This document discusses live data collection during incident response and computer forensics investigations. It describes the goals of preserving volatile evidence while minimizing changes to the system. When to perform a live response is outlined, such as when volatile data contains critical information. Factors for selecting live response tools and what types of data to collect are provided. Best practices for collection such as automating, documenting, and testing processes on a test system first are recommended. Options for live data collection on Windows systems including prebuilt toolkits and building custom tools are presented. Memory collection using full memory dumps and specific tools is also covered.