September 2nd, 2005, 04:51 AM
#29
Now that I have a few minutes... I'd like to drag this thread out of its grave...
One of the long standing debates in forensic circles is "pull the plug" or "capture data then yank it". Pulling the plug is what NIST suggests we do, however there can potentially be a gold mine of information to be collected on a live system. The answer to this is generally a judgement call. Can you capture data from a live system without modifying it, or modifying it in a proven manner such that anything that gets modified won't decapitate your investigation? If a live forensics tool is documented to show that it only changes certain system files, then your case could perhaps be bolstered by the information collected on a live system.
Live forensics is what some people might call incident response. It's the act of responding to a live system and collecting pertinent data to determine if it's simply a security event or an incident that requires taking the box offline for further analysis. Calling live forensics a waste is foolish due to the fact that when an RCA (root compromise analysis) is necessary (and you all do this every time you respond to a real incident, don't you?), you are more than doubling your work without conducting a live investigation of the system.
In a criminal forensics incident, you'd be looking for data that helps you work the case. Examples would be traces of a shredding program running, pulling print jobs from the spooler, or grabbing an encryption key from memory.
Live forensics largely consists of gathering process lists, physical memory dumps, active network connections, pagefile contents and user lists as well as several other types of data.
The tool that Monty has created (WFT) does a wonderful job of illustrating the state of the computer, before you pull the plug.
There are a number of tools on the market that do "live forensics". Here's a few:
WFT - Windows Forensics Toolchest
FSP - Forensic Server Project - by Harlan Carvey get it at: windows-ir.com
Encase (as was mentioned)
Pro-discover - techpathways.com
Wetstone Gargoyle - wetstone technologies - wetstonetech.com (right near mah house!)
OnlineDFS - ATC-NY http://oracorp.com/Products.html (right near mah house too!)
Helix -FRED & netcat - e-fense.com/helix
There is something to be said for an ounce of prevention... but this is forensics, not network security. Forensics is the act of responding to an incident (whether criminal or otherwise), it's not about prevention, it's about finding out how the net/sys admins ****ed up and helping to prevent it from happening again. Or it's about responding to some sick ****ing pedo or murder or any other criminal incident.
Take my current case right now where an organization may have to shell out $500,000 because of one stupid mistake. **** happens, it's my job to help show how it happened so it doesn't happen again.
As for foolmoon pimping out his product, it's a welcome addition in my books. We need more people like Monty busting their asses providing valuable resources for free. I don't make enough to purchase products like Encase so I depend on free software that some very talented people put together.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
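The kind of live collection the post describes (process lists, network connections, logged-on users, gathered in order of volatility before the plug is pulled), as an added example that is not part of the original post and is not code from WFT, FSP or any other tool named in the thread. The point it illustrates is the one made above about documenting what a live tool does: each command is recorded with its start and end time and a SHA-256 of its output, and the entries are hash-chained so the manifest shows later that nothing was reordered or altered. The Windows command list, the case id and the examiner name are constructed placeholders; the helper `self_test_steps()` exists only so the script can be exercised on any OS.

```python
"""Volatile-data collection with a tamper-evident manifest (added example)."""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone

# Constructed illustration, most volatile first (the ordering idea is RFC 3227's):
# commands a first responder might run from a trusted toolkit on a Windows box.
# Nothing here runs unless the list is handed to collect().
WINDOWS_STEPS = [
    ("processes", ["tasklist", "/v"]),
    ("network_connections", ["netstat", "-ano"]),
    ("logged_on_users", ["query", "user"]),
    ("arp_cache", ["arp", "-a"]),
]

GENESIS = "0" * 64  # prev_hash of the first manifest entry


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv, timeout=60):
    """Run one collection command and describe what happened, even if it failed.
    A missing binary or a timeout is recorded (returncode None), never hidden."""
    started = _utc_now()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        stdout, stderr, rc = b"", str(exc).encode(), None
    return {
        "name": name,
        "argv": list(argv),
        "started": started,
        "finished": _utc_now(),
        "returncode": rc,
        "stdout_sha256": sha256_hex(stdout),
        "stderr_sha256": sha256_hex(stderr),
        "stdout": stdout.decode("utf-8", "replace"),
    }


def _canonical(entry) -> str:
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def chain_entries(entries):
    """Link entries: entry_hash = sha256(prev_hash || canonical_json(entry))."""
    prev, chained = GENESIS, []
    for e in entries:
        h = sha256_hex((prev + _canonical(e)).encode())
        chained.append({**e, "prev_hash": prev, "entry_hash": h})
        prev = h
    return chained


def collect(steps, examiner="examiner-placeholder", case_id="CASE-PLACEHOLDER"):
    """Run every step in the given order and return the chained manifest."""
    entries = [run_step(name, argv) for name, argv in steps]
    return {
        "case_id": case_id,
        "examiner": examiner,
        "host": platform.node(),
        "collector_pid": sys.argv and __import__("os").getpid(),  # our own footprint
        "collected": chain_entries(entries),
    }


def verify_manifest(manifest) -> bool:
    """Recompute the chain; any edit, deletion or reordering breaks it."""
    prev = GENESIS
    for entry in manifest["collected"]:
        if entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
        if sha256_hex((prev + _canonical(body)).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def self_test_steps():
    """Portable stand-in for WINDOWS_STEPS: one step that writes 'hello\\n'."""
    return [("hello", [sys.executable, "-c",
                       "import sys; sys.stdout.buffer.write(b'hello\\n')"])]


if __name__ == "__main__":
    steps = WINDOWS_STEPS if platform.system() == "Windows" else self_test_steps()
    manifest = collect(steps)
    print(json.dumps(manifest, indent=2))
    print("manifest verifies:", verify_manifest(manifest))
```

Writing the manifest to removable media, together with the hashes of the collection binaries themselves, is what lets you later show exactly which files the live response touched and in what order.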