Not all evidence on a host system is the same. Volatility is used to describe how data on a host system is maintained after changes such as log-offs or power shutdowns. Data that will be lost if the system is powered down is referred to as volatile data. Volatile data can be data in the CPU, routing table, or ARP cache. One of the most critical pieces of volatile evidence is the memory currently running on the system. When investigating such incidents as malware infections, the memory in a live system is of critical importance. Malware leaves a number of key pieces of evidence within the memory of a system and, if lost, can leave the incident response analyst with little or no avenue to investigate.

Non-volatile data is the data that is stored on a hard drive and will usually persist after shut down. Non-volatile data includes Master File Table (MFT) entries, registry information, and the actual files on the hard drive. While malware creates evidence in memory, there are still items of evidentiary value in non-volatile memory.