=== Volatile data ===

Volatile data is stored in memory or in transit and is lost when the computer is powered down. It resides in locations such as registries, cache, and RAM. The investigation of volatile data is referred to as "live forensics."

When seizing evidence, if a machine is still active, volatile data stored solely in [[Random access memory|RAM]] may be lost if not recovered before shutting down the system. "Live analysis" can be used to recover RAM data (e.g., using Microsoft's [[COFEE]] tool, WinDD, [[WindowsSCOPE]]) before removing the machine. Tools like CaptureGUARD Gateway allow for the acquisition of physical memory from a locked computer.{{Citation needed|reason=Add a source describing which versions of Windows CaptureGUARD can unlock and under which circumstances.|date=December 2020}}

RAM data can sometimes be recovered after power loss, as the electrical charge in memory cells dissipates slowly. Techniques like the [[cold boot attack]] exploit this property. Lower temperatures and higher voltages increase the chance of recovery, but it is often impractical to implement these techniques in field investigations.

Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of evidence. In some cases, a live desktop can be transported using tools like a [[mouse jiggler]] to prevent sleep mode and an [[uninterruptible power supply]] (UPS) to maintain power. Page files from file systems with journaling features, such as [[NTFS]] and [[ReiserFS]], can also be reassembled to recover RAM data stored during system operation.