Cyber Security

OV (Order of Volatility)

The general principle is to capture evidence in the order of volatility, from more volatile to less volatile. RFC 3227 sets out the general order as follows:

  • CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
  • Routing table, ARP cache, process table, kernel statistics.
  • Memory (RAM).
  • Temporary file systems.
  • Disk.
  • Remote logging and monitoring data.
  • Physical configuration and network topology.
  • Archival media.
