Arsenal's Surgical Tools

HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files, compressed hive bins which can be found in swap files and elsewhere, hibernation slack (first processed by Hibernation Recon), file slack, and unallocated space. HBIN Recon is a surgical tool which is useful not only with testing and verification related to Registry data, but in uncovering valuable data not accessible using other methods - for example, HBIN Recon runs various “Hunter” modules during processing which extract/decode/decrypt BAM, SECURITY secrets and cache entries, Syscache, and UserAssist information within individual hive bins.

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives from memory captures, provided they have already been converted to crash dump format. Hive Recon supports the extraction of volatile (in addition to stable) hives and incorporation of swap files from the same hibernation or crash dump session to extract even healthier Registry hives.

ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC. Individual FSD files often contain not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. ODC Recon was built when Arsenal found no reliable methods to parse FSD files, which have been very valuable to our casework.

LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated. In other words, LevelDB Recon has been designed for maximum exploitation of LevelDB files - ultimately revealing records missed by other methods. LevelDB Recon includes logic to help make sense of the chaos often found within LevelDB data - for example, logic that attempts to locate and decode (in a human-friendly manner) many different types of timestamps.