Thursday, November 1, 2012

Volatile sources of forensic evidence on Windows-based systems.

When collecting evidence you should proceed from the volatile to the less volatile. Here is an example order of volatility for a typical

   -  registers, cache
   -  routing table, arp cache, process table, kernel statistics,
   -  temporary file systems
   -  disk
   -  remote logging and monitoring data that is relevant to the system in question
   -  physical configuration, network topology
   -  archival media
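As an added example (not part of the original post), the following PowerShell script walks the order above on a Windows host: it captures the most volatile items first (ARP cache, routing table, connections, process table, kernel statistics), then temporary-file metadata, then disk layout, and writes a SHA-256 manifest with UTC timestamps so the collection itself can be verified later. It assumes PowerShell 5.1 or later on Windows 8/Server 2012 or newer, an elevated session, and a hypothetical evidence destination `E:\Evidence` on removable media.

```powershell
# Added example: acquire volatile Windows artifacts in order of volatility,
# most volatile first, and record a hash manifest of what was captured and when.
# Registers and CPU cache cannot be read from a shell, so collection starts at
# the network/process layer. $Dest is a hypothetical evidence path (assumption).
param([string]$Dest = 'E:\Evidence')

$case = Join-Path $Dest ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime())
New-Item -ItemType Directory -Path $case -Force | Out-Null
$manifest = Join-Path $case 'manifest.csv'

# Each step writes one CSV and appends its UTC start time and SHA-256 to the manifest,
# so an analyst can show the order and time of acquisition and detect later tampering.
function Collect([string]$Name, [scriptblock]$Cmd) {
    $out   = Join-Path $case "$Name.csv"
    $start = (Get-Date).ToUniversalTime().ToString('o')
    try {
        & $Cmd | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
        $hash   = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
        $status = 'ok'
    } catch {
        $hash = ''; $status = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Step = $Name; StartUtc = $start; File = $out; Sha256 = $hash; Status = $status } |
        Export-Csv -Path $manifest -NoTypeInformation -Append
}

# 1. Most volatile: network state and the process table change by the second.
Collect 'arp_cache'       { Get-NetNeighbor | Select-Object ifIndex, IPAddress, LinkLayerAddress, State }
Collect 'routing_table'   { Get-NetRoute    | Select-Object ifIndex, DestinationPrefix, NextHop, RouteMetric }
Collect 'tcp_connections' { Get-NetTCPConnection |
                            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
Collect 'process_table'   { Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, StartTime, UserName }
Collect 'kernel_stats'    { Get-CimInstance Win32_OperatingSystem |
                            Select-Object LastBootUpTime, FreePhysicalMemory, TotalVisibleMemorySize }

# 2. Less volatile: temporary file systems (metadata only; file copies come later).
Collect 'temp_files' { Get-ChildItem -Path $env:TEMP, "$env:SystemRoot\Temp" -Recurse -Force -ErrorAction SilentlyContinue |
                       Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc }

# 3. Least volatile of the live items: disk layout, recorded last because it will not change while we work.
Collect 'disks' { Get-CimInstance Win32_LogicalDisk | Select-Object DeviceID, FileSystem, Size, FreeSpace, VolumeSerialNumber }

Write-Output "Evidence written to $case; manifest: $manifest"
```

Run it from an elevated console (`Get-Process -IncludeUserName` needs administrator rights); a failed step is recorded in the manifest with its error rather than aborting the remaining, less volatile steps.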

