API hooking

Hooking is typically used by rootkits to force the kernel to hide every activity related to the malware and to intercept user input in order to steal sensitive information. This is usually achieved by manipulating the output of the API calls served by the system kernel, which can mislead live analysis during the incident-handling process. In-depth analysis of the memory image acquired during evidence acquisition from the infected system makes such behavior much easier to detect. Hooking simply redirects the normal execution flow of a process to malicious code at another location in memory, which then returns control so that the process's normal code completes.
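The following is an added example, not code from the book: it shows how a memory-forensics check can spot an inline API hook in a memory image. The idea is the one used by memory-analysis plugins: compare the first bytes of each exported function as they appear in the captured memory with the clean bytes from the on-disk PE file, and flag a prologue that has been overwritten with a jump or push/ret trampoline whose destination lies outside the module's own address range. The module base, export names, offsets, prologue bytes and the hook destination below are all constructed for the example; `find_hooks` and `classify_prologue` are names chosen here, not an API of any real tool.

```python
"""
Added example (not from the book): flag inline API hooks in a constructed
memory snapshot by comparing live function prologues with clean on-disk bytes.
Every address, export name and byte sequence here is constructed.
"""
import struct

# Constructed module layout: where the module is mapped and how large it is.
MODULE_BASE = 0x7FF800000000
MODULE_SIZE = 0x1D000

# Constructed export table: name -> (RVA, first 8 bytes of the clean prologue
# as read from the on-disk PE, which a forensic tool would use as the baseline).
EXPORTS = {
    "NtQuerySystemInformation": (0x1A20, bytes.fromhex("4c8bd1b836000000")),
    "NtReadFile":               (0x1B40, bytes.fromhex("4c8bd1b806000000")),
    "NtCreateFile":             (0x1C60, bytes.fromhex("4c8bd1b855000000")),
}

# Constructed destination of the hook: it lies below MODULE_BASE, so outside the module.
HOOK_TARGET = 0x7FF7FF000000


def rel32_target(addr, code):
    """Resolve the destination of an E9 rel32 near jump whose opcode sits at addr."""
    disp = struct.unpack_from("<i", code, 1)[0]
    return addr + 5 + disp                       # rel32 is relative to the next instruction


def classify_prologue(addr, code):
    """Return (kind, target) for a recognised trampoline, or (None, None) otherwise."""
    if len(code) >= 5 and code[0] == 0xE9:                     # JMP rel32
        return "jmp_rel32", rel32_target(addr, code)
    if len(code) >= 6 and code[:2] == b"\xff\x25":             # JMP [rip+disp32]
        return "jmp_indirect", None                             # target sits in memory, not in the bytes
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32 ; RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None, None


def find_hooks(module_base, module_size, exports, memory):
    """Report exported functions whose in-memory prologue differs from the clean bytes."""
    findings = []
    for name, (rva, clean) in exports.items():
        addr = module_base + rva
        live = memory.get(addr, b"")[:len(clean)]
        if live == clean:
            continue                             # matches the on-disk image: no inline hook
        kind, target = classify_prologue(addr, live)
        outside = target is not None and not (module_base <= target < module_base + module_size)
        findings.append({"function": name, "address": addr, "kind": kind,
                         "target": target, "outside_module": outside})
    return findings


def build_sample_memory():
    """Constructed memory contents at each export address: two hooked, one clean."""
    base = MODULE_BASE
    q_addr = base + EXPORTS["NtQuerySystemInformation"][0]
    # JMP rel32 to HOOK_TARGET, padded with NOPs so the original 8 bytes are covered.
    q_bytes = b"\xe9" + struct.pack("<i", HOOK_TARGET - (q_addr + 5)) + b"\x90\x90\x90"
    # PUSH 0x00401000 ; RET  (a 32-bit style trampoline, address also outside the module).
    c_bytes = b"\x68" + struct.pack("<I", 0x00401000) + b"\xc3\x90\x90"
    return {
        q_addr: q_bytes,
        base + EXPORTS["NtReadFile"][0]: EXPORTS["NtReadFile"][1],   # untouched
        base + EXPORTS["NtCreateFile"][0]: c_bytes,
    }


def scan_sample():
    """Run the check over the constructed snapshot."""
    return find_hooks(MODULE_BASE, MODULE_SIZE, EXPORTS, build_sample_memory())


if __name__ == "__main__":
    for f in scan_sample():
        tgt = f"{f['target']:#x}" if f["target"] is not None else "unknown"
        print(f"{f['function']} @ {f['address']:#x}: {f['kind']} -> {tgt} "
              f"(outside module: {f['outside_module']})")
```

Two points matter when applying this to a real image: the clean baseline must come from the file on disk (or a known-good copy), never from the memory image itself, and a differing prologue that jumps to an address inside the module may still be a legitimate hot-patch, so the "outside module" flag is what separates a likely rootkit hook from benign relocation.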
