When collecting electronic evidence at a crime scene, the data collection should proceed from most volatile to least volatile. Which statement best describes this principle?

Multiple Choice

Explanation:
The idea being tested is that volatile data should be collected before less volatile data because it can vanish quickly. RAM contents, running processes, open network connections, and other in-memory artifacts are extremely transient. If collection is delayed, these details can disappear when the system is powered down or rebooted, or simply as time passes, making it impossible to know the exact state of the machine at the moment of seizure. Investigators therefore perform live acquisition to capture memory and volatile system state first (memory dumps, process lists, active connections, recently opened files, etc.), then proceed to acquire non-volatile evidence such as disk images, logs stored on disk, and other persistent artifacts. This order preserves the most ephemeral information and helps maintain a reliable, defensible evidence record. Because volatile data is at risk of being lost, the statement affirming this principle is the correct answer.