rebooted.
The correct answers are:
B. Login sessions - Login sessions are created and stored in memory while a user is actively logged in. They are considered volatile because they are lost when the system is shut down or restarted.
C. Swap files - Swap files are used by the operating system to temporarily store data from RAM when the physical memory is full. They are also considered volatile because they exist in memory and are lost when the system is powered off or rebooted.
In the context of digital forensics, "volatile data" refers to information that is stored in memory and is lost when the system is powered off or rebooted.
Temporary files (option A) are typically stored on disk, and although they may be deleted after use, they are not considered volatile because they can be recovered during the forensic investigation.
Free space (option E) refers to the unused space on a disk. While it may contain remnants of deleted files, it is not considered volatile because it is not stored in memory and is not lost when the system is rebooted.
Dump files (option D) are not considered volatile data because they are created when the system crashes or an application fails, and they are typically stored on disk.
On the other hand, login sessions and swap files are considered volatile data because they are created and stored in memory, and they are lost when the system is shut down or restarted.
Therefore, B (login sessions) and C (swap files) are the correct answers.
Temporary files, also known as "temp files," are not considered volatile data because they are stored on non-volatile storage devices, such as hard drives or solid-state drives, rather than in RAM. These files are created by the operating system or applications as a way to store data temporarily while a task is being performed, but they are not intended to be kept permanently.
While the contents of temp files can be lost if the system crashes or experiences a power failure, they are still stored on non-volatile storage and are not lost as a result of a simple power-off or reboot of the system.
In comparison, volatile data, such as login sessions and swap files, are stored in RAM, which is a volatile memory, and are lost when power is turned off or the system is rebooted.
Temp file is temporary in existence...
Swap file is a system file that creates temporary storage space on a solid-state drive or hard disk when the system runs low on memory.
That might be true, but the question asks what the "NIST SP 800-86" is referring to.
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-86.pdf
Search for '5.1.2 Volatile Data'; the right answers would be:
Slack Space
Free Space
Network Configuration
Network Connections
Running Processes
Open Files
Login Sessions
Operating System Time
Eng_ahmedyoussef: Highly Voted, 2 years, 3 months ago
RoBery: Most Recent, 1 year ago
Faio: 1 year, 4 months ago
Faio: 1 year, 4 months ago
SecurityGuy: 1 year, 5 months ago
Topsecret: 1 year, 6 months ago
macxwhale: 1 year, 6 months ago
blackmetal: 1 year, 8 months ago
alhamry: 1 year, 9 months ago
drdecker100: 1 year, 12 months ago
wynrox: 2 years, 1 month ago
weganos: 2 years, 1 month ago
Swordfishtaco: 1 year, 7 months ago