Exam SY0-501 topic 1 question 801 discussion

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vm_admin.doc/GUID-38F4D574-ADE7-4B80-AEAB-7EC502A379F4.html When you take a snapshot, you capture the state of the virtual machine settings and the virtual disk. If you are taking a memory snapshot, you also capture the memory state of the virtual machine. These states are saved to files that reside with the virtual machine's base files.

If a headless virtual host is COMPROMISED, Snapshot allows to create a copy quickly and obtain the digital info.

This link will tell you why ram is the answer not snapshot

Watch out The question is asking you which type of digital device is the most perishable in case of investigating a computer crime taking in to consideration of power outage or some type of disaster that could damage or cause data loss. The the first data that is perishable is data on memory , caches, ruter table. Second less volatile is data in virtual memory so the ANSWER IS D RAM Order of Volatility Summary First responders need to understand the order of volatility, to ensure they protect any potential evidence. The most volatile data includes data in CPU registers, caches, and memory. It is lost if the computer is rebooted. Virtual memory (a swap file) is stored on a disk drive, but is rebuilt when the computer is rebooted. For the CFR exam, Network cache is on about the same level of volatility as a virtual memory. Data on disk drives will stay there, often even after a user attempts to delete it. Backups on tapes and optical discs are have a very low level of volatility. Similarly, remote logs have a very low level of volatility.

Headless virtualization host is a bare metal hypervisor (https://wiki.msp.exchange/faq/create_headless_virutalbox_vhost). Capturing volatile memory is frought with problems (http://www.syssec-project.eu/m/page-media/3/raid13_graziano.pdf). Since capturing volatile memory is an issue within virtualization, the correct answer is capture a snapshot. Virtual memory and RAM, while sound good for order of volatility, don't work for us on a virtual host.

Headless mode means that the virtual machine is running in the background without any foreground elements visible (like the Vmware Fusion application) You would have no screen to see running the front end; i.e. the screen/console would not be visible, even though the operating system is running, and would typically have to access the machine via SSH. From stackoverflow......

The given answer is correct..... With the snapshots, the responder can save the state of the virtual machine for later use and thus this will have all the information even when the system is not running. The snapshots which are taken backup will have the detailed operation of the virtual host.

You cannot snapshot the virtual host, you snapshot the virtual clients. The Virtual Host is the system that HOSTS the Virtual CLIENTS. I think the correct answer is D. RAM, and C. Snapshop is there to trip you up. "There are different kinds of hypervisors. The hypervisor that we’ve seen so far is a type 2 hypervisor. This is one that runs on top of an existing host operating system. So this is a hypervisor that would run in Windows, in Mac OS, or on the Linux desktop." https://www.professormesser.com/security-plus/sy0-501/virtualization-overview/

I thought the data should be collected according to the order of volatility. Wouldn't (D) RAM be correct?