Volatile data vs. data at rest: the requirements of digital forensics

Data residing in the RAM, system, or internal/external peripheral memory. According to RFC 3227 (a master document issued by the Internet Engineering Task Force), these are the first data that should be acquired during a forensic investigation. 1 • Data at rest: Data in the file system. This article will explain in detail how these data are subdivided and discuss system components and event tracking information, such as that found in the various types of log files.

Recent changes to Italian legislation, following the enactment of the Budapest Convention on Cybercrime, and the federal rules for the management of digital evidence in American civil law (which are sure to have an impact in Europe), demand regulatory measures to address at least two points. 2 The first concerns preservation, or maintenance of the integrity of original data and making faithful copies of the data to be used for analysis purposes. The second concerns the format of presentation and analysis, which relates more to legal users than forensics examiners.