Define volatile data and its relevance in live digital investigations.

• A. Data stored on disks that never changes; it provides stable evidence.
• B. Data that is encrypted at rest and is rarely accessed.
• C. Data that is in memory and temporary (RAM) that can be lost when power is removed; it's time-sensitive.
• D. Data that is stored in cloud backups; it is always accessible.

Answer: (C)

Volatile data is information stored in RAM that only exists while the system is powered on. It can be lost as soon as power is removed, so it must be captured quickly in a live investigation. This data shows the system’s current state: what processes are running, active network connections, files currently open, and memory-resident credentials or encryption keys. Because memory contents can change rapidly or be overwritten, investigators aim to image or collect this volatile data before shutdown to preserve a snapshot of the live activity. Non-volatile data on disk, encrypted at rest, or cloud backups persists beyond power cycles and doesn’t carry the same time-sensitive value for understanding the immediate state of the system.