HiveRecon and HbinRecon Launched

Mark Spencer

August 9, 2018

How does exposing Windows Registry data you’ve never seen before sound to you?

We launched two new tools with powerful and unique functionality today – HiveRecon and HbinRecon. We are confident that our customers and colleagues, particularly those interested in the maximum exploitation of electronic evidence, will be pleased that we are yet again exposing valuable information that has not been possible previously.

Summary of HiveRecon Functionality

HiveRecon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. HiveRecon also extracts volatile hives and can incorporate swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.

HiveRecon Features:

  • Extracts Windows Registry hives from hibernation and crash dump files
  • Support for both stable and volatile hives
  • Optional incorporation of pagefile from same session as hibernation
  • Hive header checksum patching
  • Detailed CSV output
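"Hive header checksum patching" refers to the checksum in the REGF base block (the first 512 bytes of a hive): a hive pulled out of a hibernation or crash dump file often has a stale or damaged base block, and tools that validate the checksum will refuse it until the field is recomputed. The Python below is an added example written for this page, not HiveRecon code; it uses the documented base-block layout and checksum rule (XOR of the 127 DWORDs before the checksum field, with the two reserved results remapped), and the sample block it builds is constructed here rather than taken from a real hive. The sequence-number check is included because a mismatch is what tells an analyst the hive was not cleanly written and that transaction logs may hold more data.

```python
import struct

BASE_BLOCK_SIZE = 512      # the REGF base block is the first 512 bytes of a hive
CHECKSUM_OFFSET = 0x1FC    # the checksum DWORD sits at the end of the base block


def regf_checksum(block):
    """XOR of the 127 DWORDs preceding the checksum field, with the two reserved
    results remapped (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1) as the hive format requires."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be at least 512 bytes")
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def stored_checksum(block):
    return struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]


def checksum_is_valid(block):
    return stored_checksum(block) == regf_checksum(block)


def patch_checksum(block):
    """Return a copy of the base block with a recomputed checksum written in place."""
    buf = bytearray(block[:BASE_BLOCK_SIZE])
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, regf_checksum(buf))
    return bytes(buf)


def sequence_numbers(block):
    """(primary, secondary) sequence numbers; they differ when the hive was not
    cleanly written, i.e. the transaction logs hold changes not yet in the hive."""
    return struct.unpack_from("<II", block, 4)


def is_dirty(block):
    primary, secondary = sequence_numbers(block)
    return primary != secondary


def build_sample_base_block(primary_seq=7, secondary_seq=7, root_cell=0x20,
                            hbins_size=0x1000, filename="\\SAMPLE.HIVE"):
    """Construct a minimal valid base block (sample data, not taken from a real hive).
    Fields: signature, primary seq, secondary seq, last-written FILETIME, major, minor,
    file type, file format, root cell offset, hive bins size, clustering factor, name."""
    buf = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sIIQIIIIIII", buf, 0, b"regf", primary_seq, secondary_seq, 0,
                     1, 5, 0, 1, root_cell, hbins_size, 1)
    buf[48:48 + 64] = filename.encode("utf-16-le").ljust(64, b"\0")[:64]
    return patch_checksum(buf)


def triage(block):
    """Summary an analyst would want for a base block recovered from a memory image."""
    return {
        "signature_ok": block[:4] == b"regf",
        "checksum_ok": checksum_is_valid(block),
        "dirty": is_dirty(block),
        "sequence": sequence_numbers(block),
    }
```

`patch_checksum` only rewrites the checksum field; every other byte of the base block is preserved, so a patched hive still carries whatever sequence numbers and timestamp it had when it was captured, which is what you want for later interpretation.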


Summary of HbinRecon Functionality

HbinRecon extracts Windows Registry hive bins (hbins) from any input and decodes the data they contain. Hive bins are essentially the building blocks of Registry hives. Examples of HbinRecon input include healthy Registry hives, fragmented hives, hive transaction logs, and unallocated space. HbinRecon is a surgical tool which is extremely useful in both testing and verification related to Registry data as well as uncovering valuable data not accessible using other methods.

HbinRecon Features:

  • Identifies and parses Windows Registry hive bins from any input
  • Hive (full/partial), transaction log, and hive bin slack identification
  • Multiple scan modes for more efficient processing
  • Decodes nk, vk, sk, lf, lh, li, ri, and db records
  • Date/time decoding (RegFiletime/RegQWord/RegBinary values)
  • Powerful nk and vk hunting modules beginning with “BAM Hunter”
  • Resident and non-resident data options
  • Hive bin carver to carve hive bins from extremely large input
  • CSV output with customizable record separator
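The feature list above describes carving hive bins out of arbitrary input and decoding the cells inside them. To make the mechanics concrete, here is an added Python example written for this page (it is not HbinRecon code and does not reproduce its scan modes or hunting modules). It locates `hbin` headers in any byte string, walks the cells of each bin, flags free cells (hive bin slack), decodes `nk` and `vk` records using the documented record layouts, handles resident versus non-resident value data, decodes FILETIME stamps, and resolves non-resident data only when the target cell lies inside the same carved bin. The input it scans is constructed inline: junk bytes, one hand-built hbin, and a decoy `hbin` signature with an implausible size.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN_SIG = b"hbin"
HBIN_HEADER = 32  # signature, offset in hive bins data, size, reserved, timestamp, spare
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 11: "REG_QWORD"}

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def find_hbins(data):
    """Carve: yield (position, hive_offset, size) for each plausible hbin header in
    arbitrary input; decoy hits are rejected by requiring 4 KiB multiples."""
    pos = data.find(HBIN_SIG)
    while pos >= 0:
        if pos + HBIN_HEADER <= len(data):
            hive_off, size = struct.unpack_from("<II", data, pos + 4)
            if size and size % 4096 == 0 and hive_off % 4096 == 0:
                yield pos, hive_off, size
        pos = data.find(HBIN_SIG, pos + 4)

def iter_cells(data, hbin):
    """Walk one hbin's cells: yield (hive_offset, allocated, payload).
    A negative size marks an allocated cell, a positive one free space (slack)."""
    pos, hive_off, size = hbin
    end = min(pos + size, len(data))
    cur = pos + HBIN_HEADER
    while cur + 4 <= end:
        (raw,) = struct.unpack_from("<i", data, cur)
        length = abs(raw)
        if length < 8 or length % 8 or cur + length > end:
            break  # implausible cell: stop rather than walk into garbage
        yield hive_off + (cur - pos), raw < 0, data[cur + 4:cur + length]
        cur += length

def resolve(data, hbin, cell_off):
    """Payload of the cell at hive offset cell_off if it lies in this hbin, else None."""
    pos, hive_off, size = hbin
    if not hive_off <= cell_off < hive_off + size:
        return None  # lives in another hbin that may be absent from carved input
    at = pos + (cell_off - hive_off)
    (raw,) = struct.unpack_from("<i", data, at)
    return data[at + 4:at + abs(raw)]

def decode_nk(cell):
    flags, ft = struct.unpack_from("<HQ", cell, 2)
    subkeys = struct.unpack_from("<I", cell, 20)[0]
    values = struct.unpack_from("<I", cell, 36)[0]
    name_len = struct.unpack_from("<H", cell, 72)[0]
    raw = cell[76:76 + name_len]
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")  # 0x20: ASCII name
    return {"type": "nk", "name": name, "last_written": filetime_to_datetime(ft),
            "subkey_count": subkeys, "value_count": values}

def decode_vk(cell, data, hbin):
    name_len, raw_size, data_off, dtype, flags = struct.unpack_from("<HIIIH", cell, 2)
    resident = bool(raw_size & 0x80000000)  # high bit set: data is stored in the offset field
    size = raw_size & 0x7FFFFFFF
    raw = cell[20:20 + name_len]
    name = raw.decode("latin-1") if flags & 1 else raw.decode("utf-16-le")
    if resident:
        value = struct.pack("<I", data_off)[:size]
    else:
        payload = resolve(data, hbin, data_off)
        value = None if payload is None else payload[:size]
    rec = {"type": "vk", "name": name or "(Default)", "data_type": REG_TYPES.get(dtype, dtype),
           "resident": resident, "data": value}
    if value is not None and dtype == 4 and size == 4:
        rec["decoded"] = struct.unpack("<I", value)[0]
    if value is not None and dtype == 11 and size == 8:
        rec["filetime"] = filetime_to_datetime(struct.unpack("<Q", value)[0])  # analyst option
    return rec

def scan(data):
    """Carve every hbin from data and decode the nk/vk records it contains;
    other record kinds (sk, lf, lh, li, ri, db) are skipped in this example."""
    records = []
    for hbin in find_hbins(data):
        for off, allocated, payload in iter_cells(data, hbin):
            if not allocated:
                records.append({"type": "free", "offset": off, "size": len(payload) + 4})
            elif payload[:2] == b"nk":
                records.append({"offset": off, **decode_nk(payload)})
            elif payload[:2] == b"vk":
                records.append({"offset": off, **decode_vk(payload, data, hbin)})
    return records

def _cell(payload):
    size = (len(payload) + 4 + 7) // 8 * 8  # cells are 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def build_sample_input():
    """Constructed input, not a real hive: junk, one hbin holding key 'Sample' with a
    resident REG_DWORD and a non-resident REG_QWORD, then a decoy 'hbin' of bogus size."""
    ts = ((datetime(2018, 8, 9, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    hb = bytearray(struct.pack("<4sIIQQI", HBIN_SIG, 0, 4096, 0, ts, 0))
    hb += _cell(struct.pack("<2sHQ15IHH", b"nk", 0x20, ts, 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF,
                            2, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, 6, 0) + b"Sample")
    hb += _cell(struct.pack("<2sHIIIHH", b"vk", 5, 0x80000004, 7, 4, 1, 0) + b"Count")
    data_off = len(hb)  # hive offset of the QWORD data cell (this hbin starts at hive offset 0)
    hb += _cell(struct.pack("<Q", ts))
    hb += _cell(struct.pack("<2sHIIIHH", b"vk", 7, 8, data_off, 11, 1, 0) + b"LastRun")
    free = 4096 - len(hb)
    hb += struct.pack("<i", free) + bytes(free - 4)  # trailing free cell (slack)
    return bytes(100) + b"not a hive" + bytes(hb) + HBIN_SIG + struct.pack("<II", 0, 100) + bytes(24)
```

Two points worth noticing when you run it on real carved material: `resolve` returns `None` whenever a value's data cell lives in a bin you did not recover, which is exactly the non-resident-data gap an analyst hits with fragments from unallocated space, and `iter_cells` stops at the first implausible cell size so that a partially overwritten bin yields the records before the damage instead of garbage after it.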

Why did we build these new tools?

We are first and foremost a consulting company. We only engage in software development when we determine that existing tools and techniques are failing to expose valuable information in our cases. The following slides represent some of the workflows (processing Windows hibernation files and then attempting to extract Registry hives from them) using a variety of tools that we tested during the development of HiveRecon. In many ways these slides speak for themselves:

[Slides: hibernation file processing and Registry hive extraction workflows across the tools tested]

At this point, if you are a digital forensics practitioner, you should be asking yourself just how much Registry data you could have had access to in your previous cases if you were properly extracting hives from hibernation and crash dump files.

Where can you get HiveRecon and HbinRecon?

We are in the process of making both tools available to established customers with active software subscriptions. HiveRecon and HbinRecon will be available soon to new customers as well.

Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!
