During an incident, a forensic analyst needs to preserve volatile data from a live Windows server. Which command should be used first to collect memory and network connection information?
Memory is the most volatile data.
Why this answer
Option C is correct because volatile data, such as the contents of RAM, is lost when the system is powered off. Capturing RAM first preserves critical evidence like running processes, network connections, and encryption keys. Network connection information can be extracted from the memory dump, so a dedicated forensic tool (e.g., FTK Imager, WinPmem) is the priority before any command-line queries that alter system state.
Exam trap
The trap here is that candidates often choose ipconfig or tasklist because they are familiar Windows commands, but they fail to recognize that these commands do not capture the most volatile data (RAM) and can alter the system state, violating the order of volatility.
How to eliminate wrong answers
Option A is wrong because ipconfig /all only displays static network configuration (IP addresses, DNS servers) and does not capture volatile memory or active network connections; it also modifies the system state, if only minimally, and is in any case not the first priority. Option B is wrong because tasklist /v lists running processes but does not capture memory contents or network connections, and it can alter the state of the system by interacting with the process list. Option D is wrong because performing a clean shutdown destroys all volatile data in RAM, including network connections and process information, which is the opposite of preservation.