Today’s investigators are beginning to broaden their focus to include both static and volatile disk data because together they can help tell a complete story.
In the context of computer forensics, when most people refer to volatile data in computer systems, they mean only the information held in active physical memory, such as RAM (random access memory), rather than volatile disk data.
As most computer forensics investigators know, even the most secure facility can be compromised, and such compromises often leave traces in, and alter, volatile memory.
The latest and perhaps most effective way for hackers to hide is by using a kernel-mode rootkit (or kernel-mode Trojan).
The second-generation of Windows rootkits that affect volatile ...