Uroz, Daniel; Pinilla, Abraham Díaz-Campo; Rodríguez, Ricardo J.
Structural Analysis of the Windows NT Heap for Memory Forensics Journal Article
In: Forensic Science International: Digital Investigation, vol. PP, no. PP, pp. PP, 2026, ISSN: 2666-2817, (Selected Papers of the Thirteenth Annual DFRWS Europe Conference. Accepted for publication. To appear.).
Tags: Heap Forensics, Low Fragmentation Heap, memory forensics, Volatility 3, Windows NT Heap
@article{Uroz2026,
title = {Structural Analysis of the Windows NT Heap for Memory Forensics},
author = {Daniel Uroz and Abraham Díaz-Campo Pinilla and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/UrozDR-FSIDI-26.pdf},
issn = {2666-2817},
year = {2026},
date = {2026-03-01},
journal = {Forensic Science International: Digital Investigation},
volume = {PP},
number = {PP},
pages = {PP},
abstract = {Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called \texttt{HeapList}. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with \texttt{WinDbg} and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.},
note = {Selected Papers of the Thirteenth Annual DFRWS Europe Conference. Accepted for publication. To appear.},
keywords = {Heap Forensics, Low Fragmentation Heap, memory forensics, Volatility 3, Windows NT Heap},
pubstate = {published},
tppubtype = {article}
}
Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.
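As an added illustration of the "decode encoded metadata" and "navigation of heap entries" steps the abstract describes, the C program below (written for this page; it is not code from the paper or from the HeapList plugin) decodes x64 _HEAP_ENTRY headers that ntdll XOR-encodes with _HEAP.Encoding, validates the SmallTagIndex checksum byte, and walks a backend segment block by block, cross-checking each header's PreviousSize against the block just passed. The segment bytes, the payload string and the 8-byte key are constructed here; in a real image the key and the EncodeFlagMask come from each _HEAP reached through PEB.ProcessHeaps. The example covers backend (non-LFH) blocks only, since the frontend reuses UnusedBytes differently, and it assumes UnusedBytes counts the header, as ntdll sets it for backend allocations.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GRANULARITY            16u        /* x64 block granularity (8 on x86) */
#define ENTRY_HDR              16u        /* sizeof(_HEAP_ENTRY) on x64 (8 on x86) */
#define CODE_OFF               8u         /* encoded bytes follow PreviousBlockPrivateData */
#define HEAP_ENTRY_BUSY        0x01u
#define HEAP_ENTRY_LAST_ENTRY  0x10u
#define HEAP_ENCODE_FLAG_MASK  0x100000u  /* value of _HEAP.EncodeFlagMask when encoding is on */

typedef struct {                 /* decoded view of the 8 encoded _HEAP_ENTRY bytes */
    uint16_t size;               /* block size in GRANULARITY units, header included */
    uint8_t  flags;
    uint8_t  small_tag_index;    /* checksum byte */
    uint16_t previous_size;      /* size of the preceding block, same units */
    uint8_t  segment_offset;
    uint8_t  unused_bytes;       /* block bytes not handed to the caller, header included (assumption) */
} entry_code;

typedef struct {
    size_t         offset;       /* header offset inside the segment buffer */
    size_t         block_bytes;  /* whole block, header included */
    size_t         requested;    /* caller-visible size; 0 for free blocks */
    int            busy;
    const uint8_t *user_data;    /* first byte after the header */
} heap_block;

static void unpack(const uint8_t b[8], entry_code *e) {
    e->size = (uint16_t)(b[0] | b[1] << 8); e->flags = b[2]; e->small_tag_index = b[3];
    e->previous_size = (uint16_t)(b[4] | b[5] << 8); e->segment_offset = b[6]; e->unused_bytes = b[7];
}

static void pack(const entry_code *e, uint8_t b[8]) {
    b[0] = e->size & 0xff; b[1] = e->size >> 8; b[2] = e->flags; b[3] = e->small_tag_index;
    b[4] = e->previous_size & 0xff; b[5] = e->previous_size >> 8; b[6] = e->segment_offset; b[7] = e->unused_bytes;
}

/* ntdll's header check: XOR of the first three decoded bytes must equal SmallTagIndex. */
uint8_t entry_checksum(const entry_code *e) {
    return (uint8_t)((e->size & 0xff) ^ (e->size >> 8) ^ e->flags);
}

/* Decode one header at hdr: XOR the code bytes with the _HEAP.Encoding key when
   EncodeFlagMask says encoding is active. Returns 1 if the checksum holds. */
int decode_entry(const uint8_t *hdr, const uint8_t key[8], uint32_t encode_flag_mask, entry_code *out) {
    uint8_t code[8];
    int encoded = (encode_flag_mask & HEAP_ENCODE_FLAG_MASK) != 0;
    for (int i = 0; i < 8; i++) code[i] = hdr[CODE_OFF + i] ^ (encoded ? key[i] : 0);
    unpack(code, out);
    return entry_checksum(out) == out->small_tag_index;
}

/* Walk contiguous blocks from the segment's first entry. Stops at LAST_ENTRY, at a
   checksum failure, when PreviousSize does not match the block just passed, or when
   a block would run past the buffer. Returns the number of blocks recovered. */
size_t walk_segment(const uint8_t *seg, size_t seg_len, const uint8_t key[8],
                    uint32_t encode_flag_mask, heap_block *out, size_t max_out) {
    size_t off = 0, n = 0;
    uint16_t prev = 0;
    while (n < max_out && off + ENTRY_HDR <= seg_len) {
        entry_code e;
        if (!decode_entry(seg + off, key, encode_flag_mask, &e)) break;  /* wrong key or damaged header */
        if (e.size == 0 || e.previous_size != prev) break;              /* chain inconsistent */
        size_t bytes = (size_t)e.size * GRANULARITY;
        if (off + bytes > seg_len || e.unused_bytes > bytes) break;
        out[n].offset = off;
        out[n].block_bytes = bytes;
        out[n].busy = (e.flags & HEAP_ENTRY_BUSY) != 0;
        out[n].requested = out[n].busy ? bytes - e.unused_bytes : 0;
        out[n].user_data = seg + off + ENTRY_HDR;
        n++;
        if (e.flags & HEAP_ENTRY_LAST_ENTRY) break;
        prev = e.size;
        off += bytes;
    }
    return n;
}

/* Constructed sample (not a real dump): three backend blocks encoded with key.
   Returns the number of segment bytes written, 0 if cap is too small. */
size_t build_sample_segment(uint8_t *buf, size_t cap, const uint8_t key[8]) {
    static const char payload[] = "constructed payload";
    const struct { uint16_t size; uint8_t flags; uint8_t unused; } spec[3] = {
        { 3, HEAP_ENTRY_BUSY, 16 },                          /* 48-byte block, 32 bytes requested */
        { 8, 0, 0 },                                         /* 128-byte free block */
        { 2, HEAP_ENTRY_BUSY | HEAP_ENTRY_LAST_ENTRY, 22 },  /* 32-byte block, 10 bytes requested */
    };
    size_t off = 0;
    uint16_t prev = 0;
    memset(buf, 0, cap);
    for (int i = 0; i < 3; i++) {
        size_t bytes = (size_t)spec[i].size * GRANULARITY;
        if (off + bytes > cap) return 0;
        entry_code e = { spec[i].size, spec[i].flags, 0, prev, 0, spec[i].unused };
        e.small_tag_index = entry_checksum(&e);
        uint8_t code[8];
        pack(&e, code);
        for (int k = 0; k < 8; k++) buf[off + CODE_OFF + k] = code[k] ^ key[k];
        if (i == 0) memcpy(buf + off + ENTRY_HDR, payload, sizeof payload);
        prev = spec[i].size;
        off += bytes;
    }
    return off;
}

int main(void) {
    static const uint8_t key[8] = { 0x3a, 0x7c, 0x91, 0xd7, 0x22, 0x0e, 0x55, 0x83 }; /* stands in for _HEAP.Encoding */
    uint8_t seg[256];
    heap_block b[8];
    size_t len = build_sample_segment(seg, sizeof seg, key);
    size_t n = walk_segment(seg, len, key, HEAP_ENCODE_FLAG_MASK, b, 8);
    for (size_t i = 0; i < n; i++)
        printf("+0x%03zx %s block=%zu requested=%zu\n", b[i].offset,
               b[i].busy ? "busy" : "free", b[i].block_bytes, b[i].requested);
    return n == 3 ? 0 : 1;
}
```

Two points worth keeping in mind when applying this to a real dump. The SmallTagIndex checksum only proves the decoded header is self-consistent, not that the key is right: a wrong key whose difference from the true key has even parity across bytes 0 to 3 passes the check and silently yields wrong sizes, which is why the walk also requires each header's PreviousSize to equal the size of the block it just left. Free blocks carry a free-list _LIST_ENTRY at the start of their user data, so the bytes after the header of a free block are heap metadata, not leftover payload, even though the walk above exposes them through user_data.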