The memory forensic research oriented to segment heap in Windows 10 system
- Source :
- Xibei Gongye Daxue Xuebao, Vol 39, Iss 5, Pp 1139-1149 (2021)
- Publication Year :
- 2021
- Publisher :
- EDP Sciences, 2021.
Abstract
- Current forensic research on heaps mainly extracts information from the Linux heap and from the NT heap of Windows; how to extract information about the Windows 10 segment heap from memory dump files has not been studied sufficiently. To recover the internal information of the segment heap, this paper proposes a method for locating and extracting segment heap internals in Windows 10 based on the field offsets given in the vtype description of the memory objects. The method uses pool scanning to locate the process object, obtains the starting address of the process heap from the structural information of the process object and the process environment block (PEB), and scans the process heaps. It then locates the segment heap by its feature values and extracts its internal information. Based on the analysis, five forensic plugins that extract segment heap information were developed on the Volatility framework. Experimental results show that the method effectively extracts the address of each segment heap and of its internal components in memory, the size of committed memory, and related data. This information can help investigators analyse the digital traces left in memory by cyber criminals or attackers.
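The core of the method described in the abstract is a walk from the PEB to each registered heap followed by a signature check that tells a segment heap from an NT heap, with field offsets taken from the profile's vtype information. The script below is an added illustration of that pipeline over a constructed flat memory image; it is not the paper's Volatility plugin code. The signature constants (0xDDEEDDEE for `_SEGMENT_HEAP.Signature`, 0xEEFFEEFF for `_HEAP.Signature`, 0xFFEEFFEE for `_HEAP_SEGMENT.SegmentSignature`) are the values Windows writes into the headers; the `LAYOUT` offsets, the `ProcessMemory` class, and the sample image are assumptions standing in for a real profile and a real process layer. It also goes one step past the abstract with a fallback signature sweep that finds a segment heap the PEB no longer references.

```python
import struct

# Signature constants Windows writes into the two heap header types.
NT_HEAP_SIGNATURE = 0xEEFFEEFF        # _HEAP.Signature (NT heap)
NT_SEGMENT_SIGNATURE = 0xFFEEFFEE     # _HEAP_SEGMENT.SegmentSignature (NT heap, offset 0x10)
SEGMENT_HEAP_SIGNATURE = 0xDDEEDDEE   # _SEGMENT_HEAP.Signature
PAGE_SIZE = 0x1000

# Stand-in for the profile's vtype offsets. ASSUMED example values: a real
# plugin reads them from the vtype/symbol table so they track the OS build.
LAYOUT = {
    "_PEB":          {"NumberOfHeaps": 0xE8, "ProcessHeaps": 0xF0},
    "_HEAP":         {"Signature": 0x98, "Counters.TotalMemoryCommitted": 0x200},
    "_SEGMENT_HEAP": {"Signature": 0x10, "MemStats.TotalCommittedPages": 0x80},
}


class ProcessMemory:
    """Flat view over one process's address space (stands in for a
    Volatility process layer); reads outside the mapped range raise."""

    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def _off(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"unmapped read at {addr:#x}")
        return off

    def u32(self, addr):
        return struct.unpack_from("<I", self.data, self._off(addr, 4))[0]

    def u64(self, addr):
        return struct.unpack_from("<Q", self.data, self._off(addr, 8))[0]

    def put(self, addr, fmt, *values):
        struct.pack_into(fmt, self.data, self._off(addr, struct.calcsize(fmt)), *values)


def list_process_heaps(mem, peb):
    """Walk _PEB.ProcessHeaps, the array every heap of the process is registered in."""
    count = mem.u32(peb + LAYOUT["_PEB"]["NumberOfHeaps"])
    table = mem.u64(peb + LAYOUT["_PEB"]["ProcessHeaps"])
    return [mem.u64(table + 8 * i) for i in range(count)]


def classify_heap(mem, heap):
    """Tell a segment heap from an NT heap by the signature in its header and
    read the committed-memory figure from the matching structure."""
    try:
        seg = LAYOUT["_SEGMENT_HEAP"]
        if mem.u32(heap + seg["Signature"]) == SEGMENT_HEAP_SIGNATURE:
            pages = mem.u64(heap + seg["MemStats.TotalCommittedPages"])
            return {"address": heap, "type": "segment", "committed_bytes": pages * PAGE_SIZE}
        nt = LAYOUT["_HEAP"]
        if mem.u32(heap + nt["Signature"]) == NT_HEAP_SIGNATURE:
            return {"address": heap, "type": "nt",
                    "committed_bytes": mem.u64(heap + nt["Counters.TotalMemoryCommitted"])}
    except ValueError:
        pass  # header not resident in the dump: report it instead of guessing
    return {"address": heap, "type": "unknown", "committed_bytes": None}


def scan_for_segment_heaps(mem, step=PAGE_SIZE):
    """Fallback sweep for the segment heap signature at page-aligned header
    positions; catches heaps whose PEB entry is missing or overwritten."""
    sig_off = LAYOUT["_SEGMENT_HEAP"]["Signature"]
    last = mem.base + len(mem.data) - sig_off - 4
    return [addr for addr in range(mem.base, last + 1, step)
            if mem.u32(addr + sig_off) == SEGMENT_HEAP_SIGNATURE]


def build_sample_image():
    """Constructed sample (not from any real dump): a PEB listing one NT heap
    and one segment heap, plus a segment heap the PEB no longer references."""
    base = 0x10000
    mem = ProcessMemory(base, bytes(0x8000))
    peb, table = base, base + 0x1000
    nt_heap, seg_heap, orphan = base + 0x2000, base + 0x4000, base + 0x6000

    mem.put(peb + LAYOUT["_PEB"]["NumberOfHeaps"], "<I", 2)
    mem.put(peb + LAYOUT["_PEB"]["ProcessHeaps"], "<Q", table)
    mem.put(table, "<QQ", nt_heap, seg_heap)

    mem.put(nt_heap + 0x10, "<I", NT_SEGMENT_SIGNATURE)
    mem.put(nt_heap + LAYOUT["_HEAP"]["Signature"], "<I", NT_HEAP_SIGNATURE)
    mem.put(nt_heap + LAYOUT["_HEAP"]["Counters.TotalMemoryCommitted"], "<Q", 0x30000)

    for heap, pages in ((seg_heap, 0x40), (orphan, 0x8)):
        mem.put(heap + LAYOUT["_SEGMENT_HEAP"]["Signature"], "<I", SEGMENT_HEAP_SIGNATURE)
        mem.put(heap + LAYOUT["_SEGMENT_HEAP"]["MemStats.TotalCommittedPages"], "<Q", pages)
    return mem, {"peb": peb, "nt": nt_heap, "segment": seg_heap, "orphan": orphan}


if __name__ == "__main__":
    mem, addrs = build_sample_image()
    for heap in list_process_heaps(mem, addrs["peb"]):
        print(classify_heap(mem, heap))
    print("signature sweep:", [hex(a) for a in scan_for_segment_heaps(mem)])
```

The segment heap check runs before the NT heap check because an NT heap keeps `_HEAP_SEGMENT.SegmentSignature` at the same offset where `_SEGMENT_HEAP` keeps its own signature; the two values differ, so the order only matters for clarity, but testing the more specific constant first keeps a corrupted header from being misread. A real plugin would replace `LAYOUT` with the profile's vtype lookups and `ProcessMemory` with the process address-space layer obtained after pool scanning for the `_EPROCESS` object.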
Details
- Language :
- Chinese
- ISSN :
- 1000-2758 and 2609-7125
- Volume :
- 39
- Issue :
- 5
- Database :
- Directory of Open Access Journals
- Journal :
- Xibei Gongye Daxue Xuebao
- Publication Type :
- Academic Journal
- Accession number :
- edsdoj.29137d20e2be4e5aa2fe7d62f3eef784
- Document Type :
- article
- Full Text :
- https://doi.org/10.1051/jnwpu/20213951139