I noticed some interesting behaviour when playing with Helix recently. It ships with a number of cygwin tools, including netcat, for gathering evidence and sending it to remote systems. I started a netcat listener on my local PC and tried using Helix to capture evidence from the same PC using IRCR. Status: FAIL. Cause: the cygwin DLL loaded into memory by my bash shell and netcat listener clashed with the one on Helix, so the script would not run successfully.
It strikes me that loading a copy of the cygwin DLL into memory can effectively break some forensics tools and could even subvert them to alter the results. Loading a poisoned cygwin DLL could be an effective anti-forensic technique if cygwin tools are used. This is also worth knowing if you plan to use Helix or similar tools to do live examination on Windows.
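As an added example (not from the original post), here is a pre-flight check a responder could run before launching cygwin-based tools on a live Windows box: it scans a loaded-module listing for any process that already holds a cygwin1.dll other than the toolkit's own copy. The listing format is modelled on Sysinternals listdlls output, the sample listing is constructed, and the toolkit DLL path is an assumption.

```python
"""Pre-flight check for the cygwin1.dll clash described above.

Parses a module listing (listdlls-style: a 'NAME pid: N' header
followed by 'Base Size Path' rows) and reports every process whose
resident cygwin1.dll is not the copy shipped with the response toolkit.
"""
import re
from collections import defaultdict

# Constructed sample: a local Cygwin bash and netcat listener, plus an
# unrelated process, as a live-response tool would find them resident.
SAMPLE_LISTING = """\
bash.exe pid: 1204
  0x61000000  0x00200000  C:\\cygwin\\bin\\cygwin1.dll
  0x77e40000  0x000a0000  C:\\WINDOWS\\system32\\kernel32.dll
nc.exe pid: 1388
  0x61000000  0x00200000  C:\\cygwin\\bin\\cygwin1.dll
notepad.exe pid: 1500
  0x77e40000  0x000a0000  C:\\WINDOWS\\system32\\kernel32.dll
"""

TOOLKIT_DLL = r"E:\IR\bin\cygwin1.dll"   # assumed path of the trusted copy

HEADER = re.compile(r"^(\S+) pid: (\d+)\s*$")
MODULE = re.compile(r"^\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(.+?)\s*$")

def loaded_cygwin_dlls(listing):
    """Map each cygwin1.dll path (lower-cased) to the (name, pid) pairs holding it."""
    found = defaultdict(list)
    proc = None
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:
            proc = (m.group(1), int(m.group(2)))
            continue
        m = MODULE.match(line)
        if m and proc and m.group(1).lower().endswith("cygwin1.dll"):
            found[m.group(1).lower()].append(proc)
    return dict(found)

def foreign_cygwin_copies(listing, trusted=TOOLKIT_DLL):
    """Processes holding a cygwin1.dll other than the toolkit's own.
    Any hit means the toolkit's cygwin tools may fail or be subverted."""
    return {path: procs for path, procs in loaded_cygwin_dlls(listing).items()
            if path != trusted.lower()}

if __name__ == "__main__":
    for path, procs in foreign_cygwin_copies(SAMPLE_LISTING).items():
        print(f"foreign cygwin1.dll {path} loaded by {procs}")
```

If the check reports anything, either stop those processes first or prefer statically linked tools for that host; rerunning the toolkit against a resident foreign copy just reproduces the failure described above.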