System memory is the working space of the operating system. The operating system uses memory to hold the programs being executed and the data those programs need. This is why acquiring system memory is one of the steps that must be performed, whenever it is applicable, in a digital forensic investigation. Analyzing memory may reveal a malicious process or program that has left no trace on the machine's hard disk. Memory also contains the open network connections, which could include the connection of an attacker controlling the machine or stealing user data and information.
In this chapter, we will briefly discuss the Windows memory structure, some techniques that attackers use to hide their malicious activities and presence, and the tools that are used to investigate a memory dump.