Serial publication
Analytical references
Author: Carrier, Brian D. carrier@cerias.purdue.edu
Title: Risk of Live Digital Forensic Analysis.
Pages/Collation: pp. 56-61
Communications of the ACM Vol. 49, no. 2 February 2006
Holdings information

Abstract

The article examines the area of live digital forensic analysis and the methods that attackers use to hide evidence from investigators. The most common source of false data during live analysis is rootkits, described as "Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine." A rootkit hides the attacker by inserting a filter into the data flow of a computer. Rootkits have been developed for each of the major interfaces. The most primitive rootkits were application-level rootkits, or user-mode rootkits, which replaced system executables with Trojan versions that would not display file names, process names, open ports, or system configuration values. Several countermeasures exist to deal with rootkits. To counter application-level rootkits, an investigator can use a CD of trusted tools that he or she knows have not been modified. To counter library-level rootkits, an investigator can make sure the trusted tools on the CD are statically compiled so that they do not use the Trojan libraries. The article concludes that live analysis may not produce reliable results, but it is still useful in some cases.

UCLA - Felix Morales Bueno Science and Technology Library