Usually, networks are used by attackers to control the machine remotely, to send captured user information, or to receive new commands. Checking the network connections, which were opened in the system at the time of acquisition, would provide clues about the attack.

Network activities in general leave traces in memory. Investigating network connections could lead to discovery of a hidden connection created by rootkits. These connections can be hidden from normal listing tools in the same way that can be done with the processes. Carving for the network connection structure in memory can reveal such connections.

Another technique to hide a connection is to inject code into a legitimate process to open a malicious connection, so we need to check all the connections in the memory file.