If you’re to plan on taking the CyberSec first Responder (CFR) exam, girlfriend should know order that volatility. For example, have the right to you price this question?

Q. Consider the following computer elements that can contain data offered for digital forensics.

You are watching: An example of volatile data is __________.

PrintoutCPU cacheSSDVirtual memory

Which that the following accurately identify the exactly order of volatility from many volatile to least volatile?

A. Printout, CPU cache, SSD, virtual memory

B. CPU cache, printout, virtual memory, SSD

C. SSD, digital memory, printout, CPU cache

D. CPU cache, online memory, SSD, printout

More, perform you understand why the exactly answer is correct and also the not correct answers room incorrect? The answer and explanation is accessible at the finish of this post.


Order of Volatility

In forensics, order of volatility refers to the bespeak in which you have to collect evidence. Extremely volatile data is conveniently lost, such as data in memory once you revolve off a computer. Less volatile data, such as printouts, is fairly permanent and the the very least volatile. The following graphic mirrors the stimulate of volatility from many volatile to least volatile.


Domain 10 of the CyberSec first Responder objectives (Investigating Cybersecurity Incidents) specifically mentions securely collecting digital evidence. This is very important principle for very first responders. There is no the appropriate knowledge, they have the right to easily destroy potential evidence.

If you take it the Security+ exam, this need to be familiar. However, that is so vital you’ll discover it repetitive in almost any IT security certification exam.

Caches and also Registers

Data in storage is the many volatile. This contains data in main processor unit (CPU) registers, caches, and system random accessibility memory (RAM).

The data in cache and also CPU registers is the many volatile, mostly due to the fact that the storage room is for this reason small. Just by performing actions with the computer, you deserve to flush the data the end of this space. Data in memory will likely stay over there longer.

However, if you power under the computer, you will lose all the data in registers, CPU caches, and RAM.

Virtual Memory

Virtual storage is likewise known as a swap file or a paging file. That is a file stored top top the mechanism disk journey and extends the amount of RAM available to a computer. Due to the fact that it is top top the disk drive, that is much less volatile 보다 RAM and won’t have to be lost if the computer system is rotate off.

However, the swap file is rebuilt once the computer is powered back on. In other words, if you reboot the computer, you lose the online memory.

Disk Drives

Data files stored on disk drives will stay there until actions are required to erase them, or the disk journey fails. This includes classic hard disc drives, speed drives, and solid state drives (SSDs). It’s worth mentioning that also when individuals delete files, forensic tools can retrieve lock in plenty of situations.

Backups and also Printouts

Data stored on backups or printouts space the the very least volatile. This includes traditional backup methods such together magnetic tapes and other methods such together optical discs.

What about Remote Network Data?

Remote network data is outside to the computer system of interest. The can incorporate items such as network cache and remote logs.

Network cache is data stored on a system easily accessible by computer systems in the network. For example, a proxy server consists of cached net pages that have the right to be served to a computer system without retrieving the from the net again. This have the right to be advantageous if you want to view exactly what the user viewed.

Even though the network cache is no stored on the device computer, it is volatile and also won’t continue to be on the network computer forever. For the CFR exam, you have the right to think the network cache at around the very same level of volatility as online memory. It is much less volatile than ram on the mechanism computer, but more volatile than classic data stored on disk drives.

The adhering to graphic mirrors the relative volatility of network cache and also remote logs, when contrasted to other facets referenced in the CFR exam.


Remote logs are any type of logs save on far systems. This has logs top top firewalls, intrusion detection systems, and also proxy servers. Because that comparison, a proxy server log will show the URL the a website the a user visited, but the proxy cache will certainly contain the precise page as it looked once the user checked out it.

Of course, logs don’t look specifically like they’re stood for in the graphic. However, see the logs top top fire provides a an excellent reminder the nothing is fully non-volatile. It’s still essential to create forensically sound copies, and protect all gathered data.

Order of Volatility Summary

First responders need to know the stimulate of volatility, come ensure castle protect any kind of potential evidence. The most volatile data includes data in CPU registers, caches, and memory. That is shed if the computer system is rebooted. Digital memory (a swap file) is save on computer on a disk drive, but is rebuilt as soon as the computer system is rebooted. Because that the CFR exam, Network cache is on about the exact same level that volatility together a online memory. Data top top disk cd driver will stay there, often even after a user attempts come delete it. Backups on tapes and also optical discs are have a very low level of volatility. Similarly, remote logs have a an extremely low level that volatility.

Q. Consider the following computer facets that have the right to contain data supplied for digital forensics.

PrintoutCPU cacheSSDVirtual memory

Which of the complying with accurately identifies the correct order of volatility from many volatile to the very least volatile?

A. Printout, CPU cache, SSD, virtual memory

B. CPU cache, printout, virtual memory, SSD

C. SSD, digital memory, printout, CPU cache

D. CPU cache, virtual memory, SSD, printout

Answer is D. The exactly order from most volatile to the very least volatile is central processor unit (CPU) cache, online memory (a file on the tough drive), hard state drive (SSD), and a printout.

A printout is semi-permanent (unless it’s melted or shredded) so that is the the very least volatile making every one of the other answers incorrect.

Check out this short article for more information around the CyberSec an initial Responder exam.

See more: How Long Is A Frozen Turkey Breast Good For Over A, How Long Can A Turkey Be Stored

This post papers my suffer taking and passing the CyberSec first Responder Exam. It also includes simple steps you can take to examine for and pass this exam.