Investigating a Live System
Some systems cannot be shut down, no matter what the risk or what the compromise.
This is a worst-case scenario, and forensic results are generally not good.
FIRE CD contains static tools for live systems.
Only resort to an investigation on a live system if all else fails.
- Watch for trojan horses and "root kits"
- The attacker could be watching the watcher!
- Use static binaries!
- Trust nothing!
- Document everything!
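A check for the "Use static binaries!" and "Document everything!" points, as an added example that is not part of the original slides or the FIRE project: it reads each tool's ELF program headers, flags any that request a dynamic loader (PT_INTERP) and would therefore pull in the suspect host's libraries, and records a SHA-256 for the case notes. It is meant to run on a trusted workstation while assembling the response media; the tool names and ELF images below are constructed samples, and `audit_toolkit` is a hypothetical helper name.

```python
import hashlib
import struct

PT_INTERP = 3  # program header that names the dynamic loader (e.g. ld-linux)

def program_header_types(data: bytes) -> list:
    """Return the p_type of every ELF program header in `data`."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF header")
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 0x20 if is64 else 0x1C)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36 if is64 else 0x2A)
    if phnum == 0:
        raise ValueError("no program headers (not an executable)")
    if phentsize < 4 or phoff + phentsize * phnum > len(data):
        raise ValueError("program header table out of bounds")
    return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]

def audit_toolkit(tools: dict) -> list:
    """Return (name, sha256, verdict) for each tool, sorted by name."""
    report = []
    for name, image in sorted(tools.items()):
        try:
            types = program_header_types(image)
            verdict = "dynamic" if PT_INTERP in types else "static"
        except ValueError as exc:
            verdict = f"rejected: {exc}"   # trust nothing that fails to parse
        report.append((name, hashlib.sha256(image).hexdigest(), verdict))
    return report

def sample_elf(ptypes: list) -> bytes:
    """Constructed minimal ELF64 little-endian image: headers only, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return ident + hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)

# Constructed samples: PT_PHDR/PT_INTERP/PT_LOAD/PT_DYNAMIC vs. PT_LOAD only.
SAMPLES = {"ls": sample_elf([6, 3, 1, 2]), "ps": sample_elf([1, 1]),
           "netstat": b"#!/bin/sh\n"}

if __name__ == "__main__":
    for row in audit_toolkit(SAMPLES):
        print(*row)
```

Only tools reported as `static` belong on the response media; the printed hashes go into the investigation notes.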