Windows Memory Forensic Toolkit is used to perform offline analysis of a physical memory. This is utility intended mainly for forensic-related investigative use. Current version can be used: to enumerate processes (linked by doubly linked list) and
processes hidden by DKOM, to display detailed data about each process
(e.g. info from access_token, data section control areas), to enumerate page frames which belongs to each process and to identify a process to which any
Page Frame Number belongs.
