Collection

The collection element is where digital forensics examiners begin the process of acquiring digital evidence. When examining digital evidence, it is important to understand the volatile nature of some of the evidence an examiner will want to look at. Volatile evidence is evidence that can be lost when a system is powered down. For network equipment, this could include active connections or log data stored on the device. For laptops and desktops, volatile data includes the contents of running memory (RAM) and the Address Resolution Protocol (ARP) cache.

The Internet Engineering Task Force (IETF) has put together a document titled Guidelines for Evidence Collection and Archiving (RFC 3227) that addresses the order of volatility of digital evidence, as follows:

  • Registers and cache
  • Routing table, ARP cache, process table, kernel statistics, memory (RAM)
  • Temporary filesystems
  • Disk
  • Remote logging and monitoring data
  • Physical configuration, network topology
  • Archival media

It is imperative that digital forensics examiners take this volatility into account when starting the process of evidence collection. Methods should be employed whereby volatile evidence is collected and moved to a non-volatile medium, such as an external hard drive.
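As an added example (not part of the original text), the following Python collector orders collection tasks by the RFC 3227 tiers listed above, runs them most volatile first, writes each capture to a destination path that stands in for the external non-volatile medium, and records a SHA-256 hash and UTC timestamp per item. The tier names, the Linux commands and the handling of failed commands are assumptions; capturing registers and RAM is left to dedicated tooling.

```python
import datetime, hashlib, json, pathlib, subprocess

# RFC 3227 order of volatility, most volatile first (tier names are ours, not the RFC's)
VOLATILITY_ORDER = [
    "registers_cache",       # CPU registers and cache: needs dedicated tooling
    "memory_network_state",  # routing table, ARP cache, process table, kernel stats, RAM
    "temp_filesystems",      # /tmp and tmpfs mounts
    "disk",                  # persistent storage
    "remote_logs",           # logs and monitoring data held off-host
    "physical_config",       # cabling, topology
    "archival_media",        # backups, tapes
]

# Assumed Linux collection commands; RAM and register capture are out of scope here
LINUX_TASKS = [
    {"name": "arp_cache", "tier": "memory_network_state", "cmd": ["cat", "/proc/net/arp"]},
    {"name": "routing_table", "tier": "memory_network_state", "cmd": ["cat", "/proc/net/route"]},
    {"name": "process_table", "tier": "memory_network_state", "cmd": ["ps", "-eo", "pid,ppid,user,lstart,cmd"]},
    {"name": "tmp_listing", "tier": "temp_filesystems", "cmd": ["ls", "-la", "/tmp"]},
    {"name": "mounts", "tier": "disk", "cmd": ["cat", "/proc/mounts"]},
]

def volatility_rank(tier):
    """Lower rank = more volatile = collected earlier; unknown tiers raise ValueError."""
    return VOLATILITY_ORDER.index(tier)

def order_tasks(tasks):
    """Stable sort: most volatile tier first, original order kept within a tier."""
    return sorted(tasks, key=lambda t: volatility_rank(t["tier"]))

def collect(tasks, dest):
    """Run tasks in volatility order, write raw output under dest (the non-volatile
    medium, e.g. a mounted external drive) and return a manifest with SHA-256 hashes."""
    dest = pathlib.Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    for task in order_tasks(tasks):
        started = datetime.datetime.now(datetime.timezone.utc).isoformat()
        try:
            proc = subprocess.run(task["cmd"], capture_output=True, timeout=30)
            output, status = proc.stdout, "ok" if proc.returncode == 0 else "nonzero_exit"
        except (OSError, subprocess.TimeoutExpired) as exc:
            output, status = repr(exc).encode(), "error"  # record the failed attempt too
        (dest / f"{task['name']}.raw").write_bytes(output)
        manifest.append({"name": task["name"], "tier": task["tier"], "cmd": task["cmd"],
                         "collected_at_utc": started, "status": status, "bytes": len(output),
                         "sha256": hashlib.sha256(output).hexdigest()})
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest
```

Running `collect(LINUX_TASKS, "/mnt/evidence/host01")` on the examined host writes one `.raw` file per task plus `manifest.json`, whose hashes can later be re-verified against the files on the external medium.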
