What is volatile data

What exactly is volatile data? When recovering data and information from computers or mobile phones or indeed other forms of media devices, data can be retrieved mainly from two types of data sources. The two most common data sources used are often persistent data sources, that is information stored on hard drives most commonly and also volatile data sources, which can be found on (RAM) which stands for random access memory.

What is important to note is that often there is a preconception this data that you are requiring to be retrieved from a computer or a device within the volatile storage memory is automatically recorded by the device in its long-term memory banks, this is not true!

It is often thought therefore that this volatile data can be recovered even when disconnected from a power source. Volatile data is quite different in that the data stored within this memory type can be lost completely, when a computer or mobile device loses its power source or is turned off.

I need information recovered from a volatile data source, how should I proceed?

Often mobile devices such as smart-phones and laptops can contain information to help piece together evidence or to allow a more informed decision to be made that’s once such data has been retrieved from the internal memory. It is therefore important that such devices where data is to be extracted from locations of volatile data, that these devices are charged or kept connected to a continuous power source, until a professional obtains the required information. For example when a computer is powered down it can lose this vital information in it’s volatile form and all the key information held within, and this is often lost for good! Such volatile data that could be lost upon removal of a device from disconnecting power could be important data in some cases, which should not be discounted as non-important or not of relevance as it often can be crucial in terms of proving an assumption held.

Such data could tell you for example if the computer was connected directly to a removable storage device for example. This information may possibly help towards detection of possible company data theft that you suspect may be happening within your organisation.

So volatile storage is a form of temporary memory, do I really need to worry about this area in terms of capturing information when I am gathering evidence normally?

Surely this information is not as important as what is contained on the hard-drive or non-volatile memory sources?

This will be determined by how thorough and how much information you which to capture from the media device or computer as a whole, and how much of a complete picture you wish to build up. For example in a forensic investigation the lead up to an event and the information stored within the volatile memory it-self will be of great importance and may hold information that is key in terms of determining an outcome. What is for sure is that volatile memory can contain some evidence in terms of the most up-to-date activities of a user of that device, or the more current activities on a smart-phone or on other computer device for example. For example, phone call logs, e-mails sent on web based browsers sometimes can be retrieved.

Therefore information stored in temporary cache files or information within current working documents, not currently saved to the computers hard disks, may prove vital for example in proving what information you are seeking to obtain evidence for. Whether it be an employment tribunal or just looking to get more data to make an informed decision then the volatile data may help you, so don’t lose it!

What type of information is stored in the temporary memory or volatile memory sources can you be more exact?

If you can imagine a computer device operates somewhat in the same way as our human memory does. Certain ingrained and important information stays in our long-term memory banks, which can be considered the same for the storage of information on a hard disk in a computer device for example. Our less important and less vital information such as our weekly shopping list is quickly forgotten after memorising, and this is the same way random access memory on your computer works to a certain extent.

Although that short-term memory area can prove indicative and important when putting the pieces of the jigsaw puzzle together in terms of finding information you need sometimes. Therefore the volatile memory is a short-term memory source, and needs a power source in order to keep that information alive, before it diminishes from the memory completely. This could mean temporary information such as clipboard contents of current work items on a computer, surfing habits in terms of live websites, and information of removable storage use on that device that may have been connected to your computer for example can sometimes be found.

Is all random access memory (RAM) on computer devices and mobile phones viewed as volatile data? Often tasks and activities that are not saved within the local hard disk or remote or supplementary hard-disks i.e external hard-disks or a web-based cloud which is often considered the more permanent storage locations or on a form of flash memory for example on mobile devices, anything falling outside of that is normally volatile memory.

If a process is carried out that is not captured on these more permanent areas mentioned through saving data, then this data is indeed often considered volatile data. This means that in the majority of cases that active tasks that are not saved or recorded are often volatile memory forms and are therefore stored on random access memory types. Here are some takeaway tips to remember if you wish to recover information that you feel may be stored on volatile memory sources.

1. Keep a smart phone or mobile device or a computer connected to a power source until retrieval of data has taken place.

2. Consult and solicit the expertise of a data recovery specialist in your area.

3. Minimise your endeavours to find information yourself, if you have little expertise in forensic data recovery, as this could disrupt the data sources and the preservation of such data.

Cyber Security

Find out how you can strengthen your cyber security. Call us today for advice on how to protect your information systems.

+44(0) 29 2010 0982