In live-response best practices, which data category should be collected first to minimize data loss?

Multiple Choice

Explanation:
Volatile data is the system’s current state held in RAM—things like running processes, open network connections, loaded drivers, and memory-resident artifacts. Because this information lives in memory, it can disappear in moments if power is lost, the system is rebooted, or it crashes. Collecting it first preserves a snapshot of the live environment, capturing why the system was behaving a certain way and what indicators were present in memory, such as in-memory malware, credentials, or process relationships that aren’t stored on disk. After volatile data is captured, you can gather non-volatile data like disk contents and logs, which remain available but won’t reflect the immediate live state as accurately. Archived data or documentation alone don’t provide the timely, transient evidence needed to reconstruct the incident as it unfolded.