Volatile data is any data that is temporarily stored and would be lost if power is removed from the device containing it.
A 'live' examination of the device, carried out while it is still powered on, is required in order to include volatile data within any digital forensic investigation.
Volatile data lives principally in random access memory (RAM); traces of it may also survive in temporary cache files and system files on disk.
Volatile Memory and Digital Forensics
Digital forensics involves the examination of two types of storage: persistent data and volatile data.
Persistent data is retained even when the device is switched off (for example on a hard drive or memory card). Volatile data is most often found within the RAM (Random Access Memory) of a device and is lost when the device is switched off.
Volatile data is often not stored anywhere else on the device (within persistent storage) and, once lost, is unlikely to be recoverable. This is the main difference between the two data sources: persistent data can be recovered, even after deletion, until it is overwritten by new data.
Volatile Data Recovery
Whilst volatile data itself is lost when the device is powered off, it may still be possible to retrieve parts of it from files stored on persistent memory.
For example, the pagefile.sys file on a Windows computer is used by the operating system as an overflow area for RAM: when memory begins to fill up, the memory manager moves pages that have not been used recently out of RAM and into the page file on the hard drive, and brings them back when they are needed again. A related file, hiberfil.sys, holds a copy of the contents of RAM written when the computer hibernates, so that the user can be returned to what was active at that point when it is powered on again.
RAM is faster for the system to read than a hard drive, so the operating system keeps active programs and files in that volatile memory to keep the computer as responsive to the user as possible, and only pages data out to disk when it has to.
Therefore, it may be possible to recover fragments of the files and activity that the user was accessing just before the device was powered off (e.g. when a computer is seized, it is normally switched off prior to removal), but only the portion that the system had already transferred from volatile to persistent memory. Whatever was still held only in RAM at the moment of power-off is gone.
Generally speaking, though, where data is required from volatile memory it is important to keep the device switched on so that the memory can be retrieved in a forensically sound manner.
It is therefore important that informed decisions about the handling of a device are made before any action is taken with it.
For example, if a computer is simply switched off (which was previously the best-practice advice for such a device), a significant amount of information held in volatile RAM may be lost and unrecoverable.
The Importance of Volatile Memory
Because of the amount of data now held in volatile memory on computers and mobile phones, it is increasingly important to attempt to preserve it so that it can be copied and examined along with the persistent data that is normally included within a forensic examination.
Volatile data can provide evidence of system or Internet activity which may help to establish illegal activity or, for example, whether particular files or an external device were being accessed on a given date, which can be decisive in cases involving data theft.
It can also provide evidence of email activity within a web-based email account that is not normally stored permanently on the device (e.g. Hotmail or Gmail accessed through a browser), or of social media activity such as Facebook messaging, which is likewise normally held only in volatile memory while the session is open.
Volatile memory can also hold the last unsaved actions taken with a document, including whether it had been edited or printed without being saved.
The acquisition of persistent memory has formed the basis of the main evidence in civil and criminal cases since the inception of digital forensics. However, given the amount of RAM now fitted to devices, volatile memory can also contain significant evidence and is often the best record of the most recent activity conducted by the user.
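The artefacts described above (URLs, webmail addresses, paths to files and external devices) can be pulled out of a memory capture by carving printable strings and matching them against patterns; the same carving works on a pagefile.sys copied out of a disk image, as discussed under Volatile Data Recovery, because paged-out memory is written there uncompressed. The following is an added example written for this page, not code from Athena Forensics or from any forensic tool: it carves ASCII and UTF-16LE strings (Windows keeps most of its text in memory as UTF-16LE) from a raw image and reports each URL, email address and Windows file path with its byte offset. The image bytes are constructed inline for the demonstration, and the MIN_LEN threshold and the regular expressions are the author's own illustrative choices.

```python
"""Carve ASCII and UTF-16LE strings from a raw memory image and flag artefacts
that speak to recent user activity: URLs, e-mail addresses and file paths.

Added example for this article, not code from Athena Forensics. It operates on
a byte string, so the same function can be pointed at a raw RAM capture or at a
pagefile.sys copied out of a disk image. (hiberfil.sys is stored compressed and
must be expanded before carving will find much.)"""
import re
from dataclasses import dataclass

MIN_LEN = 6  # shortest run of printable characters treated as a string (assumption)

# Runs of printable ASCII, and runs of printable ASCII interleaved with NUL,
# which is what Windows' native UTF-16LE strings look like in memory.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Artefact patterns applied to each decoded string (illustrative, not exhaustive).
PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w.\-/?=&%]*)?"),
    "email": re.compile(r"[\w.+\-]+@[\w\-]+(?:\.[\w\-]+)+"),
    "path": re.compile(r"[A-Za-z]:\\[\w.\\ \-]+"),
}


@dataclass(frozen=True)
class Hit:
    offset: int    # byte offset of the artefact within the image
    encoding: str  # "ascii" or "utf-16le"
    kind: str      # key from PATTERNS
    value: str


def carve_strings(image: bytes):
    """Yield (offset, encoding, bytes_per_char, text) for every printable run."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", 1, m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", 2, m.group().decode("utf-16le")


def find_artefacts(image: bytes) -> list[Hit]:
    """Carve strings, match each against PATTERNS, and return hits sorted by offset."""
    hits = []
    for start, encoding, width, text in carve_strings(image):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # A UTF-16LE character occupies two bytes, so scale the in-string offset.
                hits.append(Hit(start + width * m.start(), encoding, kind, m.group()))
    return sorted(hits, key=lambda h: h.offset)


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: junk bytes around a few artefacts
    a browser and a webmail session might leave behind in RAM."""
    junk = b"\x00\xff\x10\x80" * 16  # contains no printable runs, so nothing is carved
    return b"".join([
        junk,
        b"GET /inbox?view=unread HTTP/1.1\r\nHost: mail.example.com\r\n",  # no artefact: no scheme, no @
        junk,
        "https://mail.example.com/inbox?view=unread".encode("utf-16le"),
        junk,
        b"From: alice@example.com\x00To: bob@example.net\x00",
        junk,
        "E:\\Reports\\client-list.xlsx".encode("utf-16le"),  # file opened from an external drive
        junk,
    ])


def report(hits: list[Hit]) -> list[str]:
    """Render hits one per line, suitable for pasting into an examiner's notes."""
    return [f"0x{h.offset:08x} {h.encoding:<8} {h.kind:<5} {h.value}" for h in hits]


if __name__ == "__main__":
    for line in report(find_artefacts(build_sample_image())):
        print(line)
```

On a real capture, feed `find_artefacts` the bytes of the image (or the extracted pagefile.sys) and treat the offsets as the starting point for context: what sits near a carved URL or path is often the process or document it belonged to. The patterns are deliberately narrow; widen them for a case, but keep the UTF-16LE pass, since dropping it loses most Windows-native strings.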
Where the last activity of the user is important in a case or investigation, efforts should be made to ensure that data within volatile memory is considered, and this is only possible while the device is left switched on.
No other actions should be taken with the device, as any interaction (opening programs, browsing files, logging in or out) alters the contents of RAM and may overwrite or lose volatile data.
You should also consult a digital forensic specialist who can capture the memory containing volatile data in the most suitable way, using a tool with a small memory footprint, so that the data is not damaged, lost or altered any more than the capture itself unavoidably requires.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance including in the examination of volatile data then please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our clients' confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.