Finding Digital Evidence in Physical Memory


Presented at BlackHatDC 2006 by

Historically, only file systems were considered a storage location where evidence could be found. But what about volatile memory, which contains a huge amount of useful information? What about anti-forensic methods of defeating forensic and incident response tools? Why is the content of memory not dumped during data collection from a suspicious computer? How can the physical memory be analyzed? Is it possible? I will try to find the answer. During the presentation, methods of investigating the physical memory of a compromised machine will be discussed. Through these methods, it is possible to extract useful information from memory such as the full content of files, detailed information about each process (e.g. owner, MAC times, content), and also about processes that were executed and terminated in the past. This presentation aims to explain the concepts of digital investigation of memory. The techniques covered during the presentation will lead you through the process of analyzing important structures and recovering the content of files from physical memory. As an integral part of the presentation, new ways of detecting hidden objects will be presented. These methods can be used to identify compromised machines and to detect malicious code such as memory-resident rootkits or worms. The discussed methods allow us to detect objects that were hidden by the Direct Kernel Object Manipulation (DKOM) technique. Finally, toolkits will be presented to help an investigator extract information from an image of the physical memory or from the memory object on a live system. Currently, a proof of concept (POC) exists, but I am going to develop a full version which allows information to be extracted from Linux and Windows memory images.
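The hidden-object detection the abstract refers to rests on a cross-view comparison: a process unlinked from the kernel's process list by DKOM disappears from any tool that walks that list, but its structure is still present in physical memory and can be carved out by scanning for its signature. The example below is added here and is not the presenter's toolkit; it uses a constructed, hypothetical record layout (a tag, pid, name and two link offsets, not the real Windows EPROCESS layout) and a constructed in-memory image in which one record has been unlinked, then reports the records that the scan finds but the list walk does not.

```python
import struct

# Hypothetical simplified record layout (NOT the real Windows EPROCESS layout):
# tag(4s) pid(I) name(16s) flink(I) blink(I); flink/blink are offsets into the image.
TAG = b"Proc"
REC_FMT = "<4sI16sII"
REC_SIZE = struct.calcsize(REC_FMT)  # 32 bytes
LIST_HEAD = 0                        # offset of the list head record (pid 0)

def build_image(procs, hidden_pid=None):
    """Constructed test image: a circular doubly linked list of records separated by
    junk bytes. The record for hidden_pid stays in memory but its neighbours are
    re-pointed past it, which is the effect a DKOM process hide has on the list."""
    recs = [(0, b"head")] + procs
    n = len(recs)
    base = [i * (REC_SIZE + 16) for i in range(n)]      # 16 junk bytes between records
    img = bytearray(b"\xCC" * (base[-1] + REC_SIZE + 16))
    for i, (pid, name) in enumerate(recs):
        struct.pack_into(REC_FMT, img, base[i], TAG, pid, name.ljust(16, b"\0"),
                         base[(i + 1) % n], base[(i - 1) % n])
    for i, (pid, _) in enumerate(recs):
        if pid == hidden_pid:
            prev, nxt = base[(i - 1) % n], base[(i + 1) % n]
            struct.pack_into("<I", img, prev + 24, nxt)  # prev.flink = next
            struct.pack_into("<I", img, nxt + 28, prev)  # next.blink = prev
    return bytes(img)

def read_rec(img, off):
    tag, pid, name, flink, blink = struct.unpack_from(REC_FMT, img, off)
    return tag, pid, name.rstrip(b"\0").decode(), flink, blink

def walk_list(img):
    """List view: follow flink from the head, as a live process listing would."""
    found, off, visited = {}, LIST_HEAD, set()
    while off not in visited:                 # guard against cycles/corruption
        visited.add(off)
        _, pid, name, flink, _ = read_rec(img, off)
        if pid:
            found[pid] = name
        off = flink
    return found

def scan_image(img):
    """Physical view: carve every record with a valid tag, ignoring the links."""
    found, pos = {}, img.find(TAG)
    while pos != -1 and pos + REC_SIZE <= len(img):
        _, pid, name, flink, blink = read_rec(img, pos)
        if pid and flink < len(img) and blink < len(img):   # plausibility checks
            found[pid] = name
        pos = img.find(TAG, pos + 1)
    return found

def hidden_processes(img):
    """Cross-view diff: present in the carved set but absent from the list walk."""
    listed, carved = walk_list(img), scan_image(img)
    return {pid: carved[pid] for pid in carved if pid not in listed}
```

On a real image the plausibility checks are what keep carving usable: pointers that fall outside the image, impossible PIDs or unprintable names are discarded before a record is reported as hidden.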