A live system holds a good deal of volatile information that an administrator or investigator can use to determine what may have occurred during an incident. It can be used for general troubleshooting or as part of an investigation. This information is usually retained in memory while the system is operating and tends to disappear when the system is shut down. Volatile information generally consists of:
Logged on user(s)
All of this information, in its various forms, can be retrieved using freeware utilities, tools native to the system, and Perl scripts. ...