Arsenal's Surgical Tools

Dig harder, find more!

Additional Tools Included with an Arsenal Subscription

HBIN Recon HBIN Recon

HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files, compressed hive bins which can be found in swap files and elsewhere, hibernation slack (first processed by Hibernation Recon), file slack, and unallocated space. HBIN Recon is a surgical tool which is useful not only with testing and verification related to Registry data, but in uncovering valuable data not accessible using other methods - for example, HBIN Recon runs various “Hunter” modules during processing which extract/decode/decrypt BAM, SECURITY secrets and cache entries, Syscache, and UserAssist information within individual hive bins.

Hive Recon Hive Recon

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives from memory captures, provided they have already been converted to crash dump format. Hive Recon supports the extraction of volatile (in addition to stable) hives and incorporation of swap files from the same hibernation or crash dump session to extract even healthier Registry hives.

ODC Recon ODC Recon

ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC. Individual FSD files often contain not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. ODC Recon was built when Arsenal found no reliable methods to parse FSD files, which have been very valuable to our casework.

LevelDB Recon LevelDB Recon

LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated. In other words, LevelDB Recon has been designed for maximum exploitation of LevelDB files - ultimately revealing records missed by other methods. LevelDB Recon includes logic to help make sense of the chaos often found within LevelDB data - for example, logic that attempts to locate and decode (in a human-friendly manner) many different types of timestamps.

Arsenal’s Open Source Digital Forensics Tools

Backstage Parser is a Python tool that can be used to parse the contents of Microsoft Office files found in the “\BackstageinAppNavCache” path.


CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files to decode the cipher text and return the original plaintext that was captured by the Remote Access Trojan (RAT).


Gmail URL Decoder is a Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces.


NetWire Log Decoder is an AutoIt tool that carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire versions 1.6 and 1.7, on Windows and Linux, have been tested.


Sdba Parser is an AutoIt tool that carves and parses Sdba memory pool tags (produced by Windows 7) from any input file. Sdba memory pool tags contain executable file paths and NTFS last written timestamps (at time of execution).


NwStacks is an AutoIt tool that assists with NetWire stack analysis. This tool (and other information on its GitHub project) is associated with the article "Forensic Analysis of the NetWire Stack" in Digital Forensics Magazine Issue 52.


Pricing & Plans

Each of our subscription options includes access to all the Arsenal tools, both those that exist now and those we release while the subscription is active! Pick the subscription that works for you without the hassle of maintenance fees.

1 Year Plan
~ $63/mo | Save 3%
    • Email Support

    • Renew Annually

    • Locked-in Discount

3 Year Plan


~ $59/mo | Save 9%

5 Year Plan


~ $55/mo | Save 15%

Prices shown in USD and without tax.

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.