Title :
Forensic analysis of Windows user space applications through heap allocations
Author_Institution :
Google Inc., Brandschenkestrasse 110, Zurich, Switzerland
Date :
7/1/2015 12:00:00 AM
Abstract :
Memory analysis is now used routinely for incident response and forensic applications. Current memory analysis techniques are very effective in finding kernel artifacts of significance to the forensic investigator. However, the analysis of user space applications has not received enough attention so far. We identify the lack of pagefile support in analysis and acquisition as a major hurdle in the analysis of user space applications. We present a set of patches to the Rekall Memory Forensic platform that enable the analysis of pagefiles on all operating systems. We then continue by studying the process heaps, and in particular the Windows user space heap allocator. We present a set of plugins to enumerate heap allocations and discover internal references. We demonstrate that, using the heap allocations as a guide, it is easier to reverse engineer user space private data structures simply by observation. Finally, we apply the heap analysis technique to study the allocations made by the Windows DNS client cache.
Keywords :
"Resource management","Kernel","Forensics","Security","Data structures","Random access memory"
Conference_Title :
Computers and Communication (ISCC), 2015 IEEE Symposium on
DOI :
10.1109/ISCC.2015.7405522