Dig harder, find more!
HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files, compressed hive bins (which can be found in swap files and elsewhere), hibernation slack (first processed by Hibernation Recon), file slack, and unallocated space. HBIN Recon is a surgical tool which is useful not only for testing and verification related to Registry data, but for uncovering valuable data not accessible using other methods. For example, HBIN Recon runs various “Hunter” modules during processing which extract, decode, and decrypt BAM, SECURITY secrets and cache entries, Syscache, and UserAssist information within individual hive bins.
Parsing hive bins carved from BloomCON 2021 CTF unallocated space
Parsing hive bins carved from Owl unallocated space
Sample Secrets Hunter output after parsing hive bins carved from Owl unallocated space
Carving hive bins from Owl hibernation slack
Parsing hive bins carved from Owl hibernation slack
Output files after parsing carved hive bins from Owl hibernation slack
Parsing hive bins from Owl hive transaction log
Carving hive bins from Owl swap file
Parsing hive bins within Owl TxR file
Parsing hive bins within NTUSER.DAT from Ali Hadi's challenge
UserAssist Hunter output after parsing hive bins within NTUSER.DAT from Ali Hadi's challenge
Parsing hive bins within SYSTEM hive from Champlain DFA CTF
BAM Hunter output after parsing hive bins within SYSTEM hive from Champlain DFA CTF
Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives from memory captures, provided they have already been converted to crash dump format. Hive Recon supports the extraction of volatile (in addition to stable) hives and incorporation of swap files from the same hibernation or crash dump session to extract even healthier Registry hives.
Extracting Registry hives from Owl hibernation
Output files after extracting Registry hives from Owl hibernation
Extracting Registry hives from Owl crash dump
Extracting Registry hives from Windows 10 v1909 hibernation
Extracting Registry hives from Windows 10 v1909 crash dump
Extracting Registry hives from SANS nfury hibernation
Extracting Registry hives from SANS nfury crash dump
ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC. Individual FSD files often contain not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. ODC Recon was built when Arsenal found no reliable methods to parse FSD files, which have proven very valuable in our casework.
Extracting ten document versions from a single FSD file
Output files after extracting ten document versions from a single FSD file
Comparing two document versions of ten extracted from a single FSD file
Extracting 58 documents and 200 document versions from 65 FSD files
Backstage Parser is a Python tool that can be used to parse the contents of Microsoft Office files found in the “\BackstageinAppNavCache” path.
CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files to decode the cipher text and return the original plaintext that was captured by the Remote Access Trojan (RAT).
Gmail URL Decoder is a Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces.
NetWire Log Decoder is an AutoIt tool that carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire versions 1.6 and 1.7, on Windows and Linux, have been tested.
Each of our subscription options includes access to all the Arsenal tools, both those that exist now and those we release while the subscription is active! Pick the subscription that works for you without the hassle of maintenance fees.
Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.