The memory forensic research oriented to segment heap in Windows 10 system

面向Windows 10系统段堆的内存取证研究

School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080, China

Received: 4 March 2020

Abstract

The current forensic research on heaps mainly extracts information from the heap of Linux and the NT heap of Windows. However, the study of how to extract the information on the segment heap in the Windows 10 from dump files is not sufficient. To reproduce the internal information on the segment heap, this paper proposes a method for locating and extracting the internal information on the segment heap in the Windows 10 according to the field offset in the vtype description information of memory object. The method uses the pool scanning technology to locate the process object, obtains the starting position of the process heap and scans the process heap according to the structural information on the process object and the process environment block object. Then it locates the position of the segment heap with its feature values, thereby extracting its internal information. Based on the analysis results, five forensic plugins for extracting the information on the segment heap were developed on the Volatility framework. The experimental results show that this method can effectively extract the information on the address of each segment heap and its internal components in the memory and on the size of committed memory, etc. The information can help investigators to analyze the digital traces left in the memory by cyber criminals or cyber attackers.

摘要

目前有关堆的取证研究主要是针对Linux系统的堆和Windows系统的NT堆，然而怎样从转储文件中提取出Windows 10系统段堆信息并没有得到充分研究。为了重现Windows 10系统中段堆的内部信息，提出根据内存对象vtype描述信息中字段偏移定位并解析段堆内部信息的方法。使用池扫描技术定位进程对象，根据进程对象和进程环境块对象的结构信息获取进程堆的起始位置并扫描进程堆，再使用段堆特征值定位段堆的位置，进而提取出段堆的内部信息。依据分析结果，研发了基于Volatility框架的5个段堆取证插件。实验结果表明文中方法可以有效地提取进程中每个段堆及其内部组件在内存中的地址、占用的内存大小等信息，这些信息可以帮助调查人员分析网络犯罪或网络攻击在内存中留下的数字痕迹。