Thursday, March 4, 2010

Examine the Live System and record open applications

If the machine is still active, any intelligence that can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. Information held only in RAM is lost if it is not recovered before the machine is powered down, so acquiring it while the RAM is still powered is a priority. For most practical purposes it is not possible to completely capture the contents of the RAM modules of a running computer. Specialized hardware could do this, but the computer may have been configured to detect chassis intrusion (some Dell machines can do this stock; software need only monitor for the event), and removing the cover could cause the system to discard the contents of memory. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.
Several open source tools are available to analyse open ports, mapped drives (including drives reached through an active VPN connection) and, of particular importance, open or mounted encrypted files (containers) on the live system. Once a system using Microsoft's Encrypting File System (EFS) is powered down, examining files and directories that were previously decrypted becomes substantially more difficult, because the user's decryption keys are no longer loaded. Using open source tools and commercially available products, it is possible to obtain an image of these mapped drives and open encrypted containers in unencrypted form. For Windows-based systems, the open source tools include the Knoppix and Helix live CDs. Commercial imaging tools include AccessData's Forensic Toolkit (FTK) and Guidance Software's EnCase. Both companies make their imaging tools available for free; however, to analyse the data imaged with these tools you will need to purchase a fully licensed version of the application.
The same open source tools can also scan RAM and the Registry to show recently accessed web-based email sites and the login/password combinations used, and can yield the logins/passwords for recently accessed local email applications, including MS Outlook.
With Microsoft's most recent release, Vista, and its use of BitLocker and the Trusted Platform Module (TPM), the importance of procedures for examining and imaging live (mounted, unencrypted) systems is expected to increase significantly: once such a system is powered off, the encrypted volume is accessible only through the TPM-bound boot path or with the recovery key.
Using tools to analyse and document a live system may itself change the contents of the hard drive. During each phase of the analysis the examiner must document what they did and why they did it. In particular, the examiner should detail the perishable information that would be lost during a power-down. The examiner must weigh the risk of altering data on the hard drive against the evidentiary value of that perishable data.
RAM can be analysed for prior content after power loss, although as production methods become cleaner the physical effects (such as impurities in a cell) that reveal the cell's charge prior to power loss are becoming less common. Data held statically in one area of RAM for long periods is more likely to be detectable by these methods, and the likelihood of recovery increases with the applied voltage, the operating temperature and the duration of storage. Holding unpowered RAM below -60 °C preserves the residual data for roughly an order of magnitude longer, improving the chances of successful recovery. The practicality of such a method in a field examination, however, severely limits this approach.
Because quickly erasing this long-term residual imprint can only be achieved by impractical exposure to high energies, applications written with data security in mind periodically flip the bits of critical data, such as encryption keys, so that no single value is imprinted on the RAM long enough to be recoverable; this removes the need to actively destroy it afterwards.[1]
It is important that the order of volatility is followed when performing a live analysis: the data most likely to be modified or lost first is captured first. The order of volatility is:
1. Network connections
Network connections can close quickly and often leave no evidence of where they were connected to or of the data being transferred.
2. Running processes
Note which programs are running on the computer before further analysis is conducted.
3. RAM
The system's random access memory (RAM) contains information on all running programs as well as recently run programs. Information recoverable from RAM includes passwords, encryption keys, personal information, and system and program settings.
4. System settings
The operating system settings can now be extracted. These include user lists, currently logged-in users, the system date and time, currently open files and the current security policies.
5. Hard disk
The hard disk can then be imaged. Note that imaging a hard drive while the system is running is not forensically sound unless there are extenuating circumstances: the source keeps changing during the copy, so the image is an inconsistent snapshot whose hash cannot be verified against the source.
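As an added example (not a tool from the original post or from Helix, Knoppix, FTK or EnCase), the script below runs a live collection in the volatility order above and, for the documentation requirement discussed earlier, keeps a hash-chained journal of what was collected and when, so the record of the examiner's actions cannot be silently edited or reordered afterwards. It assumes a Linux host with a readable /proc and uses only the Python 3 standard library; the /proc/net/tcp sample embedded in it is constructed, not captured from a real system. The RAM stage deliberately records only /proc/meminfo and a note, because a full physical-memory image requires root and a kernel-level tool.

```python
"""Live-response collector following the order of volatility (network, processes,
RAM, settings). Added example: assumes Linux with /proc, Python 3 stdlib only."""
import hashlib
import json
import os
import socket
import struct
import time
from pathlib import Path

ORDER_OF_VOLATILITY = ("network", "processes", "memory", "settings")  # most volatile first

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp (not captured from a real system).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def _decode_addr(field):
    """'0100007F:0277' (little-endian hex IPv4, hex port) -> '127.0.0.1:631'."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into connection records."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return conns

def _read(path):
    """Read a file; a failure is recorded in the artifact instead of aborting the run."""
    try:
        return Path(path).read_text(errors="replace")
    except OSError as e:
        return f"ERROR reading {path}: {e}\n"

def stage_network():
    return json.dumps(parse_proc_net_tcp(_read("/proc/net/tcp")), indent=1)

def stage_processes():
    try:
        pids = [p for p in Path("/proc").iterdir() if p.name.isdigit()]
    except OSError as e:
        return f"ERROR listing /proc: {e}\n"
    procs = [{"pid": int(p.name), "comm": _read(p / "comm").strip(),
              "cmdline": _read(p / "cmdline").replace("\0", " ").strip()} for p in pids]
    return json.dumps(sorted(procs, key=lambda x: x["pid"]), indent=1)

def stage_memory():
    # A full RAM image needs root and a kernel-level tool (e.g. LiME); record the gap.
    return "NOTE: no full RAM image taken by this script\n" + _read("/proc/meminfo")

def stage_settings():
    users = [l.split(":")[0] for l in _read("/etc/passwd").splitlines() if ":" in l]
    return json.dumps({"utc_time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                       "uname": list(os.uname()), "local_users": users}, indent=1)

STAGES = {"network": stage_network, "processes": stage_processes,
          "memory": stage_memory, "settings": stage_settings}

def collect(outdir):
    """Run the stages in volatility order, writing one artifact each plus a
    hash-chained journal: each entry commits to the previous one, so the record of
    what was done and when cannot be silently edited or reordered afterwards."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    journal, prev = [], "0" * 64
    for stage in ORDER_OF_VOLATILITY:
        started = time.time()
        data = STAGES[stage]().encode()
        artifact = out / f"{stage}.txt"
        artifact.write_bytes(data)
        entry = {"stage": stage, "started": started, "finished": time.time(),
                 "artifact": str(artifact), "sha256": hashlib.sha256(data).hexdigest(),
                 "prev": prev}
        prev = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["entry_hash"] = prev
        journal.append(entry)
    (out / "journal.json").write_text(json.dumps(journal, indent=1))
    return journal

def verify_journal(journal):
    """Recompute the chain; False if any entry was altered, dropped or reordered."""
    prev = "0" * 64
    for e in journal:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body.get("prev") != prev:
            return False
        prev = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if prev != e.get("entry_hash"):
            return False
    return True

if __name__ == "__main__":
    j = collect("./live_response")
    print([e["stage"] for e in j], "journal valid:", verify_journal(j))
```

Run it from a trusted copy of the interpreter on removable media rather than the suspect's own Python, and write the output directory to external storage, since every artifact written to the suspect disk is exactly the kind of change the examiner must later account for. The hard-disk stage is left out on purpose: per the order above it follows only after the volatile data is secured, and it is normally done with the system powered down.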
