Friday, June 22, 2007

On Volatility...and ESI

I've been doing a little reading recently on Criminalistics and Criminal Profiling and for one reason or another I started thinking about volatility. This is also a response to Harlan's post on RAM.

What is volatility?
In short it's a measurement of change over a given amount of time. The more volatile something is, the more dramatic the change over a shorter amount of time. It's also a measure of how prone a substance is to disturbance.

When it comes to Digital Forensics we often hear about and refer to the Order of Volatility. The OOV is pretty straight forward - the more volatile the source of data is, the higher the priority it is for collection. Something to understand is that given time and disturbance everything becomes volatile. There is no such thing as non-volatile data. There is highly volatile and less volatile data. RAM is highly volatile and everything else is considered less volatile. Therefore all data, RAM included is or should be considered ESI. It's simply a matter of crafting the proper request.

Given this interpretation of data volatility - that it's all volatile would indicate that RAM is and should be considered ESI. However, as Harlan points out, there are no more free tools to collect the contents of memory - I'd add that this is only for newer operating systems. Does this equate to an undue burden on the producing party? In my opinion yes. If one has to purchase a special product in order to produce, then that's an undue burden and the requesting party should be the one to provide the tool(s).

2 comments:

Keydet89 said...

Therefore all data, RAM included is or should be considered ESI.

What's "ESI"?

...I'd add that this is only for newer operating systems.

This goes all the way back to Windows 2000...the freeware version of dd.exe no longer supports the Physical Memory object, as the author has removed it.

hogfly said...

What's "ESI"?

Sorry, Electronically Stored Information.

This goes all the way back to Windows 2000...
I stand corrected, but will what's already distributed (in helix, and other places) be affected by this?