About the best you can do would be to browse the contents of the $MFT as available within the memory capture. Some of those files may actually be present within memory, and recoverable. That said, there isn't a virtual directory hierarchy that re-creates the entire file system structure. Also remember that there are no guarantees in memory forensics -- what you are looking for *may* be present, or it may have been paged to disk and not available in the memory capture. Also keep in mind that at some point, everything you do on a computer system (websites you visit, pictures you view, documents you create, etc.) traverses the memory. So, there can be a lot of interesting evidence and potentially valuable content therein -- but again, just no guarantees.

WinPmem is usually my go-to.

@@13Cubed Thank you kind sir! Keep up the superb work :)

Look at the version history for Dokany and try to install a previous release instead of the newest release. See if it will let you proceed then.

@@13Cubed Thanks. I tried that but because Win10 did not fully uninstall Dokany, I cannot install any version.

If you use Hibernation Recon to extract the active memory from hiberfil.sys, it should work. Check out the Windows Hibernation Files episode for more information on how to do that.

Check the progress_percent.txt file -- that should display the percentage complete for the forensic process. It can take 15-20 minutes or longer, depending on the speed of your system and the size of the image. It should be at 100 when complete.