What is volatile data...

Two basic types of data are collected in computer forensics. Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). The investigation of this volatile data is called “live forensics”.

It is essential to the forensic investigation that the immediate state of a computer is recorded before it is shut down. Volatile information is lost once the suspect's computer is powered down, and this information may be crucial to the claim. Even if it is not crucial, it may well guide an investigator in the early stages and lay the foundations for the analysis. When collecting data for a computer forensic investigation, collect the most volatile data first, as it will be lost the quickest.
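The "most volatile first" rule can be enforced in a live-response script rather than left to the examiner's memory. The following is an added example, not part of the original page: the volatility ranks (loosely following RFC 3227, section 2.1), the Linux commands and the names `SOURCES`, `run_command` and `collect` are assumptions chosen for illustration. It does not capture RAM itself, which needs a dedicated acquisition tool.

```python
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Assumed ranking (lower = more volatile), deliberately listed out of order.
# Commands are common Linux tools chosen for illustration, not from the page.
SOURCES = [
    (3, "mounted_filesystems", ["mount"]),
    (1, "network_connections", ["ss", "-tanup"]),
    (2, "logged_in_users", ["who", "-a"]),
    (1, "arp_cache", ["ip", "neigh"]),
    (2, "process_table", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
]

def run_command(argv):
    """Run one collector; return its raw output, or the error text on failure."""
    try:
        return subprocess.run(argv, capture_output=True, timeout=30).stdout
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"COLLECTION FAILED: {exc}".encode()

def collect(sources, run=run_command, out_dir=None):
    """Collect most-volatile sources first; return a hashed, timestamped manifest."""
    manifest = []
    # sorted() is stable, so sources with equal rank keep their listed order.
    for rank, name, argv in sorted(sources, key=lambda s: s[0]):
        started = datetime.now(timezone.utc).isoformat()
        output = run(argv)
        entry = {
            "order": len(manifest) + 1,
            "volatility_rank": rank,
            "source": name,
            "command": " ".join(argv),
            "collected_utc": started,
            "sha256": hashlib.sha256(output).hexdigest(),
            "bytes": len(output),
        }
        if out_dir is not None:
            # out_dir should be external media, never the suspect's own disk.
            (Path(out_dir) / f"{entry['order']:02d}_{name}.txt").write_bytes(output)
        manifest.append(entry)
    return manifest

if __name__ == "__main__":
    print(json.dumps(collect(SOURCES), indent=2))
```

The SHA-256 and UTC timestamp recorded per source let the examiner later show that each captured output is unchanged since collection and in what order it was taken.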

To avoid losing volatile memory on a mobile device, keep the device continuously charged. A computer system loses volatile memory when it is powered down, so the only way to safeguard this evidence is to leave the system powered up until a forensics expert can salvage the memory. Cache, which can contain web-mail (e.g. Hotmail, as opposed to email clients such as Outlook), MSN chat and so on, can sometimes be recovered for forensic examination after the browser is shut down, but there is only a small window of opportunity and recovery is by no means guaranteed. More often than not, it depends on the settings.