Summary
When creating memory images, you must consider not only the general approach but also factors unique to each operating system. For Windows, such a factor is access to the \Device\PhysicalMemory kernel object: user-mode code has not been able to open it since Windows Server 2003 SP1, so physical memory has to be read from kernel mode.
Most modern tools therefore load a kernel driver to create the dump; a few take their own route and read physical memory through alternatives to the classic \Device\PhysicalMemory mapping.
Despite the variety of tools for Windows memory extraction, it is worth remembering that the best tool is the one that has been successfully tested on a system identical to the target, or at least very similar to it (same Windows version and build, same architecture, same virtualization-based security settings). An acquisition driver that has not been tested on a matching build can crash the target, and a crash destroys exactly the volatile evidence you came to collect.
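The following PowerShell script is an added example and is not code from the book or from any of the tools it covers. It records the profile of the machine an image was taken from (OS caption, version, build, architecture, visible RAM, and the Device Guard/VBS state), then stores the size and SHA-256 of the image in a sidecar JSON report. Running the same script on the test system lets you diff the two profiles to confirm the tool was validated on a matching build, and the hash lets you verify the image after it is copied off the host. The dump path, the report file name, and the size heuristic for raw images are assumptions made for this example.

```powershell
# Added example (not from the book or any acquisition tool): profile the
# target and hash the memory image after acquisition.
# Assumptions: $DumpPath is the raw image the tool already wrote; the
# report is written next to it as <image>.acquisition.json.
param(
    [Parameter(Mandatory = $true)][string]$DumpPath,
    [string]$ReportPath = "$DumpPath.acquisition.json"
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report = [ordered]@{
    Hostname     = $env:COMPUTERNAME
    Caption      = $os.Caption            # e.g. "Microsoft Windows 10 Pro"
    Version      = $os.Version            # e.g. "10.0.19045"
    BuildNumber  = $os.BuildNumber
    Architecture = $os.OSArchitecture
    VisibleRamMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)
    Collected    = (Get-Date).ToString('o')
}

# VBS/HVCI affect how a driver may read physical memory, so record them.
# Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
# SecurityServicesRunning contains 1 (Credential Guard) and/or 2 (HVCI).
# The class is absent on older builds, hence SilentlyContinue.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $report['VbsStatus']               = $dg.VirtualizationBasedSecurityStatus
    $report['SecurityServicesRunning'] = @($dg.SecurityServicesRunning)
}

# Size and integrity of the image itself.
$dump = Get-Item -LiteralPath $DumpPath
$report['DumpSizeBytes'] = $dump.Length
$report['DumpSHA256']    = (Get-FileHash -LiteralPath $DumpPath -Algorithm SHA256).Hash

# Heuristic for raw, uncompressed images (assumption of this example):
# TotalVisibleMemorySize is in KB, so multiply by 1KB (1024) for bytes.
# A file smaller than visible RAM usually means the acquisition stopped
# early or the tool skipped ranges; check the tool's own log.
if ($dump.Length -lt ($os.TotalVisibleMemorySize * 1KB)) {
    Write-Warning "Image is $($dump.Length) bytes, smaller than visible RAM."
}

$report | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $ReportPath -Encoding utf8
Write-Output "Profile and SHA-256 written to $ReportPath"
```

Run it once on the machine you validated the tool on and once on the target (for example `.\Profile-Acquisition.ps1 -DumpPath D:\case01\memory.raw`, assuming that file name), then compare the Caption, Version, BuildNumber, Architecture and VBS fields of the two reports before trusting the image; the SHA-256 goes into the chain-of-custody record and is re-checked wherever the image is copied.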
In this chapter, we have learned how to create memory dumps using various free tools. Now, it's time to start looking inside them! In the next chapter, we will get to know the tools for Windows memory-dump analysis and learn how to search for traces of user activity.