Before discussing the volatility of digital evidence, it is important first to define the term volatility. By definition, volatility denotes the tendency of something to change, take another form, or disappear (Casey, 2010). The word is most common in the stock exchange markets across the world. In computer science, or information and communication technology, volatility of digital evidence refers to the tendency of some pieces of computer forensic evidence to disappear after some time. For this reason, forensic investigators should take the order of volatility of digital evidence into account when conducting investigations, and take a keen interest in the evidence that is most likely to disappear before the process is complete. Volatile data is another name for forensic evidence that can easily disappear. This memo explains the basis of volatile data and the volatility of digital evidence, its nature, and its form.
Today, the world faces a multitude of cases that require digital evidence. According to the Federal Bureau of Investigation (FBI), the number of cases that call for forensic evidence is three times what it was two decades ago (Casey, 2010). The FBI advises that, when conducting a forensic investigation on computers, investigators should always start with the volatile items. After collecting evidence from the volatile elements, the investigators should shift focus and assemble important information from less volatile points. The FBI gives a list of about seven volatile elements in a computer system (Casey, 2010): registers, disk physical configuration, cache, routing table, process table, ARP cache, memory, kernel statistics, temporary file systems, network topology, and archival media (Casey, 2010). The success of a forensic investigation depends on the ability of the investigators to get information from these elements.
Registers and cache are vital volatile elements that need keen consideration when conducting forensic investigations on computer systems (Watson & Jones, 2013). Caches and registers exchange large volumes of data within short periods, hence their high volatility. The information in the cache and registers is constantly changing, which makes it difficult for investigators to get hold of important data when conducting forensic investigations (Watson & Jones, 2013). Literally, the CPU cache and the registers can lose information in a matter of nanoseconds. When conducting investigations, the investigators should always ensure that they get the information from these elements quickly, lest they risk missing it.
The routing table, process table, memory, kernel statistics, and the ARP cache are other key elements in digital investigations. These elements can lose important information and data within a short time, and the investigators need to move with speed when seeking to extract pieces of evidence from them (Watson & Jones, 2013). The routing table and the process table hold their data and information in the network devices. This data and information changes rapidly, and investigators need to act promptly to capture proof or evidence during a forensic investigation (Watson & Jones, 2013). Similarly, the kernel statistics rapidly move back and forth between the main memory and the cache, making them extremely volatile. In such a case, forensic investigators must move swiftly to capture data in the kernel statistics. The information held in the random access memory (RAM) depends heavily on the connectivity of the computer to power. If the power goes out and the computer switches off, the RAM loses its data and information (Watson & Jones, 2013). This further explains why forensic investigators need to grab evidence from the RAM quickly before going to other elements. If the investigators fail to extract evidence from the RAM fast, they risk losing it altogether.
The rate of volatility, however, is not homogeneous across computer hardware devices; some of the elements are less volatile than others (Shimeall & Spring, 2014). For example, temporary file systems are not as highly volatile as the CPU cache and the registers. The speed with which an investigator rushes to get information from such systems need not be as great as that used when extracting evidence from other elements such as the kernel statistics and the RAM (Shimeall & Spring, 2014). However, this should not make investigators ignore the need to act with urgency when retrieving evidence from temporary file systems.
Network topology and physical configuration are other less volatile elements from which investigators should retrieve information, even though they do not hold the crucial data in a forensic case. The network topology and the physical configuration of the system provide forensic investigators with an amount of information that they could use to prove a case in the courts (Shimeall & Spring, 2014). For this reason, investigators should also endeavor to get as much information and data as they can from the network topology and the physical configuration. In addition to the network topology and physical configuration of the system, investigators should also assess the information in remote logging.
Therefore, in short, the volatility of digital evidence is the tendency of computer systems to lose information and data easily. Volatile data is another name for data that easily disappears from the system itself. For this reason, the order of volatility requires that, during investigations, investigators pay attention to volatile data. They should always begin their investigations by retrieving useful information from the highly volatile elements in computer systems, such as the CPU cache, the registers, and the kernel statistics. This is important to prevent losing data during a digital investigation. The order of volatility argues that the most transient evidence should always come first.
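The order of volatility described above can be turned into a live-response collector that acquires each element in the memo's sequence and records when it was captured and its hash. The following is an added example, not part of the memo or its cited sources; it assumes a Linux host with procfs, uses /proc/meminfo as a stand-in for a full memory image, and uses a manifest layout of its own design.

```python
import hashlib
import json
import time
from pathlib import Path

def _proc_table():
    """One line per PID (pid and command name), read straight from procfs."""
    rows = []
    for p in Path("/proc").glob("[0-9]*"):
        try:
            rows.append((int(p.name), (p / "comm").read_text().strip()))
        except OSError:
            pass  # process exited between listing and read: normal on a live host
    return "\n".join(f"{pid} {comm}" for pid, comm in sorted(rows))

# Acquisition order, most volatile first, in the sequence the memo lists. A source is None
# (registers/cache: not readable from user space, so recorded rather than skipped), a
# procfs path, or a callable. /proc/meminfo stands in for "memory"; a full RAM image
# needs a dedicated acquisition tool. Paths are assumed Linux procfs locations.
VOLATILITY_ORDER = (
    ("registers_cache", None),
    ("routing_table", "/proc/net/route"),
    ("arp_cache", "/proc/net/arp"),
    ("process_table", _proc_table),
    ("memory", "/proc/meminfo"),
    ("kernel_statistics", "/proc/stat"),
    ("temporary_file_systems", "/proc/mounts"),
    ("network_topology", "/proc/net/dev"),
    ("archival_media", "/proc/partitions"),
)

def collect(dest_dir, order=VOLATILITY_ORDER, clock=time.time):
    """Capture each artifact in order, hash it, and return the manifest (also written to disk)."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    start, manifest = clock(), []
    for name, source in order:
        # offset_s documents how long after the start of collection each element was taken
        entry = {"artifact": name, "offset_s": round(clock() - start, 3)}
        try:
            data = None if source is None else (source() if callable(source)
                                                else Path(source).read_text(errors="replace"))
        except OSError as exc:  # e.g. not a Linux host: record the gap and keep going
            data, entry["error"] = None, str(exc)
        if data is None:
            entry["status"] = "not_collectable"
        else:  # write the capture, then hash it so the copy can be verified later
            (dest / f"{name}.txt").write_text(data)
            entry.update(status="collected", sha256=hashlib.sha256(data.encode()).hexdigest())
        manifest.append(entry)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest
```

Running `collect("/mnt/evidence/host01")` on the live host writes one text file per element plus `manifest.json`; the manifest's offsets show the most transient elements were taken first, and the hashes let the copies be verified later.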
- Casey, E. (2010). Digital evidence and computer crime: Forensic science, computers and the Internet. London: Academic.
- Shimeall, T., & Spring, J. M. (2014). Introduction to information security: A strategic-based approach.
- Watson, D., & Jones, A. (2013). Digital forensics processing and procedures: Meeting the requirements of ISO 17020, ISO 17025, ISO 27001 and best practice requirements. Amsterdam: Syngress.