During live response, pull memory and use cmdhistory.py by @iMHLv2. I use this technique daily to recover attacker cmds. http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/malware/cmdhistory.py

@williballenthin