Digital Forensics focuses on the collection of evidence from the volatile and non-volatile memory of a computer-based system, such as the hard disk and the RAM content. Needless to say, hard disk data are crucial in the investigation, but whether hard disk data collection is possible or not depends on the features of the case, and whether the forensics practitioners have a suitable legal permission. As nowadays the capacity of hard disks is increasing more and more, it takes a considerable amount of time to perform the imaging phase, and thus to deal with different steps in the chain of custody of the case. As a consequence, delaying the collection step in the investigation may have a detrimental effect on the progress of the investigation or may be a barrier to succeed in the investigation. Hence, we suggest an efficient methodology to collect evidence for dealing with data leak cases, by substantially reducing the collection time.