Live Disk Forensics on Bare Metal

Abstract

We have developed a hardware/software framework to perform live disk forensics on both physical and virtual machines. For physical machines, we built a hardware SATA sensor that passively monitors disk traffic; for virtual machines, we inserted hooks into KVM and Xen that provide the same monitoring capability. Our software tools use The Sleuth Kit, pyTSK and analyzeMFT to convert the raw disk traffic into semantically useful data in real time. The platform is difficult to detect and supports live forensic analysis, tamper-resistant logging, and replay of disk events with minimal impact on the system under test. Our framework therefore gives researchers and developers a rich toolset for building live forensics and monitoring applications and for conducting forensics research.
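The first step in turning passively captured disk traffic into "semantically useful data" is mapping a raw sector write to a filesystem object. The example below is an added illustration, not code from the paper or from The Sleuth Kit/analyzeMFT: it takes (LBA, byte count) write events from a sensor and decides which NTFS MFT records they overlap, which a tool such as analyzeMFT could then resolve to filenames. The sector size, volume geometry and the assumption of a contiguous $MFT run are constructed for the example.

```python
"""Map raw block-write events to NTFS MFT record numbers (added example)."""
from dataclasses import dataclass

SECTOR = 512          # bytes per sector (assumed)
MFT_RECORD = 1024     # bytes per MFT record (standard NTFS value)


@dataclass(frozen=True)
class NtfsGeometry:
    """Volume layout a sensor would learn once from the NTFS boot sector."""
    partition_start_lba: int   # first sector of the NTFS volume
    cluster_size: int          # bytes per cluster
    mft_start_cluster: int     # $MFT starting cluster
    mft_length_clusters: int   # length of the $MFT run (assumed contiguous)

    def mft_first_byte(self) -> int:
        return (self.partition_start_lba * SECTOR
                + self.mft_start_cluster * self.cluster_size)

    def mft_last_byte(self) -> int:
        return self.mft_first_byte() + self.mft_length_clusters * self.cluster_size


def mft_records_touched(geo: NtfsGeometry, lba: int, nbytes: int) -> list[int]:
    """Return the MFT record numbers overlapped by a write of nbytes at sector lba.

    An empty list means the write did not touch the (assumed contiguous) MFT run,
    so it is ordinary file data rather than metadata.
    """
    start = lba * SECTOR
    end = start + nbytes                      # exclusive
    lo, hi = geo.mft_first_byte(), geo.mft_last_byte()
    s, e = max(start, lo), min(end, hi)       # clip the write to the MFT range
    if s >= e:
        return []
    first = (s - lo) // MFT_RECORD
    last = (e - 1 - lo) // MFT_RECORD
    return list(range(first, last + 1))


# Constructed geometry: volume at sector 2048, 4 KiB clusters,
# $MFT at cluster 786432 (3 GiB into the volume), 64 clusters (256 records) long.
GEO = NtfsGeometry(2048, 4096, 786432, 64)

if __name__ == "__main__":
    # A 4 KiB write at the start of the MFT touches records 0-3 ($MFT .. $Volume).
    print(mft_records_touched(GEO, 2048 + 786432 * 8, 4096))
```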

Publication
Proceedings of the 5th Annual Open-source Digital Forensics Conference