Because the built-in commands in Live Response include put to put a file on the remote system and exec and execfg to execute processes on the system, responders can arbitrarily extend the capabilities of Live Response beyond the built-in commands.

For example, an investigator could take the following series of actions:

  • Upload yara.exe and search memory for your custom yara signatures.
  • Upload winpmem.exe and dump a memory image.
  • Upload sbag.exe and parse the registry for Shellbags artifacts.
  • Upload a custom PowerShell script and execute it with powershell.exe.

Although the library of built-in commands in Live Response will grow, it will never include every command for every situation. The ability to use put file and create process together ensures that you have the freedom to add the utilities you need for forensics and incident response. Additional capabilities are provided by the Live Response API. See the Live Response API Reference.
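The upload-then-execute pattern described above, written out as an added example (not vendor code from this documentation): a small helper that stages a tool with put, runs it with exec, pulls its output back with get file, and removes what it staged, while recording the SHA-256 of the uploaded binary and every step taken so the actions on the endpoint are documented. The session interface (put_file, create_process, get_file, delete_file), the staging directory and the tool name and arguments are assumptions; a FakeSession stand-in is included so the flow runs offline.

```python
"""Sequence Live Response put/exec/get steps around an uploaded tool.

Added example, not vendor code. The session object is assumed to expose
put_file / create_process / get_file / delete_file; a FakeSession is
included so the flow runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ToolRun:
    tool_name: str            # file name the tool will have on the endpoint
    tool_bytes: bytes         # tool binary read from the responder's workstation
    args: str                 # command-line arguments passed to the tool
    output_file: Optional[str] = None       # file the tool writes that we want back
    staging_dir: str = r"C:\Windows\Temp"   # assumed staging directory


@dataclass
class RunRecord:
    tool_sha256: str                                   # hash of what was uploaded
    commands: List[str] = field(default_factory=list)  # Live Response steps, in order
    stdout: bytes = b""
    collected: Optional[bytes] = None


def run_tool(session, run: ToolRun, cleanup: bool = True) -> RunRecord:
    """Upload a tool with put, run it with exec, pull its output with get file,
    then remove what was staged. Every step is appended to the record so the
    actions taken on the endpoint are documented for the case file."""
    record = RunRecord(tool_sha256=hashlib.sha256(run.tool_bytes).hexdigest())
    remote_tool = f"{run.staging_dir}\\{run.tool_name}"

    session.put_file(run.tool_bytes, remote_tool)
    record.commands.append(
        f"put {run.tool_name} -> {remote_tool} (sha256 {record.tool_sha256})")

    command_line = f'"{remote_tool}" {run.args}'.strip()
    record.stdout = session.create_process(command_line)
    record.commands.append(f"exec {command_line}")

    if run.output_file:
        record.collected = session.get_file(run.output_file)
        record.commands.append(f"get file {run.output_file}")

    if cleanup:
        session.delete_file(remote_tool)
        record.commands.append(f"delete file {remote_tool}")
        if run.output_file:
            session.delete_file(run.output_file)
            record.commands.append(f"delete file {run.output_file}")
    return record


class FakeSession:
    """In-memory stand-in for a Live Response session (constructed for the
    example). Files live in a dict; create_process writes a constructed
    output file when the command line contains '--out <path>'."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def put_file(self, data: bytes, remote_path: str) -> None:
        self.files[remote_path] = data

    def create_process(self, command_line: str) -> bytes:
        tokens = command_line.split()
        if "--out" in tokens:
            out_path = tokens[tokens.index("--out") + 1]
            self.files[out_path] = b"constructed tool output"
        return b"tool finished"

    def get_file(self, remote_path: str) -> bytes:
        return self.files[remote_path]

    def delete_file(self, remote_path: str) -> None:
        self.files.pop(remote_path, None)


def demo() -> RunRecord:
    """Stage a (constructed) scanner binary, run it, collect its report, clean up."""
    session = FakeSession()
    run = ToolRun(
        tool_name="scanner.exe",                        # hypothetical tool name
        tool_bytes=b"MZ-constructed-placeholder-binary",  # constructed, not a real PE
        args=r"--rules C:\Windows\Temp\custom.yar --out C:\Windows\Temp\scan.txt",
        output_file=r"C:\Windows\Temp\scan.txt",
    )
    record = run_tool(session, run)
    assert not session.files   # nothing left behind on the endpoint
    return record


if __name__ == "__main__":
    for step in demo().commands:
        print(step)
```

The record returned by run_tool is what a responder would attach to the case notes: which binary (by hash) was placed where, the exact command line executed, and confirmation that the staged files were removed afterwards.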