- Digital Forensics and Incident Response
- Gerard Johansen
- 183 words
- 2021-07-02 18:49:46
Collection
The collection element is where digital forensic examiners begin the process of acquiring the digital evidence. When examining digital evidence, it is important to understand the volatile nature of some of the evidence that an examiner will want to look at. Volatile evidence is evidence that can be lost when a system is powered down. For network equipment this could include active connections or log data that is stored on the device. For laptops and desktops, volatile data includes running memory or the Address Resolution Protocol (ARP) cache. The Internet Engineering Task Force (IETF) has put together a document titled Guidelines for Evidence Collection and Archiving (RFC 3227) that addresses the order of volatility of digital evidence:
- Registers, cache
- Routing table, ARP cache, process table, kernel statistics, memory (RAM)
- Temporary filesystems
- Disk
- Remote logging and monitoring data
- Physical configuration, network topology
- Archival media
It is imperative that digital forensic examiners take this volatility into account when starting the process of evidence collection. Methods should be employed so that volatile evidence is collected first and moved to a non-volatile medium such as an external hard drive.
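The following script is an added example and is not code from the book: it turns the RFC 3227 ordering above into a collection plan, runs the most volatile collectors first, writes each result to a destination directory (assumed to be a mounted external drive) and records a SHA-256 hash of every artifact in a manifest so that the evidence can later be shown to be unchanged. The Linux commands in `DEFAULT_PLAN` and the `/mnt/evidence/volatile` path are assumptions; `demo_collect` uses constructed stand-in commands so the workflow can be exercised without touching a live host.

```python
"""
Ordered volatile-data collection following the RFC 3227 order of volatility.

Added example, not code from the book. The commands in DEFAULT_PLAN are
assumptions about a Linux host and should be replaced by the tooling
available on the system being examined. Every artifact is SHA-256 hashed
into a manifest so later integrity checks can show it has not changed.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
import time

# Lowest rank = most volatile = collected first (RFC 3227 ordering).
# Constructed plan for a Linux host; adjust to the tooling actually present.
DEFAULT_PLAN = [
    (1, "process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    (1, "arp_cache", ["ip", "neigh", "show"]),
    (1, "routing_table", ["ip", "route", "show"]),
    (1, "network_connections", ["ss", "-tunap"]),
    (1, "kernel_stats", ["cat", "/proc/meminfo"]),
    (2, "temp_filesystems", ["ls", "-la", "/tmp"]),
]


def sha256_file(path):
    """Hash a file in chunks so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(plan, dest, timeout=30):
    """Run each collector in volatility order and return the manifest entries."""
    os.makedirs(dest, exist_ok=True)
    manifest = []
    # sorted() is stable, so items of equal rank keep the order given in the plan.
    for index, (rank, name, cmd) in enumerate(sorted(plan, key=lambda p: p[0])):
        out_path = os.path.join(dest, f"{index:02d}_{name}.txt")
        started = time.time()
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
            data, status = proc.stdout, proc.returncode
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            # Record the failure and keep going: the less volatile items still matter.
            data, status = f"collection failed: {exc}".encode(), None
        with open(out_path, "wb") as f:
            f.write(data)
        manifest.append({
            "rank": rank,
            "name": name,
            "command": cmd,
            "file": os.path.basename(out_path),
            "collected_at": started,
            "exit_status": status,
            "sha256": sha256_file(out_path),
        })
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(dest):
    """Re-hash every artifact; return the names whose hash no longer matches the manifest."""
    with open(os.path.join(dest, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["name"] for e in manifest
            if sha256_file(os.path.join(dest, e["file"])) != e["sha256"]]


def demo_collect(dest=None):
    """Run a constructed, portable plan (stand-in commands instead of real tools)
    so the ordering, failure handling and manifest can be exercised anywhere.
    Returns (dest, manifest)."""
    if dest is None:
        dest = tempfile.mkdtemp(prefix="volatile_")
    plan = [
        (2, "temp_listing", [sys.executable, "-c", "print('tmp listing placeholder')"]),
        (1, "process_table", [sys.executable, "-c", "print('PID CMD placeholder')"]),
        (1, "missing_tool", ["no-such-collector-binary"]),  # exercises the failure path
    ]
    return dest, collect(plan, dest)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/evidence/volatile"  # assumed mount
    for entry in collect(DEFAULT_PLAN, target):
        print(entry["rank"], entry["name"], entry["exit_status"], entry["sha256"][:16])
```

A collector that is missing or hangs is recorded in the manifest with a null exit status rather than aborting the run, because a failed ARP-cache grab should not cost the examiner the process table and the remaining items lower in the order. Running `verify` against the destination later re-hashes each file and names anything that has changed since collection.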