This chapter is dedicated to some issues that are related to the acquisition of data, which has changed very fast. Due to its nature, it reflects the state of the system at a certain time because the collection of data takes place on a live system.
The Request for Comments RFC 3227 document provides a list of digital evidence and the order in which it should be collected. The main principle that should guide this is that the most rapidly changing data should be collected first.
The list of evidence from RFC comprises the following:
Registers and cache CPU
Routing table, ARP cache, process table, kernel statistics, and memory
Temporary filesystems
Disk
Remote logging and monitoring data that is relevant to the system's media
Physical configuration and network topology
Archival media
According to this list, the volatile data which should be collected first are memory and network related data.