CompTIA Security+ (SY0-501) — Question 183
Joe, a member of a digital forensics team, arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must collect the most volatile data first.
Which of the following is the correct order in which Joe should collect the data?
Answer options
- A. CPU cache, paging/swap files, RAM, remote logging data
- B. RAM, CPU cache, remote logging data, paging/swap files
- C. Paging/swap files, CPU cache, RAM, remote logging data
- D. CPU cache, RAM, paging/swap files, remote logging data
Correct answer: D
Explanation
The correct answer is D because CPU cache is the most volatile data that will disappear first when the power is turned off, followed by RAM, then paging/swap files, and finally remote logging data. The other options do not prioritize the most volatile data collection correctly, which could lead to loss of critical evidence.