

Surveying the user space through user allocations
Institution: Queensland University of Technology, Brisbane, Australia
Abstract: Previous research into memory forensics has focused on understanding the structure and contents of the kernel space portions of physical memory, and has mostly ignored the contents of the user space. This paper describes the results of a survey of user space virtual address allocations in the Windows XP and Windows 7 operating systems, comprehensively identifying the kernel and user space metadata required to identify such allocations. New techniques for determining the role and content of those allocations are identified, significantly increasing the proportion of allocations for which the role and function are understood. The validity of this approach is evaluated and a detailed analysis of the data structures involved is provided. An implementation of this approach is presented which is capable of identifying all user space allocations and, for a high percentage of those allocations, identifying their role, even for complex applications.
Keywords:
This article is indexed in ScienceDirect and other databases.