The general principle is to capture evidence in the order of volatility, from more volatile to less volatile. RFC 3227 sets out the general order as follows:
- CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
- Routing table, ARP cache, process table, kernel statistics.
- Memory (RAM).
- Temporary file systems.
- Disk.
- Remote logging and monitoring data.
- Physical configuration and network topology.
- Archival media.
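
The ordering above can be used both to plan a collection and to review one afterwards. The following Python sketch is an added example, not taken from RFC 3227 or from this page: it sorts a set of artifacts most volatile first and audits a timestamped acquisition log for captures taken out of order. The artifact labels, the log format (`<ISO timestamp> <artifact>`) and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime

# Hypothetical artifact labels mapped to their position in the list above
# (0 = CPU registers and cache ... 7 = archival media).
ARTIFACT_TIER = {
    "cpu_registers": 0,
    "routing_table": 1, "arp_cache": 1, "process_table": 1, "kernel_stats": 1,
    "ram_image": 2,
    "tmpfs_copy": 3,
    "disk_image": 4,
    "remote_log_export": 5,
    "network_diagram": 6,
    "backup_media": 7,
}

def plan(artifacts):
    """Return artifacts ordered most volatile first; reject unclassified labels."""
    unknown = [a for a in artifacts if a not in ARTIFACT_TIER]
    if unknown:
        raise ValueError(f"unclassified artifacts: {unknown}")
    # sorted() is stable, so artifacts in the same tier keep their input order.
    return sorted(artifacts, key=lambda a: ARTIFACT_TIER[a])

def audit(log_lines):
    """Return (late_artifact, captured_before_it) pairs that break the ordering."""
    entries = []
    for line in log_lines:
        stamp, artifact = line.split()
        entries.append((datetime.fromisoformat(stamp), artifact))
    entries.sort(key=lambda e: e[0])
    findings, deepest, deepest_name = [], -1, None
    for _, artifact in entries:
        rank = ARTIFACT_TIER[artifact]
        if rank < deepest:
            # A more volatile source was captured after a less volatile one.
            findings.append((artifact, deepest_name))
        elif rank > deepest:
            deepest, deepest_name = rank, artifact
    return findings

# Constructed sample log: RAM was imaged only after the disk image was taken.
SAMPLE_LOG = [
    "2024-01-01T10:00:05 process_table",
    "2024-01-01T10:00:09 arp_cache",
    "2024-01-01T10:02:00 disk_image",
    "2024-01-01T10:40:00 ram_image",
    "2024-01-01T10:55:00 remote_log_export",
]

if __name__ == "__main__":
    print(plan(["disk_image", "ram_image", "arp_cache", "backup_media"]))
    print(audit(SAMPLE_LOG))
```
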