There's an interesting article on SecurityFocus about running a forensic analysis on a live Linux system. This would be applicable in situations where, for example, a server has been rooted, but you need to find out how and by whom.
This first article introduces the process and focuses on preparing the environment and data collection. Part Two will focus on the analysis stage. Definitely worth a read.