DEV Community

TiltedLunar123
Collect the RAM before the disk: the Security+ order-of-volatility question people fail

Here is a scenario that shows up on the SY0-701 exam in different costumes. A server is actively compromised and still running. You can preserve one source of evidence right now, before anything else. Do you image the hard drive, pull the system logs, or capture what is sitting in memory and the live network state?

A lot of people reach for the hard drive. It feels like the serious, thorough choice. On the exam it is usually the wrong one, and the reason is a concept almost nobody studies until they miss a question on it: the order of volatility.

What volatility actually means here

Volatility is just how fast evidence disappears. Some data lives for microseconds. Some sits on a disk for years. When you collect evidence, you work from the most fragile to the most durable, because the fragile stuff is gone the moment the machine reboots, loses power, or even just keeps running.

The standard order, roughly following RFC 3227, looks like this:

  1. CPU registers and cache
  2. Routing table, ARP cache, process table, kernel statistics, and RAM
  3. Temporary file systems and swap space
  4. Data on the hard drive
  5. Remote logging and monitoring data
  6. Physical configuration and network topology
  7. Archival media like backups

Look at where the hard drive lands. It is in the middle, not the front. Everything above it is volatile and will not survive a reboot. The ARP cache, the list of active network connections, the running process table, and the contents of RAM (where modern malware often lives without ever touching disk) all evaporate if you pull the plug or wait too long.

So when the question asks what you collect first on a live system, the answer points at the volatile state: memory, running processes, network connections. The disk image comes after. It feels backwards because we are trained to treat the hard drive as where the real data lives, but a powered-off forensic image cannot tell you which process was beaconing out to a command and control server. RAM can.
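To make the sequence concrete, here is a small planner I wrote for this post (it is not part of the original article or of any tool the post mentions). You hand it the evidence sources a responder might list during a live incident, it classifies each one into the RFC 3227 tier above by keyword, and it returns the acquisition order. Run it again with the host marked as powered off and it reports which sources are simply gone, which is the "pull the cable" trap in code form. The keyword lists and the scenario names are my own assumptions, not a standard.

```python
"""Order-of-volatility collection planner.

Added example for this post, not code from the original. It ranks
candidate evidence sources by the RFC 3227 tiers listed above and emits
the order in which to acquire them. Keyword lists and source names are
assumptions; adjust them to your own runbook.
"""
import re

# RFC 3227 tiers, most volatile first (the seven lines from the post).
# Each tier carries keywords used to classify a free-text source name.
TIERS = [
    (1, "CPU registers and cache", ["register", "cpu cache"]),
    (2, "routing table, ARP cache, process table, kernel statistics, RAM",
     ["routing", "arp", "process", "kernel", "ram", "memory", "connection", "socket"]),
    (3, "temporary file systems and swap space", ["tmp", "temporary", "swap", "pagefile"]),
    (4, "data on the hard drive", ["disk", "drive", "filesystem", "image"]),
    (5, "remote logging and monitoring data", ["siem", "remote log", "monitoring"]),
    (6, "physical configuration and network topology", ["topology", "physical", "cabling"]),
    (7, "archival media such as backups", ["backup", "tape", "archive"]),
]

# Tiers that exist only while the host is running; a power cut destroys them.
VOLATILE_TIERS = {1, 2, 3}


def classify(source):
    """Return the tier number for a source name, or None if no keyword matches.

    When a name matches several tiers (e.g. "memory image" hits both RAM and
    disk keywords), the most volatile tier wins, because treating a volatile
    artefact as durable is the costlier mistake.
    """
    text = source.lower()
    for tier, _label, keywords in TIERS:  # iterates most volatile first
        for kw in keywords:
            if re.search(r"\b" + re.escape(kw) + r"s?\b", text):
                return tier
    return None


def plan_collection(sources, host_running=True):
    """Order sources most volatile first.

    Returns a dict:
      collect      - list of (tier, source) in acquisition order
      lost         - volatile sources that no longer exist if the host is off
      unclassified - names no keyword matched; review them by hand
    """
    collect, lost, unclassified = [], [], []
    for src in sources:
        tier = classify(src)
        if tier is None:
            unclassified.append(src)
        elif not host_running and tier in VOLATILE_TIERS:
            lost.append(src)
        else:
            collect.append((tier, src))
    # list.sort is stable, so sources within one tier keep their input order
    collect.sort(key=lambda item: item[0])
    return {"collect": collect, "lost": lost, "unclassified": unclassified}


if __name__ == "__main__":
    # Constructed scenario: a live server and the evidence sources a
    # responder might list in the first few minutes.
    scenario = [
        "hard drive image",
        "RAM capture",
        "ARP cache",
        "active network connections",
        "syslog forwarded to the SIEM",
        "backup tapes",
    ]
    for state in (True, False):
        result = plan_collection(scenario, host_running=state)
        print("host running" if state else "host powered off")
        for tier, src in result["collect"]:
            print(f"  tier {tier}: {src}")
        if result["lost"]:
            print("  lost to power-off:", ", ".join(result["lost"]))
```

The point of the `host_running=False` branch is the exam trap itself: the disk image, the SIEM logs, and the backups are still there, but the three most useful sources for a live compromise are not.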

Why the exam loves this

Order of volatility is a clean way to test whether you understand evidence handling instead of just reciting a definition. The trap answers always sound reasonable. Imaging the drive is good practice. Pulling logs is good practice. But "first" is the word doing the real work in the stem. Read for it.

A few variations to expect:

  • They describe a live host and ask what you preserve first. The answer is memory and network state, not the disk.
  • They mention pulling the power cable to "preserve evidence." That destroys the most volatile evidence, so it is usually wrong unless the scenario is specifically about stopping active damage, like ransomware encrypting files as you watch.
  • They slip in "make a forensic copy and hash it" and ask why the hash matters. That is about integrity and chain of custody, not volatility, so do not let the forensics setting bait you into the wrong concept.

The two ideas that ride along with it

Two related topics live in the same neighborhood, and the exam will blur them together if you let it.

Chain of custody is the documentation trail: who handled the evidence, when, and what they did with it. It is what keeps the evidence admissible later. Order of volatility is the sequence you collect in. Different concepts, same scenario, and the wording is testing whether you can keep them apart.

Legal hold and provenance round it out. A legal hold preserves data you would otherwise rotate or delete. Provenance is being able to show where a piece of evidence came from and that it was not tampered with. None of those are about which bit you grab first, so when the stem says "first" or "most volatile," you already know it is testing the order, not the paperwork.
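Since the exam likes to blur the hash question into the volatility question, here is what the two ideas from the previous paragraphs look like side by side in code. This is an added example written for this post, not code from the article. It streams an acquired artefact through SHA-256 (integrity), appends a custody entry each time someone handles it (chain of custody), and checks that every entry's hash still matches the one taken at acquisition. The file names, handler names, and the fake memory capture are all constructed.

```python
"""Integrity hash plus chain-of-custody log for an acquired artefact.

Added example, not code from the post. The hash answers "is this still
the same bytes"; the custody log answers "who handled it, when, and
what did they do". Paths and handler names below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(log_path, artefact, handler, action, expected_hash=None):
    """Append one custody entry: who, when, what, and the hash at that moment.

    Every entry re-hashes the artefact, so a mismatch against the hash taken
    at acquisition is visible in the log itself. Returns the entry written.
    """
    current = sha256_file(artefact)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "artefact": os.path.basename(artefact),
        "handler": handler,
        "action": action,
        "sha256": current,
        "matches_acquisition_hash": expected_hash is None or current == expected_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_chain(log_path):
    """True when every entry's hash equals the first (acquisition) hash."""
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    if not entries:
        return False
    baseline = entries[0]["sha256"]
    return all(e["sha256"] == baseline for e in entries)


def demo(tamper=False):
    """Walk a constructed memory capture from acquisition to hand-off.

    With tamper=True one byte is altered between handlers and the chain
    check fails, which is exactly what the hash is there to catch.
    """
    with tempfile.TemporaryDirectory() as tmp:
        capture = os.path.join(tmp, "memdump.raw")  # constructed stand-in for a RAM capture
        log = os.path.join(tmp, "custody.jsonl")
        with open(capture, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"example-process-list\x00" * 8)
        acquired = record_custody(log, capture, "responder-A", "acquired on live host")
        if tamper:
            with open(capture, "r+b") as fh:
                fh.seek(4096)
                fh.write(b"X")
        record_custody(log, capture, "analyst-B", "received for analysis", acquired["sha256"])
        return verify_chain(log)


if __name__ == "__main__":
    print("clean hand-off verifies:", demo())
    print("tampered hand-off verifies:", demo(tamper=True))
```

Notice that nothing in this block cares which artefact you collected first. That is the distinction the stem is probing: the hash and the log protect evidence you already have, while the order of volatility decides whether you get it at all.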

How to lock it in

Do not memorize the seven lines as trivia. Memorize the principle: fragile before durable, memory before disk, live state before stored state. If you can reconstruct why RAM beats the hard drive, you can rebuild the whole order under exam pressure without leaning on flashcard recall.

Then go practice it in scenario form, because that is the only way this sticks. Reading the list once does nothing. Getting a question wrong, reading the explanation, and then nailing the next variation is what moves it into long term memory. I built SecPlus Mastery around exactly that loop for SY0-701, with scenario questions and hands-on labs instead of definition drills, and there is a free diagnostic exam at secplusmastery.com/diagnostic if you want to see which domains are actually solid before you book the test.

Order of volatility is a small topic with an outsized habit of showing up. Learn the principle instead of the list, and the live-system questions stop being traps.
