New Versions of HiveRecon and HbinRecon Launched

October 10th, 2018 Posted by Uncategorized 0 thoughts on “New Versions of HiveRecon and HbinRecon Launched”

What does HiveRecon do?

HiveRecon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. HiveRecon also extracts volatile hives and can incorporate swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.

What’s new in HiveRecon v1.0.0.48 Alpha?

HiveRecon v1.0.0.48 Alpha has improved Registry hive extraction from hibernation and crash dump files, particularly those from Windows 10 Build 17134 onward. Support for decompression of compressed hive bins and performance improvements have been added as well.

Can you provide more details on HiveRecon’s functionality?

HiveRecon’s readme provides details about its functionality and we are happy to explain further!

Please read "Arsenal Recon - End User License Agreement.txt" carefully before using this software.

HiveRecon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. HiveRecon also extracts volatile hives and can incorporate swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.

HiveRecon functionality will be incorporated into both Hibernation Recon and Registry Recon in the future. We are releasing HiveRecon as a stand-alone CLI-based tool now in order to get extremely powerful and unique functionality (used by Arsenal internally) in the hands of our customers more quickly. Please note that our primary goals with our CLI-based tools include accuracy and reliability, with performance being a secondary concern. In other words, in some circumstances you may want to go get a coffee (or go to sleep, coming back to your office refreshed for digital forensics!) while HiveRecon is running.

Arsenal recommends running HiveRecon in an elevated console so that output is sent to the current, rather than a background, console.

Registry Hive Extraction from Hibernation Files:

HiveRecon requires reconstructed active memory from the hiberfil.sys (we strongly recommend performing reconstruction with Hibernation Recon) in addition to the hiberfil.sys itself as input. Merging a swap file from the same Windows session as the hibernation, in order to improve the health of the extracted hives, is also supported. Accordingly, the input file options are:

ActiveMemory.bin + hiberfil.sys
ActiveMemory.bin + hiberfil.sys + pagefile.sys

Registry Hive Extraction from Crash Dumps:

HiveRecon requires only a crash dump itself as input. Crash dumps can be any type except minidumps.

Currently supported operating systems:

Win7x64
Win8x64
Win81x64
Win10x64
Win10x64_17134

Important Notes: Windows 10 x64 Build 17134 introduced significant changes which include Registry hives being held in the memory of a separate process instead of the kernel address space. These changes created new challenges when extracting Registry hives from hibernation and crash dump files. As a temporary workaround for Windows 10 x64 Build 17134 and later, use the "/UseWinDbg:1" option which will resolve the Registry process's cr3 and VadRoot values and facilitate Registry hive extraction. This option requires a crash dump as input, so hibernation files (more specifically, the reconstructed memory from hibernation files a/k/a Hibernation Recon's ActiveMemory.bin) must first be converted to crash dump format. This option also requires the installation of WinDbg (see "Installing WinDbg" below) and the availability of Windows kernel symbols either online or locally. It is easiest to have Internet access while running HiveRecon and allowing WinDbg's kd.exe to download the correct symbols. If Internet access is not available on the HiveRecon workstation, symbols can be downloaded on another workstation and copied into a "symbols" folder in the HiveRecon program folder - see "Symbol Access on Offline/Air-Gapped Workstations" below.

HiveRecon incorporates inactive but still recoverable memory pages in order to extract the healthiest hives possible.

Syntax:

HiveRecon(64/32).exe /RawMem: /HiberFil: /PageFile: /CrashDump: /WinVersion: /Volatile: /FixChecksum: /UseWindbg: /WinDbgPath: /Decompress:

Volatile hives can be extracted by using the /Volatile:1 parameter.

The /WinVersion parameter is only strictly needed when using /RawMem (ActiveMemory.bin) and /HiberFil (hiberfil.sys) with Win7x64 or Win10x64_17134 (or later). This parameter can otherwise be used to override OS auto detection.

