The days of performing only traditional forensics on a host after a security incident are over. A shift to ‘live’ forensics and incident response investigations is underway, with a round of new tools focused specifically on collecting volatile data and memory analysis. Volatile data present only in physical memory could contain IP addresses, URLs, email addresses, passwords, and other information that could be important to an investigation. The traditional argument against performing any incident-response techniques and forensic analysis on a running system is that it could destroy evidence.
Source: https://www.darkreading.com/analytics/tech-insight-digital-forensics-incident-response-go-live

