Why isn't RAM analysis part of every computer forensic investigation?

To the analyst, RAM is just a large blob of data with minimal structure, or at least not the structure we expect to see when working with operating systems and file systems.

RAM is volatile, meaning it is easily flushed and is not used for long-term storage. A computer stores information at a memory address, from which it can later be retrieved by a hardware device or a software application. Any information actively used by a program or hardware device passes through the system's RAM while it is in use. This is what makes RAM so important when conducting computer forensics. So why is RAM analysis not a part of every computer forensic investigation? There are two main reasons.

  1. Procedural: Is it acceptable for law enforcement or first responders to introduce artifacts onto the computer system? For RAM to be acquired, the target system has to be running, and a collection program has to be introduced to the system and executed, leaving an acquisition footprint. With the advances in malware technology, acquisition of RAM might provide the only evidence that a crime or intrusion was committed. Over time the courts will come to accept that law enforcement or first responders have left footprints on the target system during RAM acquisition. Documentation by those conducting the acquisition is key.
  2. Physical: If the computer is shut down, the contents of RAM are flushed, wiping away all active information that was in RAM.

From: Memory Forensics: Where to Start by Mark Wade
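The procedural point above turns on documentation: the acquisition tool leaves a footprint on the running system, so the record of what was run, by whom, when, and what came out has to be defensible. The following is an added example (not code from Mark Wade's article) of how an examiner might produce that record in Python: it hashes the acquired image in a streaming fashion, captures tool, operator and timing details, and lets a later analyst verify the image has not changed since collection. The tool name, version, operator and host names are placeholders, and the sample image bytes are constructed for the demonstration.

```python
"""Acquisition record for a memory image (added example; assumptions marked).

Hashes the acquired image, records who/what/when, and verifies later that the
image still matches the record. The sample image bytes and the tool/operator
names used in main() are constructed placeholders, not real acquisition data.
"""
import hashlib
import json
import os
import platform
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_acquisition_record(image_path, tool, tool_version, operator,
                             target_host, started_at, finished_at, notes=""):
    """Document the acquisition: which tool was introduced to the running
    system, by whom, over what window, and the hash of the resulting image."""
    return {
        "image_path": os.path.abspath(image_path),
        "image_size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "acquisition_tool": tool,              # name of the collection program run on the target
        "acquisition_tool_version": tool_version,
        "operator": operator,                  # person who executed the collection
        "target_host": target_host,            # system whose RAM was imaged
        "collection_host": socket.gethostname(),   # workstation that created this record
        "collection_platform": platform.platform(),
        "started_at_utc": started_at.astimezone(timezone.utc).isoformat(),
        "finished_at_utc": finished_at.astimezone(timezone.utc).isoformat(),
        "notes": notes,                        # anything else the footprint discussion may need
    }


def write_record(record, path):
    """Persist the record next to the image as JSON, keys sorted for stable diffs."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(record, handle, indent=2, sort_keys=True)


def verify_image(image_path, record):
    """True only if both the size and the SHA-256 still match the stored record."""
    return (os.path.getsize(image_path) == record["image_size_bytes"]
            and sha256_file(image_path) == record["sha256"])


def main():
    # Constructed stand-in for an acquired image; a real run would point at the dump file.
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "memdump.raw")
    with open(image, "wb") as handle:
        handle.write(b"CONSTRUCTED-SAMPLE-IMAGE\x00" * 4096)

    started = datetime.now(timezone.utc)
    finished = datetime.now(timezone.utc)
    record = build_acquisition_record(
        image, tool="placeholder-acquisition-tool", tool_version="0.0",
        operator="placeholder-examiner", target_host="placeholder-target",
        started_at=started, finished_at=finished,
        notes="Collection program executed on the live system; footprint expected.",
    )
    write_record(record, image + ".acquisition.json")
    print(json.dumps(record, indent=2, sort_keys=True))
    print("verified:", verify_image(image, record))


if __name__ == "__main__":
    main()
```

The record is written beside the image rather than inside it so that the hash covers exactly the bytes that were acquired; re-running `verify_image` before analysis detects any later modification of the dump, which is the check a reviewer will ask for once the footprint question is raised.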