The host operating system is where many traditional forensic investigations begin and end. The forensic evidence resides in disk storage accessible by the host operating system, which stores metadata about the evidence that cannot be accessed from other layers. The same cannot necessarily be said for Hadoop, but there are methods for collecting HDFS data from the host operating system.

Currently, HDFS is not natively recognized by any of the modern operating systems, so HDFS cannot be natively accessed by the host operating system as a filesystem. HDFS is stored in the host operating system's filesystem, but this information resides in the allocated space that cannot be read from the host operating system. This means an investigator cannot easily perform a forensic collection of HDFS data through the host operating system. There are three primary methods for collecting Hadoop evidence from the host operating system: