Recall that system memory (RAM—Random Access Memory) is volatile: once the computer system is shut down or restarted, everything held in memory is lost. If you come across a powered-on system, do not shut it down or restart it! You'll want to extract the contents of memory so you can analyze them. Keep in mind that this is an essential source of information that does not exist anywhere else, and we do not want to lose this data.
What might we find by analyzing RAM? It may be possible to discover the following:
Passwords
Network Connections
Running Processes/Applications
System Configuration
Malware
Data Theft
Below are three demonstrations of extracting and analyzing system memory. The first demo will use the LiME kernel module in Linux. The second demo will show how to install and use Volatility 3. Finally, we will use FTK Imager to extract the memory contents and the pagefile.sys. If you are unfamiliar with the page file, consider it an extension of your computer's physical memory (RAM). If you have too many programs open simultaneously, you might run out of RAM; to handle this, the operating system uses the hard drive as virtual memory. Think of pagefile.sys as extra RAM that gets used when needed. This is another excellent reason why we want to extract this file and be able to analyze it. On Windows this file is placed in the root of C:\ by default, but it is hidden.
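Before handing a LiME capture to Volatility 3, it is worth checking that the image is structurally intact and recording its hash. The following is an added example, not code from LiME or from the demos above; it walks the LiME file format (a 32-byte header per captured range: magic, version, first address, last inclusive address, 8 reserved bytes) over a constructed sample dump and flags a truncated or corrupt image.

```python
import hashlib
import struct

# LiME writes each captured physical-memory range as a 32-byte header followed
# by the raw bytes: magic 0x4C694D45 ("EMiL" on disk), version 1, first address,
# last address (inclusive) and 8 reserved bytes, all little-endian.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")

def parse_lime(data: bytes) -> list:
    """Return the ranges in a dump as dicts; raise ValueError if it is malformed."""
    ranges, offset = [], 0
    while offset < len(data):
        if len(data) - offset < LIME_HEADER.size:
            raise ValueError(f"truncated header at file offset {offset}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at file offset {offset}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} precedes start {s_addr:#x}")
        length = e_addr - s_addr + 1  # e_addr is inclusive
        data_offset = offset + LIME_HEADER.size
        if data_offset + length > len(data):  # dump cut short mid-range
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} runs past end of file")
        ranges.append({"start": s_addr, "end": e_addr,
                       "file_offset": data_offset, "length": length})
        offset = data_offset + length
    return ranges

def build_lime(segments) -> bytes:
    """Assemble an image from (start_address, payload) pairs (sample input only)."""
    out = bytearray()
    for s_addr, payload in segments:
        out += LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)

def evidence_hash(data: bytes) -> str:
    """SHA-256 of the whole image, to record with the acquisition notes."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: two ranges with a gap, as a real capture skips non-RAM regions.
SAMPLE_DUMP = build_lime([(0x1000, b"A" * 64), (0x9000, b"B" * 32)])

if __name__ == "__main__":
    for r in parse_lime(SAMPLE_DUMP):
        print(f"{r['start']:#010x}-{r['end']:#010x}: {r['length']} bytes at offset {r['file_offset']}")
    print("sha256:", evidence_hash(SAMPLE_DUMP))
```

Run it against a real capture by replacing SAMPLE_DUMP with the file's bytes; a ValueError means the image should not be trusted as a complete acquisition.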
If you want to learn more about LiME, I suggest checking out their GitHub page:
This website provides a great resource on using Volatility 2 and 3. I suggest making sure you are viewing the information for the correct version.
This demo shows you how to use FTK Imager on Windows operating systems to extract the memory contents and the pagefile.sys.