Brian

Order of Volatility

When collecting artifacts or evidence, it is essential to remember that some parts of a computer system are more volatile than others. Brezinski and Killalea (2002) published RFC 3227, which outlines best current practices for evidence collection and archiving. RFC 3227 includes a table listing artifacts in their order of volatility.


The following list provides data locations in order from most to least volatile.

1. Registers, Cache

2. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory

3. Temporary File Systems

4. Disk

5. Remote Logging and Monitoring Data that is Relevant to the System in Question

6. Physical Configuration, Network Topology

7. Archival Media

Figure 1

Order of Volatility table from RFC-3227 (Brezinski & Killalea, 2002)


The order of volatility is vital because more volatile evidence is more easily lost. In the event of a power failure, evidence such as registers, cache, and the contents of memory is gone immediately. Data already written to a computer's file system, on the other hand, survives a loss of power (writes still sitting in the page cache and not yet flushed to disk do not). Capturing digital evidence in the order of volatility minimizes the chance that artifacts are lost before they are collected. Keep in mind that every tool run on a live system changes its state (a new process, new memory allocations, new entries in the process table), so record what was run, when, and what it produced as part of the collection.
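As an added illustration of the procedure above (this is example code written for this page, not part of RFC 3227 or the original post), the following POSIX shell script captures Linux artifacts in the RFC's order, most volatile first, and writes a manifest recording the UTC time, stage, artifact name, and hash of each capture so the collection order is itself evidence. It assumes Linux with /proc mounted; optional tools (ps, ss, lsblk) are used when present and recorded as unavailable otherwise. A full physical-memory dump needs a kernel-side acquisition tool such as LiME or AVML and is deliberately not attempted; disk imaging is likewise left as a separate, deliberate step. The stage names and the `capture`/`collect` helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from RFC 3227 or the original post): a minimal
# Linux live-response collector that walks RFC 3227's order of
# volatility and records what was captured, when, and its hash.
# Assumptions: Linux with /proc; ps/ss/lsblk optional; no memory dump
# (needs LiME/AVML) and no disk imaging (a separate, deliberate step).

# Stage names, most volatile first, matching the RFC's table.
volatility_order() {
    printf '%s\n' registers_cache kernel_state temp_fs disk \
        remote_logs physical_config archival_media
}

# Hash a file with whatever digest tool exists (sha256sum, shasum, cksum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# capture OUTDIR STAGE NAME CMD... : run CMD, store its output as
# OUTDIR/STAGE.NAME, then append "time stage name hash" to the manifest.
capture() {
    out=$1; stage=$2; name=$3; shift 3
    f="$out/$stage.$name"
    # A failed command with no output is recorded, not silently skipped.
    if ! "$@" > "$f" 2>/dev/null && [ ! -s "$f" ]; then
        printf 'unavailable on this host: %s\n' "$*" > "$f"
    fi
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$stage" "$name" \
        "$(hash_file "$f")" >> "$out/manifest.txt"
}

# collect OUTDIR : capture each stage in order; prints the manifest path.
collect() {
    out=$1
    mkdir -p "$out"
    : > "$out/manifest.txt"
    for stage in $(volatility_order); do
        case $stage in
        registers_cache)
            # Registers and CPU cache are not reachable from userland;
            # record the CPU so the gap is documented rather than ignored.
            capture "$out" "$stage" cpuinfo cat /proc/cpuinfo ;;
        kernel_state)
            capture "$out" "$stage" route   cat /proc/net/route
            capture "$out" "$stage" arp     cat /proc/net/arp
            capture "$out" "$stage" procs   ps -eo pid,ppid,user,lstart,args
            capture "$out" "$stage" kstat   cat /proc/stat
            capture "$out" "$stage" meminfo cat /proc/meminfo
            capture "$out" "$stage" modules cat /proc/modules
            capture "$out" "$stage" sockets ss -tunap ;;
        temp_fs)
            capture "$out" "$stage" tmpfs   sh -c 'mount | grep -i tmpfs'
            capture "$out" "$stage" tmpls   ls -la /tmp /dev/shm ;;
        disk)
            # Enumerate only; imaging goes to external media via a
            # write blocker, not into the collection directory.
            capture "$out" "$stage" blockdevs lsblk -o NAME,SIZE,TYPE,MOUNTPOINT
            capture "$out" "$stage" mounts    cat /proc/mounts ;;
        remote_logs|physical_config|archival_media)
            # These exist off the host; leave a placeholder so the
            # manifest shows they still have to be obtained elsewhere.
            capture "$out" "$stage" note sh -c 'echo "collect from external source"' ;;
        esac
    done
    echo "$out/manifest.txt"
}
```

Run it as `collect /mnt/evidence/host01` from a shell whose binaries you trust (ideally statically linked tools on read-only media, since the host's own `ps` or `ss` may have been replaced). The manifest's line order is the order of acquisition, and the per-file hashes let you later show that nothing changed between capture and analysis.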


References:

Brezinski, D., & Killalea, T. (2002). Guidelines for Evidence Collection and Archiving (RFC 3227). IETF. https://www.ietf.org/rfc/rfc3227.txt
