000170349 001__ 170349
000170349 005__ 20260410165451.0
000170349 0247_ $$2doi$$a10.1016/j.fsidi.2026.302060
000170349 0248_ $$2sideral$$a148830
000170349 037__ $$aART-2026-148830
000170349 041__ $$aeng
000170349 100__ $$0(orcid)0000-0001-5484-2842$$aUroz, Daniel
000170349 245__ $$aStructural analysis of the Windows NT heap for memory forensics
000170349 260__ $$c2026
000170349 5060_ $$aAccess copy available to the general public$$fUnrestricted
000170349 5203_ $$aModern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode the encoded entry metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to the forensic analysis of user-space applications (specifically, Telegram Desktop) through heap analysis.
000170349 536__ $$9info:eu-repo/grantAgreement/ES/DGA/T21-23R$$9info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00$$9info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
000170349 540__ $$9info:eu-repo/semantics/openAccess$$aby-nc-nd$$uhttps://creativecommons.org/licenses/by-nc-nd/4.0/deed.es
000170349 655_4 $$ainfo:eu-repo/semantics/article$$vinfo:eu-repo/semantics/publishedVersion
000170349 700__ $$aDíaz-Campo Pinilla, Abraham
000170349 700__ $$0(orcid)0000-0001-7982-0359$$aRodríguez, Ricardo J.$$uUniversidad de Zaragoza
000170349 7102_ $$15007$$2570$$aUniversidad de Zaragoza$$bDpto. Informát.Ingenie.Sistms.$$cÁrea Lenguajes y Sistemas Inf.
000170349 773__ $$g56 (2026), 302060 [9 pp.]$$pForensic sci. int. digital invest.$$tForensic science international. Digital investigation$$x2666-2817
000170349 8564_ $$s1313073$$uhttps://zaguan.unizar.es/record/170349/files/texto_completo.pdf$$yPublished version
000170349 8564_ $$s2718392$$uhttps://zaguan.unizar.es/record/170349/files/texto_completo.jpg?subformat=icon$$xicon$$yPublished version
000170349 909CO $$ooai:zaguan.unizar.es:170349$$particulos$$pdriver
000170349 951__ $$a2026-04-10-13:47:03
000170349 980__ $$aARTICLE
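The "decode encoded metadata" step in the abstract refers to the XOR encoding that Windows applies to NT heap entry headers. The block below is an added, self-contained example written for this page; it is not code from the paper or from the HeapList plugin. It decodes, checksum-verifies and walks backend _HEAP_ENTRY headers over a constructed x64 segment, and stops when a header fails its checksum, which is what happens when the encoding key is wrong or an attacker has tampered with the header. It assumes the publicly documented layout: an 8-byte encoded header (Size in blocks, Flags, SmallTagIndex checksum, PreviousSize, SegmentOffset, UnusedBytes), preceded on x64 by 8 bytes of PreviousBlockPrivateData, XORed with _HEAP.Encoding when _HEAP.EncodeFlagMask has 0x100000 set, with a block granularity of 8 bytes on x86 and 16 on x64. The encoding key, the segment contents and the reading of UnusedBytes as block size minus requested size are constructed assumptions; frontend (LFH) entries are not modelled.

```python
"""Decode, verify and walk NT heap backend entries over a constructed segment.

Layout assumed (public heap-internals documentation, not this paper): the encoded
part of _HEAP_ENTRY is 8 bytes, Size (USHORT, blocks) | Flags | SmallTagIndex |
PreviousSize (USHORT) | SegmentOffset | UnusedBytes, preceded on x64 by 8 bytes of
PreviousBlockPrivateData, and XORed with _HEAP.Encoding when EncodeFlagMask & 0x100000.
"""
import struct
from dataclasses import dataclass
from typing import List

HEAP_ENTRY_BUSY = 0x01
HEAP_ENTRY_LAST_ENTRY = 0x10
ENCODE_ENABLED = 0x100000            # bit tested in _HEAP.EncodeFlagMask
ARCH = {"x86": (8, 0), "x64": (16, 8)}  # arch -> (block granularity, header padding)


@dataclass
class HeapEntry:
    offset: int            # entry start (including x64 padding) inside the segment
    size_blocks: int
    flags: int
    small_tag_index: int
    previous_size: int
    segment_offset: int
    unused_bytes: int
    checksum_ok: bool

    def block_bytes(self, arch: str) -> int:
        return self.size_blocks * ARCH[arch][0]

    def user_bytes(self, arch: str) -> int:
        # Assumption: UnusedBytes = block size (header included) minus requested size.
        return self.block_bytes(arch) - self.unused_bytes


def decode_header(raw: bytes, encoding: bytes, encode_flag_mask: int) -> bytes:
    """XOR the 8 encoded header bytes with _HEAP.Encoding when encoding is on."""
    if encode_flag_mask & ENCODE_ENABLED:
        return bytes(x ^ y for x, y in zip(raw, encoding))
    return raw


def parse_header(offset: int, hdr: bytes) -> HeapEntry:
    size, flags, sti, prev, segoff, unused = struct.unpack("<HBBHBB", hdr)
    # SmallTagIndex is the XOR of the three bytes before it (Size lo, Size hi, Flags).
    checksum_ok = ((size & 0xFF) ^ (size >> 8) ^ flags) == sti
    return HeapEntry(offset, size, flags, sti, prev, segoff, unused, checksum_ok)


def walk_segment(segment: bytes, encoding: bytes, mask: int, arch: str) -> List[HeapEntry]:
    """Follow Size from entry to entry until the LAST_ENTRY flag or a bad header."""
    gran, pad = ARCH[arch]
    entries, pos = [], 0
    while pos + pad + 8 <= len(segment):
        raw = segment[pos + pad:pos + pad + 8]
        entry = parse_header(pos, decode_header(raw, encoding, mask))
        entries.append(entry)
        # A failed checksum or zero size means a corrupt header or wrong key;
        # following its Size would only yield garbage, so stop here.
        if not entry.checksum_ok or entry.size_blocks == 0:
            break
        pos += entry.block_bytes(arch)
        if entry.flags & HEAP_ENTRY_LAST_ENTRY:
            break
    return entries


def user_data(segment: bytes, entry: HeapEntry, arch: str) -> bytes:
    """Requested bytes of a busy entry (the payload a forensic analyst carves out)."""
    if not entry.flags & HEAP_ENTRY_BUSY:
        return b""
    gran, pad = ARCH[arch]
    start = entry.offset + pad + 8
    return segment[start:start + entry.user_bytes(arch)]


def build_entry(size_blocks: int, flags: int, prev: int, unused: int, payload: bytes,
                encoding: bytes, mask: int, arch: str) -> bytes:
    """Construct one encoded entry for the synthetic segment (test data, not captured memory)."""
    gran, pad = ARCH[arch]
    sti = (size_blocks & 0xFF) ^ (size_blocks >> 8) ^ flags
    hdr = struct.pack("<HBBHBB", size_blocks, flags, sti, prev, 0, unused)
    hdr = decode_header(hdr, encoding, mask)          # XOR is its own inverse
    body_len = size_blocks * gran - pad - 8
    return b"\x00" * pad + hdr + payload.ljust(body_len, b"\x00")[:body_len]


# Constructed inputs: an arbitrary _HEAP.Encoding and an encoded x64 segment with a
# busy entry (13 requested bytes), a free entry, and a busy last entry (20 bytes).
ENCODING = bytes.fromhex("3713a5c0c3510000")
ENCODE_FLAG_MASK = 0x100000
ARCH_DEMO = "x64"
SEGMENT = b"".join([
    build_entry(2, HEAP_ENTRY_BUSY, 0, 0x13, b"first-payload", ENCODING, ENCODE_FLAG_MASK, ARCH_DEMO),
    build_entry(2, 0, 2, 0, b"", ENCODING, ENCODE_FLAG_MASK, ARCH_DEMO),
    build_entry(3, HEAP_ENTRY_BUSY | HEAP_ENTRY_LAST_ENTRY, 2, 0x1c, b"shellcode-like-bytes",
                ENCODING, ENCODE_FLAG_MASK, ARCH_DEMO),
])


def demo() -> List[HeapEntry]:
    return walk_segment(SEGMENT, ENCODING, ENCODE_FLAG_MASK, ARCH_DEMO)


def demo_tampered() -> List[HeapEntry]:
    """Flip the Size low byte of the second header: its checksum fails and the walk stops."""
    bad = bytearray(SEGMENT)
    bad[32 + ARCH[ARCH_DEMO][1]] ^= 0xFF
    return walk_segment(bytes(bad), ENCODING, ENCODE_FLAG_MASK, ARCH_DEMO)


if __name__ == "__main__":
    for e in demo():
        print(f"+0x{e.offset:04x} size=0x{e.block_bytes(ARCH_DEMO):x} flags=0x{e.flags:02x} "
              f"prev={e.previous_size} ok={e.checksum_ok} data={user_data(SEGMENT, e, ARCH_DEMO)!r}")
```

Running the module prints one line per entry with its decoded size, flags and carved payload; the tampered variant shows why the checksum must be verified before trusting Size, since an attacker who corrupts a header can otherwise steer the walk into arbitrary memory. Against a real memory image the same routine would be driven by the _HEAP.Encoding and EncodeFlagMask values read from the process, and by the segment ranges listed in the heap's segment list.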