The Bottom Line
Prepare, test, verify, and document a toolkit for analyzing live systems. The toolkit that you prepare for acquisition and subsequent analysis of a compromised system must be thoroughly tested and verified by you or someone in your unit before it can ever be used during an actual response against a live business-critical server or in a large-scale intrusion investigation. Failure to do so will result in severe consequences not only for you but potentially for the system(s) involved.
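One concrete piece of the "verify and document" step is a hash manifest for the toolkit, so that the binaries you carry onto a compromised host are provably the ones you tested. The script below is an added example, not code from the book this summary belongs to: it hashes every file in a toolkit directory with SHA-256, writes a `MANIFEST.sha256` file (an assumed name), re-verifies the directory against that manifest, and produces a one-line verification record for the toolkit's documentation. The toolkit it checks is a constructed temporary directory with a placeholder `bin/memdump` file, not a real acquisition tool.

```python
"""Build and verify a SHA-256 manifest for a live-response toolkit (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "MANIFEST.sha256"  # assumed manifest filename, one "<digest>  <relative path>" line per tool


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large tool binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(toolkit_dir: str) -> dict:
    """Map each file under toolkit_dir (relative, '/'-separated) to its digest, skipping the manifest."""
    digests = {}
    for root, _dirs, files in os.walk(toolkit_dir):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, toolkit_dir).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def build_manifest(toolkit_dir: str) -> dict:
    """Write the manifest for a toolkit that has just been tested; returns what was recorded."""
    digests = hash_tree(toolkit_dir)
    with open(os.path.join(toolkit_dir, MANIFEST_NAME), "w") as m:
        for rel in sorted(digests):
            m.write(f"{digests[rel]}  {rel}\n")
    return digests


def verify_toolkit(toolkit_dir: str) -> dict:
    """Compare the toolkit on disk against its manifest before the toolkit is taken to a live system."""
    expected = {}
    with open(os.path.join(toolkit_dir, MANIFEST_NAME)) as m:
        for line in m:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                expected[rel] = digest
    actual = hash_tree(toolkit_dir)
    modified = sorted(r for r in expected if r in actual and actual[r] != expected[r])
    missing = sorted(r for r in expected if r not in actual)
    unexpected = sorted(r for r in actual if r not in expected)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def verification_record(toolkit_dir: str, result: dict, verifier: str) -> str:
    """One line for the toolkit's documentation: who verified it, when (UTC), and the outcome."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    status = "PASS" if result["ok"] else "FAIL"
    return (f"{stamp} {verifier} {os.path.basename(toolkit_dir)} {status} "
            f"modified={result['modified']} missing={result['missing']} unexpected={result['unexpected']}")


def demo() -> tuple:
    """Constructed scenario: a freshly built toolkit verifies clean, then a tampered tool is caught."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "bin"))
        with open(os.path.join(d, "bin", "memdump"), "wb") as f:
            f.write(b"#!/bin/sh\necho constructed placeholder, not a real acquisition tool\n")
        with open(os.path.join(d, "README.txt"), "w") as f:
            f.write("constructed toolkit README\n")
        build_manifest(d)
        clean = verify_toolkit(d)
        with open(os.path.join(d, "bin", "memdump"), "ab") as f:  # simulate an altered binary
            f.write(b"# tampered\n")
        tampered = verify_toolkit(d)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print(verification_record("toolkit", clean_result, "analyst1"))
    print(verification_record("toolkit", tampered_result, "analyst1"))
```

Run `build_manifest` once on the tested toolkit and store the manifest (and the verification record) with your response documentation; run `verify_toolkit` from read-only media before each use so that a modified, missing, or extra file is caught before the toolkit touches a business-critical server.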
No two systems are alike, and they may run on different hardware architectures. As an investigator you must know how to respond properly to a live system regardless of how it’s configured, and successfully acquire its RAM for subsequent analysis.