In addition to the pieces of evidence an investigator may
collect with the techniques described in the previous sections,
a memory image frequently contains a wealth of information
about the system state that can be of great benefit to an
investigation. The aforementioned _EPROCESS block in particular
is a source of valuable data.