Chapter 3. Volatile Data Collection

This chapter is dedicated to some issues that are related to the acquisition of data, which has changed very fast. Due to its nature, it reflects the state of the system at a certain time because the collection of data takes place on a live system.

The Request for Comments RFC 3227 document provides a list of digital evidence and the order in which it should be collected. The main principle that should guide this is that the most rapidly changing data should be collected first.

The list of evidence from RFC comprises the following:

• Registers and cache CPU
• Routing table, ARP cache, process table, kernel statistics, and memory
• Temporary filesystems
• Disk
• Remote logging and monitoring data that is relevant to the system's media
• Physical configuration and network topology
• Archival media

According to this list, the volatile data which should be collected first are memory and network related data.