Chapter 1. Live Response
Collecting Volatile Data

Solutions in this chapter:

▪ Live Response
▪ What Data to Collect
▪ Nonvolatile Information
▪ Live-Response Methodologies
▪ Summary
▪ Solutions Fast Track
▪ Frequently Asked Questions

Introduction

Investigators today are increasingly facing situations in which the traditional, widely accepted computer forensic methodology of unplugging the power to a computer and then acquiring a bit-stream image of the system hard drive via a write blocker is, simply, not a viable option. For instance, it is becoming more common for investigators to encounter servers that are critical to business operations and cannot be shut down. Investigators and incident responders are also seeing instances in which the questions they ...

Get Windows Forensic Analysis DVD Toolkit, 2nd Edition now with the O’Reilly learning platform.
