The Registry is a complex ecosystem, in database form, containing information related to hardware, software, and users on computer systems running Microsoft Windows. At a very basic level, the Registry is composed of “keys” and “values” which are similar in some ways to folders and files. Analysis of this information reveals the names of recently accessed files, when applications were last run, who attached removable storage devices, and much more. The Registry is continually referenced during Windows operation, so large volumes of Registry data can always be found both on disk and in live memory.
Recon Registries are all the Registries rebuilt by Registry Recon. Recon View is our method of showing you all the values within them in a unique and historical fashion, with seamless access to all instances of those values if you so desire.
If a full set of hives (particularly System and Software) are available for any particular Registry, its Recon Registries name will include the system name, Windows version, and install date. If a System hive is available, but a Software hive is not, the name will include the system name and Machine Security ID (“MSID”). If a Software hive is available, but a System hive is not, the name will include the Windows version and install date. If both System and Software hives are missing, the name will simply include an MSID.
It’s important to keep in mind that in the context of computer forensics, “deleted” and “overwritten” are two very different things. Registry Recon is often very successful rebuilding Registries which have been deleted and only exist in unallocated (deleted) space. Registry Recon cannot however rebuild Registries if they have been overwritten – for example, if a data scrubbing tool has been used to overwrite unallocated space.
You can get the latest version of Registry Recon from our Downloads page.
You only need an Internet connection for Registry Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.
If you want your air-gapped workstation properly licensed for Registry Recon, please:
Your air-gapped workstation is now ready to run Registry Recon!
Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.
Certain computer forensics applications can interfere with physical drives being added as evidence to Registry Recon, so Arsenal recommends refraining from their use while Adding Evidence.
We are working on a large number of updates which include support for live memory captures, greatly improving searching, bookmarking, and reporting functionality, and performance tuning.
Hibernation Recon requires Microsoft Windows 8 or later.
Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec”):
Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.
| Output file | Contents |
|---|---|
| ActiveMemory.bin | Active memory decompressed & reconstructed |
| DecompressedSlackLegacy.bin | All levels of slack (Legacy format) decompressed & placed in one output file |
| DecompressedSlackModern.bin | All levels of slack (Modern format) decompressed & placed in one output file |
| | Slack (Legacy format) decompressed & placed in multiple output files by slack level |
| | Slack (Modern format) decompressed & placed in multiple output files by slack level |
| RawSlackLegacy.bin | Raw slack (Legacy format) from all slack levels placed in one output file |
| RawSlackModern.bin | Raw slack (Modern format) from all slack levels placed in one output file |
| RawSlackChunks/RawSlackChunk_(Decimal Offset)_(Hex_Offset).bin | Raw slack placed in multiple output files by chunk |
| NonZeroAfterValidSlack.bin | Non-zero data after all valid levels of slack |
| AllSlack.bin | All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file |
| Indx_I30_Entries.csv | Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records |
| Indx_ObjIdO_Entries.csv | Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records |
| HibRec.log | Hibernation Recon log file |
You can load decompressed and reconstructed memory (ActiveMemory.bin) into your memory forensics toolkits and run your other tools against all the output from Hibernation Recon to extract many kinds of artifacts. We will begin adding artifact recovery to the next major version of Hibernation Recon.
You only need an Internet connection for Hibernation Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.
If you want your air-gapped workstation properly licensed for Hibernation Recon, please:
Your air-gapped workstation is now ready to run Hibernation Recon!
Hibernation Recon does not currently support the processing of BitLocker, TPM-impacted, or empty (yes, we had to say that!) hibernation files. If you find that Hibernation Recon has not processed your hibernation file, please determine whether BitLocker and/or TPM is in play and whether the file contains any significant volume of non-zero data. If you are still unsure why Hibernation Recon has not processed a particular hibernation file, please contact support and we will assist you.
Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry setting is enabled or after Windows 8/8.1 and 10 resume on SSDs.
Windows 8/8.1 and Windows 10 normally have “Fast Boot” or “Fast Startup” functionality (hereafter “Fast Boot”) enabled by default. A shutdown on a Fast Boot-enabled system writes kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in the background, and other user mode processes that do not belong to any specific user session to the hibernation file. Although all user sessions are logged out before this write to the hibernation file occurs, much more than kernel memory is captured. Of course, a “normal” or “complete” hibernation while a user is logged into Windows will result in much more data being written to the hibernation file.
Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contains Object IDs or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well.
NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file’s $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage’s The Meaning of LIFE document.
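As an added example (not Hibernation Recon's code), here is a Python decoder for the body of the NTFS $OBJECT_ID attribute in which Object IDs are stored: four 16-byte GUIDs in Windows little-endian field order (ObjectId, BirthVolumeId, BirthObjectId, DomainId). Where an Object ID happens to be a version-1 UUID it also recovers the embedded timestamp and MAC address; that decoding is a general UUID property rather than something the page states, and the sample record is constructed.

```python
"""Decode an NTFS $OBJECT_ID attribute body (four little-endian GUIDs) and,
for Object IDs that are version-1 UUIDs, recover the embedded timestamp
and node (MAC) address. Added example; the sample record is constructed."""
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 UUID timestamps count 100 ns intervals from 1582-10-15 UTC.
_UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
_FIELDS = ("object_id", "birth_volume_id", "birth_object_id", "domain_id")


def parse_object_id_attribute(body: bytes) -> dict:
    """Parse the resident body of a $OBJECT_ID attribute (16 or 64 bytes).
    GUIDs are stored in Windows little-endian field order, hence bytes_le."""
    if len(body) not in (16, 64):
        raise ValueError(f"unexpected $OBJECT_ID body length {len(body)}")
    guids = [uuid.UUID(bytes_le=body[i:i + 16]) for i in range(0, len(body), 16)]
    return dict(zip(_FIELDS, guids))


def decode_v1_uuid(u: uuid.UUID):
    """Return (UTC timestamp, MAC string) for a version-1 UUID, else None.
    Random (version-4) IDs carry no host clock or MAC information."""
    if u.version != 1:
        return None
    when = _UUID_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return when, mac


def make_v1_guid_le(when: datetime, node: int, clock_seq: int = 0) -> bytes:
    """Build a version-1 UUID for a chosen time and node, little-endian.
    Used here only to construct the sample record (integer math keeps it exact)."""
    delta = when - _UUID_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
              ((ticks >> 48) & 0x0FFF) | 0x1000,          # version 1
              0x80 | ((clock_seq >> 8) & 0x3F),            # RFC 4122 variant
              clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields).bytes_le


# Constructed sample: a v1 ObjectId, zero BirthVolumeId/DomainId, v4 BirthObjectId.
SAMPLE_WHEN = datetime(2020, 1, 1, 12, 30, 15, tzinfo=timezone.utc)
SAMPLE_NODE = 0x001122AABBCC
SAMPLE_BODY = (make_v1_guid_le(SAMPLE_WHEN, SAMPLE_NODE)
               + uuid.UUID(int=0).bytes_le
               + uuid.UUID("12345678-1234-4123-8123-123456789abc").bytes_le
               + uuid.UUID(int=0).bytes_le)
```

Feed it the raw content of a file's $OBJECT_ID attribute (or the 16-byte ObjectId alone) and compare the recovered timestamp against the file's $STANDARD_INFORMATION times when establishing a file's history.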
All subscription users are eligible for software updates for the duration of their subscription. Legacy license holders are eligible for updates for the duration of their SMS. We continue to work on more aggressive NTFS metadata recovery, hibernation carving and other features!
Many disk image mounting solutions mount the contents of images in Windows as shares or partitions (rather than complete disks), which limits their usefulness. Arsenal Image Mounter is the first and only open source solution for mounting the contents of disk images as complete disks in Windows. We have also developed functionality (see “Interesting Functionality” above) that is particularly useful to the digital forensics and incident response community.
Supported Operating Systems
Supported File Systems
Supported Image Formats
Arsenal Image Mounter passes the contents of disk images to Windows as if they were complete disks. Once Arsenal Image Mounter has passed the contents of disk images to Windows, the file system drivers you currently have installed take over. Arsenal Image Mounter does not do anything magic after passing the contents of disk images off to Windows. If you want to access protected files and folders after mounting the contents of disk images with Arsenal Image Mounter, you will need to use other tools designed to do so.
Yes – Arsenal Image Mounter CLI is a .NET 4.0 tool that provides most of Arsenal Image Mounter’s functionality. The command “AIM_CLI /?” displays basic syntax for using Arsenal Image Mounter CLI. We have also released Arsenal Image Mounter Low Level which does not use .NET and provides more “low level” access to the Arsenal Image Mounter driver. The command “AIM_LL /?” displays basic syntax for using Arsenal Image Mounter Low Level. You can find Arsenal Image Mounter CLI and Low Level on our GitHub page here.
If Arsenal Image Mounter has become a valuable part of your toolkit, please tell us about how you use it and any suggestions you may have. If your organization uses Arsenal Image Mounter in commercial ventures (consulting, training, etc.) we would greatly appreciate financial support which helps us offset the cost of development. If you or your organization have used Arsenal Image Mounter source code and/or APIs, please make sure you are complying with our licensing requirements.
This function essentially emulates the attachment of a USB thumb drive. We have heard that it facilitates the mounting of images containing partitions rather than disks, even though Arsenal Image Mounter was designed to mount disks specifically. Characteristics (and limitations) of using this function include:
• Windows will only identify and use the first partition on the image, even if the image contains more than one partition
• SAN policies such as requiring new devices to be mounted offline do not apply
• Drive letters are always assigned even if automatic drive letter assignment is turned off
• Windows identifies and uses file systems even for single-volume images that have no partition table
• Inability to interact with Volume Shadow Copies natively
Arsenal Image Mounter is distributed with x64 libewf DLLs that allow the vast majority of our users to mount EnCase images. If you need x86 or experimental (with EnCase Ex01 support) libewf DLLs, you can get them from our GitHub page here. The libewf DLLs should be placed in the same folder as the Arsenal Image Mounter executable.
You only need an Internet connection for Arsenal Image Mounter when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.
If you want your air-gapped workstation properly licensed for Arsenal Image Mounter, please:
Your air-gapped workstation is now ready to run Arsenal Image Mounter!
See Adam Bridge’s excellent blog post on modifying an NTFS volume’s Volume Boot Record (VBR) using Arsenal Image Mounter’s “Write temporary” mode here.
Yes – Arsenal Image Mounter provides both .NET and non-.NET APIs. You can find these APIs on our GitHub page here.
Arsenal Image Mounter’s Storport miniport driver is written in C and its user mode API library is written in VB.NET, which facilitates easy integration with .NET 4.0 applications.
Arsenal Image Mounter source code can be found on GitHub
We chose a dual-license for Arsenal Image Mounter (more specifically, Arsenal Image Mounter’s source code and APIs) to allow its royalty-free use by open source projects, but require financial support from commercial projects.
Arsenal Consulting, Inc. (d/b/a Arsenal Recon) retains the copyright to Arsenal Image Mounter, including the Arsenal Image Mounter source code and APIs, being made available under terms of the Affero General Public License v3. Arsenal Image Mounter source code and APIs may be used in projects that are licensed so as to be compatible with AGPL v3. If your project is not licensed under an AGPL v3 compatible license and you would like to use Arsenal Image Mounter source code and/or APIs, contact us to obtain alternative licensing.
Contributors to Arsenal Image Mounter must sign the Arsenal Contributor Agreement (“ACA”). The ACA gives Arsenal and the contributor joint copyright interests in the source code.