Examples:

#extract stable hives from reconstructed active memory
HiveRecon(64/32).exe /RawMem:c:\tmp\ActiveMemory.bin /HiberFil:c:\tmp\hiberfil.sys

#extract stable hives from reconstructed active memory with swap file from same Windows session
HiveRecon(64/32).exe /RawMem:c:\tmp\ActiveMemory.bin /HiberFil:c:\tmp\hiberfil.sys /PageFile:c:\tmp\pagefile.sys

#extract stable hives from reconstructed active memory from Windows 7 x64
HiveRecon(64/32).exe /RawMem:c:\tmp\ActiveMemory.bin /HiberFil:c:\tmp\hiberfil.sys /WinVersion:Win7x64

#extract stable hives from crash dump
HiveRecon(64/32).exe /CrashDump:c:\tmp\MEMORY.DMP

#extract stable and volatile hives from crash dump and patch hive header checksums if necessary
HiveRecon(64/32).exe /CrashDump:c:\tmp\MEMORY.DMP /Volatile:1 /FixChecksum:1

#extract stable hives from Windows 10 x64 Build 17134 or later crash dump using "WinDbg method"
HiveRecon(64/32).exe /CrashDump:c:\tmp\MEMORY.DMP /UseWindbg:1

#scan for compressed hive bins and decompress them
HiveRecon(64/32).exe /Decompress:c:\tmp\ActiveMemory.bin

Each time HiveRecon is run successfully, a subdirectory will be created in which the following files are created:

debug.log - Verbose output log with a summary.
Hives.csv - A listing of the identified hives.
Stable__XXX.hive - Exported hive with regf header and hbins related to it, as resolved through StableMap.
Stable__XXX.csv - Details about each entry (hbin) associated with a given hive from StableMap.
Volatile__XXX.hive - Exported hive with regf header and hbins related to it, as resolved through VolatileMap. Usually empty, and not a normal hive as such.
Volatile__XXX.csv - Details about each entry (hbin) associated with a given hive from VolatileMap.

Installing WinDbg
WinDbg can be installed standalone by using the Windows SDK. See https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger. HiveRecon assumes by default that the WinDbg installation path is;
For 32-bit workstations;
C:\Program Files\Windows Kits\10\Debuggers\x86\kd.exe
For 64-bit workstations;
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe

Alternatively, the option "/WinDbgPath:" can be used to specify a custom location for the WinDbg installation.

Symbol Access on Offline/Air-Gapped Workstations
If the HiveRecon workstation does not have Internet access, symbols can be downloaded and copied from another workstation with Internet access. You will need to copy the crash dump (whether originally a crash dump or converted from hibernation) to a removable storage device, attach it to another workstation, and run a command like this;

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe" -y srv*E:\symbols*https://msdl.microsoft.com/download/symbols -z E:\Files\memory.dmp -c "q"

The above command will open the crash dump in kd.exe and download the required symbols into E:\symbols. You can then attach the removable storage device to the HiveRecon workstation and copy the symbols into the HiveRecon program folder. (You can also download the symbols using another crash dump file of the same Windows version if you prefer.) Alternatively you can download the specific symbol file for the kernel in question using this command;

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe" /v E:\temp\ntoskrnl.exe /s srv*E:\symbols*http://msdl.microsoft.com/download/symbols 

The above command requires the "ntoskrnl.exe" file from the Windows build in question to be found in E:\temp.

More information about Arsenal Recon tools and training can be found at https://ArsenalRecon.com.

Copyright (C) 2012-2018 Arsenal Consulting, Inc. All rights reserved.

What does HbinRecon do?

HbinRecon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HbinRecon input include healthy Registry hives, fragmented hives, hive transaction logs, and unallocated space. HbinRecon is a surgical tool which is extremely useful in both testing and verification related to Registry data as well as uncovering valuable data not accessible using other methods.

What’s new in HbinRecon v1.0.0.35 Alpha?

HbinRecon v1.0.0.35 Alpha has added key path reconstruction (Mode 0 only), UserAssist hive bin hunting, a hive bin counter, and performance improvements.

Can you provide more details on HbinRecon’s functionality?

HbinRecon’s readme provides details about its functionality and we are happy to explain further!

Please read "Arsenal Recon - End User License Agreement.txt" carefully before using this software.

HbinRecon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HbinRecon input include healthy Registry hives, fragmented hives, hive transaction logs, and unallocated space. HbinRecon is a surgical tool which is extremely useful in both testing and verification related to Registry data as well as uncovering valuable data not accessible using other methods.

HbinRecon functionality will be incorporated into Registry Recon in the future. We are releasing HbinRecon as a stand-alone CLI-based tool now in order to get extremely powerful and unique functionality (used by Arsenal internally) in the hands of our customers more quickly. Please note that our primary goals with our CLI-based tools include accuracy and reliability, with performance being a secondary concern. In other words, in some circumstances you may want to go get a coffee (or go to sleep, coming back to your office refreshed for digital forensics!) while HbinRecon is running.

