The collection element is where digital forensic examiners begin the process of acquiring digital evidence. When examining digital evidence, it is important to understand the volatile nature of some of the evidence an examiner will want to look at. Volatile evidence is evidence that is lost when a system is powered down. For network equipment, this can include active connections or log data stored only on the device. For laptops and desktops, volatile data includes the contents of running memory and the Address Resolution Protocol (ARP) cache. The Internet Engineering Task Force (IETF) has put together a document titled Guidelines for Evidence Collection and Archiving (RFC 3227) that addresses the order of volatility of digital evidence: ...
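The following is an added example, not code from the book, showing how an examiner might turn the order-of-volatility idea into a collection script: each artifact is tagged with a volatility tier, tasks are sorted most-volatile-first, every output is hashed as it is captured, and a manifest records what was run and when. The tier names are taken from the sequence RFC 3227 section 2.1 gives (most to least volatile); the commands and artifact names are placeholders chosen for a Linux host and are not the book's procedure.

```python
"""Order-of-volatility collection planner (added example, not from the book)."""
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Most volatile first, following the sequence in RFC 3227 sec. 2.1 (assumption:
# this is the canonical order; adapt tier names to your own procedure).
ORDER_OF_VOLATILITY = [
    "registers_cache",
    "routing_arp_process_kernel_memory",
    "temporary_filesystems",
    "disk",
    "remote_logging",
    "physical_config_topology",
    "archival_media",
]

# Constructed, hypothetical tasks: (artifact name, volatility tier, command).
# Deliberately listed out of order so plan_collection() has something to do.
DEFAULT_TASKS = [
    ("disk_layout", "disk", ["lsblk", "-o", "NAME,SIZE,TYPE,MOUNTPOINT"]),
    ("arp_cache", "routing_arp_process_kernel_memory", ["cat", "/proc/net/arp"]),
    ("tcp_connections", "routing_arp_process_kernel_memory", ["cat", "/proc/net/tcp"]),
    ("process_list", "routing_arp_process_kernel_memory",
     ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("tmpfs_listing", "temporary_filesystems", ["ls", "-la", "/tmp"]),
]


def plan_collection(tasks):
    """Return tasks sorted most-volatile-first; unknown tiers sort last.

    sorted() is stable, so tasks within one tier keep their listed order.
    """
    rank = {tier: i for i, tier in enumerate(ORDER_OF_VOLATILITY)}
    return sorted(tasks, key=lambda t: rank.get(t[1], len(ORDER_OF_VOLATILITY)))


def run_task(name, command, outdir):
    """Run one acquisition command, store its raw output, return a manifest entry.

    A missing tool or a hang must not abort the run: the error text is stored
    in place of the output and the exit status is recorded as -1.
    """
    collected_at = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    try:
        proc = subprocess.run(command, capture_output=True, timeout=60)
        data, status = proc.stdout, proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        data, status = str(exc).encode(), -1
    path = Path(outdir) / f"{name}.txt"
    path.write_bytes(data)
    return {
        "artifact": name,
        "command": " ".join(command),
        "collected_at": collected_at,
        "exit_status": status,
        "bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def collect(tasks, outdir):
    """Collect every task in volatility order and write a hashed manifest."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = [run_task(name, cmd, outdir)
                for name, _tier, cmd in plan_collection(tasks)]
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    for entry in collect(DEFAULT_TASKS, "./evidence"):
        print(entry["artifact"], entry["exit_status"], entry["sha256"][:16])
```

The manifest is what makes the capture defensible: the hash ties each stored file to the bytes the command produced at that moment, and the timestamp shows that the ARP cache and connection table were pulled before anything less volatile. Real acquisitions would run the commands from trusted, read-only tooling rather than the suspect host's own binaries.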
