To analyze a compromised computer or analyze the behavior of malware you will need tools like FTK Imager. You can perform memory dump of the compromised machine and export it to external storage device, extract process-related information from memory snapshots, threads, strings, dependencies and communications.
You can also examine Windows operating system files such as Pagefile.sys where virtual memory is stored and Hiberfil.sys where in-memory data are stored while the system is in Hibernation mode. Both files are hidden and in use by the OS. With FTK you can copy these files and examine them.
You will find it in AccessData’s site. Download