Explain the order of volatility and why it drives the sequence of evidence collection in DFIR.
Short answer
Order of volatility ranks evidence by how fast it vanishes, so you collect the most fragile first. Roughly: CPU registers/cache, then RAM and running state (processes, network connections, ARP), then temporary/swap files, then disk, then remote logging and monitoring data, and finally archival media and backups. You also work on forensic copies, hash them, and keep a chain of custody so evidence stays admissible.
When you arrive at a compromised host, the clock is already running on the evidence. The order of volatility (codified in RFC 3227) tells you to gather the data that disappears fastest first, so a careless reboot or shutdown does not erase the most valuable artifacts. Interviewers ask this to confirm you handle evidence methodically and understand what is lost when.
Most volatile to least
- CPU registers, cache — gone in microseconds; rarely collected directly.
- RAM and running state — live processes, open network connections, ARP cache, logged-on users, and injected/fileless malware and encryption keys that exist only in memory. This is why memory capture comes early.
- Temporary files / swap / pagefile — transient but on disk.
- Disk — the persistent file system; survives reboots but can be wiped or overwritten.
- Remote logging and monitoring data — SIEM, NetFlow, off-host logs.
- Archival media and backups — the most durable, collected last.
The key insight: memory before disk, disk before backups. Powering a box off to "preserve" it actually destroys the volatile tier — which is often where the real evidence of an active intrusion lives.
Doing it defensibly
Volatility order is only half the job. Work on forensic copies, not originals; compute and record cryptographic hashes before and after imaging to prove integrity; use write blockers for disks; and maintain an unbroken chain of custody documenting who handled each item, when, and why. Without that, evidence may be inadmissible.
Why this matters
A strong answer recites the rough sequence (registers → RAM/network → swap → disk → logs → backups), explains that shutting down loses the most fragile data, and pairs it with hashing and chain of custody. That shows you can preserve evidence under pressure in a way that holds up later.
Likely follow-ups
- Why might powering off a machine destroy the most valuable evidence?
- What is chain of custody and why does it matter for admissibility?
- How do you preserve integrity when imaging a live disk?