RAM File System in Python

One of the first things you are taught when studying Computer Forensic Investigation is the concept of evidence volatility. Simply put, some pieces of evidence will be available for collection for a much shorter amount of time than other pieces. You must always collect evidence from the most to least volatile. For a concrete example of "why" this practice must be applied you can consider the bot I have developed below.

Incident Response Reading Material

The SANS institute has been nice enough to collect a list of checklist and procedural documentation to aid the Computer Forensic Examiner in the possible tasks they may be faced with. https://www.sans.org/score/checklists