The Industrial Control System (ICS) Computer Emergency Response Team (CERT) has released an alert regarding ICS-focused malware specifically propagating through Windows-based business networks.
Technicians at a local water utility note that their dams, canals, and locks controlled by an internal Supervisory Control and Data Acquisition (SCADA) system have been malfunctioning. A digital forensics professional is consulted in the Incident Response (IR) and recovery. Which of the following is the MOST challenging aspect of this investigation?
Correct Answer: C
The volatility of data refers to the degree to which data can be lost or altered due to various factors, such as power loss, hardware failure, software error, or human intervention. In a digital forensics investigation, the volatility of data poses a challenge because it requires the investigator to follow a specific order of volatility when collecting and preserving evidence. The order of volatility is based on the principle that the most volatile data should be collected first, before it is overwritten or destroyed by less volatile data. The order of volatility typically includes the following types of data, from most volatile to least volatile: registers, cache, random access memory (RAM), routing tables, kernel statistics, process tables, network connections, executable files, swap files, hard disk, remote logging and monitoring data, physical configuration, network topology, archival media3 . References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 693; [CISSP CBK, Fifth Edition, Chapter 8, page 1049].