Which action would be supportive of the concept of volatile data collection as describe in SP 800-86?
- collect memory data first
- collect volatile data after rebooting
- collect malware data
- collect hard drive data first
According to the concept of volatile data collection as covered in NIST 800-86, volatile data, meaning data that is gone after rebooting, should be collected first as it is fragile. Memory data should be collected first.
All volatile data should be collected before, not after, rebooting while it still exists. You should not collect hard drive data first. This is not volatile data. The concept of data does not concern itself with data content, such as malware data. It is only concerned with the volatile data.