As highlighted on the home page the ACPO have released the latest version of their document - direct line
Just reading through it and on Page 18 - Network forensics & volatile data it reads ….
"All of the above may be run from a forensically sound, bootable, floppy disk, DVD / CD-ROM or USB Flash Drive. The latter is recommended (with the exception of systems running Windows 9x)"
I'm just throwing it out here, but to me this is wrong. In terms of volatile data, to plug a USB stick into the machine inherently alters the system.
Surely a written CD, with the tools on it that doesn't have autorun enabled, which is written on a CD-R (thus no chance of any changes) would be much better?
I've used some network-based tools as well that adopt a client/server architecture for obtaining volatile data, and they worked. I did read an article regarding Windows Forensic Toolkit where academics found the application to modify more files once inserted than leaving the computer running idly for 15 hours.