Structural analysis of the Windows NT heap for memory forensics
Abstract: Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.
Language: English
DOI: 10.1016/j.fsidi.2026.302060
Year: 2026
Published in: Forensic Science International: Digital Investigation 56 (2026), 302060 [9 pp.]
ISSN: 2666-2817

Funding: info:eu-repo/grantAgreement/ES/DGA/T21-23R
Funding: info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00
Funding: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Type and form: Article (Published version)
Area (Department): Languages and Information Systems (Dept. of Computer Science and Systems Engineering)
Exported from SIDERAL (2026-04-10-13:47:03)
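The abstract's "decode encoded metadata" and "navigation of heap entries" refer to the NT heap's backend bookkeeping: since Windows Vista, each _HEAP_ENTRY header has its 8 size/flag bytes XORed with the per-heap _HEAP.Encoding key (applied when _HEAP.EncodeFlagMask has 0x100000 set), and the fourth decoded byte, SmallTagIndex, is a checksum (XOR of the three bytes before it) that lets a tool tell a correctly decoded header from a wrong key, a misaligned offset, or an overwritten chunk. The example below is an added illustration, not code from the paper or from the HeapList plugin: it models only the encoded 8 bytes of the header (on x64 these follow an unencoded 8-byte PreviousBlockPrivateData field), uses a constructed key and a constructed segment in place of values that a real plugin reads out of the memory image, and walks the segment entry by entry using Size times the granularity (8 bytes on x86, 16 on x64), stopping at the first checksum or bounds failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 8 encoded bytes of an NT heap _HEAP_ENTRY (Vista and later). On x86 this
 * is the whole 8-byte header; on x64 the 16-byte header carries an unencoded
 * 8-byte PreviousBlockPrivateData first, then these 8 bytes. */
typedef struct {
    uint16_t Size;          /* block size in granularity units (8 on x86, 16 on x64) */
    uint8_t  Flags;         /* e.g. HEAP_ENTRY_BUSY */
    uint8_t  SmallTagIndex; /* header checksum: XOR of the three bytes before it */
    uint16_t PreviousSize;
    uint8_t  SegmentOffset;
    uint8_t  UnusedBytes;
} heap_entry_hdr;
_Static_assert(sizeof(heap_entry_hdr) == 8, "header must pack to 8 bytes");

#define HEAP_ENTRY_BUSY 0x01u

static size_t granularity(bool x64) { return x64 ? 16 : 8; }
static size_t header_len(bool x64)  { return x64 ? 16 : 8; }

/* XOR the 8 encoded bytes with the heap's key; encoding and decoding are the
 * same operation. `key` stands in for the 8 bytes read from _HEAP.Encoding. */
static void xor_hdr(const uint8_t in[8], const uint8_t key[8], uint8_t out[8]) {
    for (int i = 0; i < 8; i++) out[i] = in[i] ^ key[i];
}

/* Decode the entry header at `p` and verify the SmallTagIndex checksum.
 * A false return means a wrong key, an offset that is not an entry boundary,
 * or a header that was overwritten (the corruption a forensic walk must notice). */
bool nt_heap_decode_entry(const uint8_t *p, bool x64, const uint8_t key[8], heap_entry_hdr *out) {
    uint8_t raw[8];
    xor_hdr(p + (x64 ? 8 : 0), key, raw);
    memcpy(out, raw, sizeof raw);
    return (uint8_t)(raw[0] ^ raw[1] ^ raw[2]) == raw[3];
}

/* Walk consecutive entries of one segment: decode each header and advance by
 * Size * granularity. Stops at the first checksum failure, malformed size, or
 * end of buffer. Returns the number of entries walked; byte sizes go to `sizes`. */
size_t nt_heap_walk(const uint8_t *seg, size_t len, bool x64, const uint8_t key[8],
                    size_t *sizes, size_t max_entries) {
    size_t off = 0, n = 0;
    while (n < max_entries && off + header_len(x64) <= len) {
        heap_entry_hdr h;
        if (!nt_heap_decode_entry(seg + off, x64, key, &h)) break;
        size_t bytes = (size_t)h.Size * granularity(x64);
        if (bytes < header_len(x64) || off + bytes > len) break; /* bogus Size field */
        sizes[n++] = bytes;
        off += bytes;
    }
    return n;
}

/* Constructed sample segment (not a real dump): `n` busy entries with the given
 * sizes in granularity units, each header encoded with `key`. Only the header
 * encoding mimics a real heap; payload bytes are a filler pattern. */
size_t build_sample_segment(uint8_t *buf, size_t cap, bool x64, const uint8_t key[8],
                            const uint16_t *units, size_t n) {
    size_t off = 0, prev = 0;
    for (size_t i = 0; i < n; i++) {
        size_t bytes = (size_t)units[i] * granularity(x64);
        if (off + bytes > cap) return 0;
        memset(buf + off, 0xAB, bytes);                 /* filler payload */
        heap_entry_hdr h = {0};
        h.Size = units[i];
        h.Flags = HEAP_ENTRY_BUSY;
        h.PreviousSize = (uint16_t)prev;
        uint8_t plain[8];
        memcpy(plain, &h, sizeof plain);
        plain[3] = plain[0] ^ plain[1] ^ plain[2];      /* SmallTagIndex checksum */
        if (x64) memset(buf + off, 0, 8);               /* unencoded PreviousBlockPrivateData */
        xor_hdr(plain, key, buf + off + (x64 ? 8 : 0));
        prev = units[i];
        off += bytes;
    }
    return off;
}

/* Constructed key standing in for the 8 bytes of _HEAP.Encoding. */
const uint8_t SAMPLE_KEY[8] = {0x00, 0x00, 0x5a, 0xc3, 0x11, 0x22, 0x33, 0x44};

int main(void) {
    uint8_t seg[4096];
    const uint16_t units[] = {3, 5, 2};                 /* x64: 48, 80 and 32 bytes */
    size_t len = build_sample_segment(seg, sizeof seg, true, SAMPLE_KEY, units, 3);
    size_t sizes[8];
    size_t n = nt_heap_walk(seg, len, true, SAMPLE_KEY, sizes, 8);
    for (size_t i = 0; i < n; i++) printf("entry %zu: %zu bytes\n", i, sizes[i]);
    return 0;
}
```

The checksum check is what makes the walk trustworthy on a memory image: with the wrong key, or starting from an address inside a chunk's payload, the first decode fails rather than producing a plausible-looking but wrong Size that would send the walk off the segment. A real plugin would additionally honour EncodeFlagMask (skipping the XOR when encoding is off), handle the frontend (LFH) layer, and read Encoding from the _HEAP structure instead of a constant.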


Collection: articulos > articulos-por-area > lenguajes_y_sistemas_informaticos

Record created 2026-04-10, last modified 2026-04-10


Published version: PDF