Live forensics investigates a running system to capture volatile data before shutdown — RAM, running processes, network connections, logged-in users, encryption keys.
Memory forensics is only possible on a live system. Balance: live forensics preserves volatile evidence; but powered system = attacker may have a tripwire. Capture RAM first, then decide whether to power off. IR playbook should prescribe the approach.