Evidence types:
Volatile (RAM, running processes, network connections — lost on power off),
Non-volatile (disk, logs, artifacts). Collect in volatility order: RAM first, then disk.
Order of volatility (most to least volatile): CPU registers/cache → RAM → swap/page file → disk → remote logging → backup media. Courts require proper chain of custody for admissibility. Hash evidence immediately. Document every action. Legal hold: don't delete evidence relevant to an ongoing investigation.