Internet evidence - RAM or ROM?  

wotsits
(@wotsits)
Active Member

Typically will most internet evidence be found in the RAM or on the HDD? By internet evidence I'm talking about browser cache, history, cookies, etc.

Posted : 06/06/2015 12:33 pm
(@jaclaz)
Community Legend

Typically will most internet evidence be found in the RAM or on the HDD? By internet evidence I'm talking about browser cache, history, cookies, etc.

Well, if it's a history (or cookies), please read as "anything that is intended to be kept untouched through reboots", I would doubt that anyone would have them in RAM.
Same goes for cache, though most probably some OS or browser may well use two caches, a "volatile" one in RAM and a "persistent" one on hard disk.

jaclaz

Posted : 06/06/2015 6:11 pm
Wildcat1207
(@wildcat1207)
New Member

I concur... and for the same reasons listed. RAM dumps are a great source to find out what might be running right then and there. Before the restart.

Posted : 07/06/2015 5:17 am
(@chris_ed)
Active Member

Go through the logic of your question, thinking about what you know about RAM & HDDs and relate it to how Internet browsers work.

Can Internet browsers retain information? Yes - most of the popular ones retain browsing history and bookmarks, stuff like that.

Does RAM retain information? Yes, but only until the power is switched off. Is this a good and reliable place to store your browsing history and bookmarks then? Probably not.

Do HDDs retain information? Yes, and they do so even when the power is switched off. Is this a good place to store data such as browsing history? Absolutely.

Therefore, typically you are most likely to find most evidence about Internet browser usage on HDDs rather than RAM.

--------

There are caveats, of course, but unless your examiner is really pedantic that should get you some marks.

Note: Web browsers are free, and the tools you can use to interrogate them are often free as well. So design an experiment and test it - see what happens when you use the software to browse the net (where does it write data? And when? What is the format of that file?).

There is little specialist knowledge at work, here - you should try to consider the question yourself and run some tests before posting the question almost verbatim on a messageboard. Good luck!

Posted : 08/06/2015 1:12 pm
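
The experiment suggested in the post above, sketched as an added example that is not part of the thread: hash every file in a profile directory before and after a browsing session, then list what was created or modified on disk and sniff each file's format. The directory, the file names `history.db` and `cookies.txt`, and the simulated "browsing" in `demo()` are constructed stand-ins; to run the real test, call `snapshot()` on a copy of an actual browser profile before and after use.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database

def snapshot(root):
    """Map each file under root (relative path) to the SHA-256 of its content."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff(before, after):
    """Compare two snapshots: which files appeared, changed or vanished."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(f for f in before.keys() & after.keys() if before[f] != after[f]),
    }

def sniff_format(path):
    """Rough type guess from the leading bytes (answers 'what format is that file?')."""
    head = Path(path).read_bytes()[:512]
    if head.startswith(SQLITE_MAGIC):
        return "sqlite3"
    return "binary" if b"\x00" in head else "text"

def _exec(db, sql):
    """Run one statement and close the database so the change is flushed to disk."""
    con = sqlite3.connect(db)
    con.execute(sql)
    con.commit()
    con.close()

def demo():
    """Constructed stand-in for a browser profile; no real browser is involved."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        db = profile / "history.db"  # hypothetical file name
        _exec(db, "CREATE TABLE visits (url TEXT, visited_at TEXT)")
        before = snapshot(profile)
        # Simulated browsing: one history row written, one new cookie file created.
        _exec(db, "INSERT INTO visits VALUES ('https://example.com/', '2015-06-06T12:33')")
        (profile / "cookies.txt").write_text("example.com\tsession\tconstructed\n")
        changes = diff(before, snapshot(profile))
        touched = changes["created"] + changes["modified"]
        return changes, {f: sniff_format(profile / f) for f in touched}
```

Anything that shows up under `created` or `modified` survived on disk; data that never appears there while the browser was in use (for example during a private session) is what only a RAM capture could still hold.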
Belkasoft
(@belkasoft)
Active Member

RAM only stores data until the computer is switched off, so yes, that makes it an unreliable place to STORE data, you are correct. However, the question is - will a suspect WANT to store data? Probably not, at least not the data we would consider evidence. Thus, sometimes RAM is the best source of internet evidence through the course of digital investigation. Cookies, URLs, logins and passwords, in-private browsing history - this is all going to be in RAM, so we highly recommend acquiring RAM from a running computer as the first step - if it is possible, of course. More on the topic: http://belkasoft.com/en/live-ram-forensics; http://articles.forensicfocus.com/2015/05/26/acquiring-windows-pcs; video tutorial on RAM acquisition: https://www.youtube.com/watch?v=lnC1mV8Zg08 (using free Live RAM Capturer: http://belkasoft.com/en/ram-capturer)

Posted : 15/06/2015 9:46 pm