Order of Volatility
What is Order of Volatility?
Order of Volatility: The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost.
Order of volatility is a foundational DFIR principle, codified in RFC 3227, that ranks digital evidence by how quickly it changes or disappears. The canonical order is: CPU registers and cache, kernel and process memory, network state and ARP caches, running processes, temporary file systems, persistent storage, remote logging and monitoring data, and finally physical configuration and archival media. Responders must image volatile sources before powering off or rebooting, because RAM, network sessions, and routing state are destroyed at shutdown. Because every collection step itself alters the live system (loading an imaging tool, opening a shell), responders record which tools ran, when, and the hashes of what they produced. In modern Windows incident response this typically means capturing memory with WinPmem or DumpIt and triaging volatile artifacts with KAPE or Velociraptor before any shutdown or disk imaging.
● Examples
1. Acquiring a memory dump and netstat output before unplugging a beaconing host.
2. Collecting current TLS session keys from RAM before encryption keys are wiped on logout.
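As an added example (not from the original page, and not the code of any tool it names), the following PowerShell triage script acquires Windows artifacts in the order described above, most volatile first, and logs a timestamp and SHA-256 hash for every output so the collection itself is documented. The WinPmem path, its command-line form (output file as the only argument) and the output folder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: volatile-first Windows triage following RFC 3227 ordering.
param(
    [string]$OutDir  = "C:\IR\triage_$(Get-Date -Format yyyyMMdd_HHmmss)",   # assumed location
    [string]$WinPmem = "C:\IR\tools\winpmem_mini_x64.exe"                    # assumed tool path
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir "acquisition.log"

# Run a collector, write its output, and record when it ran and what hash it produced.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    $start = Get-Date
    $path  = Join-Path $OutDir "$Name.txt"
    & $Collector 2>&1 | Out-File -FilePath $path -Encoding utf8
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    "$($start.ToString('o'))`t$Name`t$hash" | Add-Content -Path $log
}

# 1. Physical memory first: RAM is the most volatile source we can still reach.
if (Test-Path $WinPmem) {
    $raw = Join-Path $OutDir "physmem.raw"
    $start = Get-Date
    & $WinPmem $raw | Out-Null                      # assumption: output file is the only argument
    $hash = (Get-FileHash -Path $raw -Algorithm SHA256).Hash
    "$($start.ToString('o'))`tphysmem`t$hash" | Add-Content -Path $log
} else {
    "$((Get-Date).ToString('o'))`tphysmem`tSKIPPED: imager not found" | Add-Content -Path $log
}

# 2. Network state: live connections, ARP/neighbor cache, routing table, DNS cache.
Save-Artifact "netconn"  { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | Format-Table -AutoSize }
Save-Artifact "arp"      { Get-NetNeighbor | Format-Table -AutoSize }
Save-Artifact "routes"   { Get-NetRoute | Format-Table -AutoSize }
Save-Artifact "dnscache" { Get-DnsClientCache | Format-Table -AutoSize }

# 3. Process table with parent PIDs and command lines (ties back to OwningProcess above).
Save-Artifact "processes" { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine | Format-Table -AutoSize }

# 4. Logged-on sessions and loaded kernel drivers.
Save-Artifact "sessions" { quser }
Save-Artifact "drivers"  { Get-CimInstance Win32_SystemDriver | Select-Object State, Name, PathName | Format-Table -AutoSize }

# 5. Temporary file listing, the last volatile tier before persistent storage.
Save-Artifact "tempfiles" { Get-ChildItem -Path $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length }

Write-Host "Volatile triage written to $OutDir; hashes in $log"
```

The log lines double as the chain-of-custody record: each entry shows the acquisition time and the hash of the file as it was written, so later changes to the output can be detected.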
● Frequently asked questions
What is Order of Volatility?
The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost. It belongs to the Forensics & IR category of cybersecurity.
What are other names for Order of Volatility?
Common alternative names include: Volatility order, RFC 3227 order.
● Related terms
- pagefile.sys: The Windows virtual-memory swap file on the system volume that can contain fragments of process memory, including credentials, keys, command lines, and decrypted payloads.
- hiberfil.sys: The compressed Windows hibernation file that stores a near-complete snapshot of physical memory at hibernation time, providing forensic access to RAM contents from a powered-off system.
- Amcache.hve: A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- MFT (Master File Table): The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- $UsnJrnl ($J): The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.