Arsenal recommends running HbinRecon in an elevated console so that output is sent to the current, rather than a background, console.

HbinRecon includes five fundamental modes of operation: 

Mode 0
Requires a healthy (intact) hive as input. A healthy hive includes a "regf" header and all its subsequent hive bins. Supports nk path resolution.

Mode 1
This is a scanning mode which can be used on any input. Input needs to be 8 byte aligned because records are 8 byte aligned anyway and to speed up parsing. Arsenal recommends carving hive bins with Mode 4 (and then parsing with Mode 2) if input is extremely large.

Mode 2
Similar to Mode 0, with the "regf" header requirement removed. This mode works best when you have a sequence of stacked hive bins produced by (for example) carving.

Mode 3
An experimental mode for transaction logs. Supports new version logs from Windows 8 and Windows 10 (we will soon support old logs from Windows 7).

Mode 4
Carving mode for carving hive bins out of any input. (For extremely large input, Arsenal recommends first carving hive bins with this mode and then parsing the carved hive bins with Mode 2.)

The records decoded are:

nk
vk
sk
lf
lh
li
ri
db
non-resident vk data

No vk values are interpreted after decoding and are simply displayed in binary as is, with the exception of string-based value types which are displayed as strings. All sk records are decoded in full.

Note, if nk path is prefixed with \?\ then the path (currently supported for Mode 0) could not be resolved.

Optional Syntax:

BuffSize
Can be used with Mode 1 to minimize corruption from false positives detected as non-resident data with large sizes. Defaults to /BuffSize:128 (all non-resident data above 128 bytes in size is skipped).

Separator
Customize a csv column separator. The default separator "|" may be a problem if, for example, the pipe character is in a vk name. You could use "||" though, or anything else that suits you better.

Verbose
Set the level of log verbosity. The default level is 0 which only log basic information. Level 1 will include dumping of non-resident data values to the log. Level 2 will also include much of the otherwise printed csv information.

CsvAll
Configure extra csv logging for debugging. Default is 0. If set to 1 then additional csv outputs are generated for sk basic and list records.

Examples:

#parse a healthy hive and skip dumping of non-resident data values.
HbinRecon(64/32).exe /RegFile:c:\tmp\SYSTEM /Mode:0

#parse the output of HiveRecon.
HbinRecon(64/32).exe /RegFile:c:\tmp\SYSTEM.hive /Mode:0

#parse a healthy hive and include dumping of non-resident data values.
HbinRecon(64/32).exe /RegFile:c:\tmp\SYSTEM /Mode:0 /Verbose:1

#scan an arbitrary binary chunk of data.
HbinRecon(64/32).exe /RegFile:c:\tmp\unknown.bin /Mode:1 /BuffSize:100

#scan a transaction log with mode 3 and dump all unresolved non-resident data into the log.
HbinRecon(64/32).exe /RegFile:c:\tmp\SYSTEM.LOG1 /Mode:3 /Verbose:1 /Separator:'||'

#carve hive bins out of unallocated space.
HbinRecon(64/32).exe /RegFile:c:\tmp\unallocated.bin /Mode:4

#scan a file containing carved hive bins and include debug level information into extra csv files.
HbinRecon(64/32).exe /RegFile:c:\tmp\hbin_carved.hbin /Mode:2 /BuffSize:4096 /CsvAll:1

Each time HbinRecon is run successfully (except Mode 4), the following files are created:

HbinRecon_XXX.csv - Decoded data from hive bins.
HbinRecon_XXX_BAM-Hunter.csv - Decode of all BAM entries.
HbinRecon_XXX_UserAssist-Hunter.csv - Decode of all UserAssist entries.
HbinRecon_XXX_nk.csv - Decode of all nk type records.
HbinRecon_XXX_vk.csv - Decode of all vk type records.
HbinRecon_XXX_sk_decode.csv - Decode of all sk type records.
HbinRecon_XXX.log - Log with summary.

More information about Arsenal Recon tools and training can be found at https://ArsenalRecon.com.

Copyright (C) 2012-2018 Arsenal Consulting, Inc. All rights reserved.

Where can you get HiveRecon and HbinRecon?

If you are interested in the latest versions of HiveRecon and HbinRecon, and have an existing Recon software subscription, contact us at info@ArsenalRecon.com.

 


 

Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!

Tags: