Commercial tools are finally catching up to what forensic researchers have been focusing on and developing tools for during the last two years: analysis of Windows memory images. With Windows XP and earlier, the physical memory could be imaged using George Garner’s modified version of “dd.” Forensic investigators had to dump the memory from running Windows systems and were limited to looking for ASCII and Unicode text strings. Some investigators also do “file carving” to help collect clues about a case. Research based on the DFRWS forensic challenge showed that information from processes that had terminated or were running prior to the last system reboot still existed in memory.
Source: https://www.darkreading.com/attacks-breaches/forensics-tools-a-closer-look

