Product Showcase Homepage

Products

Registry Recon

Registry Recon is not just another Registry parser. We developed powerful new methods to parse Registry data so that Registries which have existed on a Windows® system over time can be rebuilt, providing unique insight into how Registry data has changed over time. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel.

Hibernation Recon

Hibernation Recon not only supports active memory reconstruction from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files, but also extracts massive volumes of information from the multiple types (and levels) of slack space that often exist within them. Additional features of Hibernation Recon include the automatic recovery of valuable NTFS metadata and parallel processing of multiple hibernation files.

Arsenal Image Mounter

Arsenal Image Mounter mounts the contents of disk images as complete disks in Windows. Arsenal Image Mounter includes a virtual SCSI adapter (via a unique Storport miniport driver) which allows users to benefit from disk-specific features in Windows like integration with Disk Manager, access to Volume Shadow Copies, and more. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are “real” SCSI disks.

Registry Recon

One-Click Harvesting

Efficient collection of active, backed-up, and even deleted Windows Registry hives from forensic images

Registry Reconstruction

Automatic rebuilding of not only the active Registry, but Registries from previous Windows installations

Recon View

Harness the power of huge volumes of Registry information to see how Registries changed over time

Hibernation Recon

Active Memory

Reconstruction of active memory from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files

Hibernation Slack

Only tool that properly supports extraction of multiple types and levels of hibernation slack

NTFS Metadata

Automatic recovery of valuable NTFS metadata

Arsenal Image Mounter

Complete Mounting

Mount contents of disk images and virtual machines as complete or “real” disks on Windows

Forensic Features

Temporary write support, “fake” disk signatures, CLI version, and more

Volume Shadow Copies

Quickly mount all Volume Shadow Copies (VSCs) within a disk image

What people are saying about Arsenal Recon

  • Hibernation Recon allowed us to determine that remnants of a Skype chat involving child pornography existed in hiberfil.sys slack space (related to a previous hibernation) and to correct the date and time related to those remnants provided by another tool. Within the recovered chat the sender discussed not only possessing illegal material, but having over 70GB more to send, which was important to obtaining a search warrant.”

    — Torben Strand, Special Consultant, MSc, Danish National Police Cyber Crime Center (NC3)

    Torben Strand
  • Registry Recon helps cut through tedious work and recovers valuable information that is not available without burning enormous amounts of time.”

    — Dennis O’Connor, Senior Investigator, U.S. Department of Labor

    Dennis O’Connor
  • Registry Recon is a game changer. It allows an analyst to retrieve and work with valuable Registry data that would otherwise be lost or extremely difficult to recover.”

    — Sean Cavanaugh, Forensic Analyst

    Sean Cavanaugh
  • “Typically my experiences with new digital forensic tools don’t turn out well. Registry Recon is the exception to this rule. I was quickly able to determine that a system I was analyzing had been compromised a full 6 months earlier than anyone realized, based on information Registry Recon recovered from unallocated space. It’s safe to say that Registry Recon has become part of my analysis toolkit.”

    — Bill Spernow, Chief Forensic Advisor, Law & Forensics, Inc. and former Forensics and Incident Response Research Director with the Gartner Group, Inc.

    Bill Spernow
  • “With other tools, each Registry file has to be analyzed separately in a very time-consuming fashion. With Registry Recon, large numbers of Registry files from both allocated and unallocated space are merged into Recon Registries. I am now able to see how the Registry has changed over the life of both currently and previously installed operating systems.”

    — Stephen Swanson, President, Computer Forensic Services, LLC

    Stephen Swanson
  • “The sheer volume of Registry data that Registry Recon finds, and the methods used to visualize it, are astounding. We were able to analyze a nearly complete Registry from a previous installation of Windows that was over two years old.”

    — Ryan Maxwell, Director – Forensic West, DTI

    Ryan Maxwell
  • “I am thoroughly impressed with Registry Recon’s capabilities. Working in law enforcement, I can see how valuable it is to know how a suspect’s computer interacted with particular networks, documents, and storage devices over time.”

    — Sean Maloney, Trooper, Massachusetts State Police

    Sean Maloney
  • “The cost of Registry Recon is justified by the Recon Reports alone.  The pre-built USB Storage Devices report, for example, gives you historical information that no other computer forensics tool can.”  

    — Alex Gessen, Computer Forensics Investigator, eMag Solutions

    Alex Gessen
  • “I will tell you that (Registry Recon) did an amazing job, even after (Windows) re-install and slight use I was able to recover over a year’s worth of USB device connections… I managed to recover almost all the Registry activity I needed from a re-installed system to prove some findings thanks to Registry Recon.”

    — David Cowen – Hacking Exposed Computer Forensics Blog

    David Cowen
  • Hibernation Recon gives us the ability to quickly and accurately recover data from hibernation files missed by other tools. Output is very descriptive and helps us better understand the recovered data. Hibernation Recon will be finding a permanent place in our workflow.”

    — Peter Kohler, Esq., Digital Forensics and eDiscovery at Evidox Corporation

    Peter Kohler
  • Hibernation Recon has become DoD’s must-have tool for extracting digital artifacts from Windows hibernation files. Not only does Hibernation Recon properly reconstruct active memory for all versions of Windows when other tools fail, it is the only tool that extracts various types of “slack space”, which has yielded critical forensic artifacts for DoD’s foreign intelligence mission that could not have been obtained any other way.

    — United States Department of Defense

    US DOD
  • As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.

    — Peter Schneider, Software Development Engineer, Cascade Microtech

    Peter Schneider
See all
  • Hibernation Recon allowed us to determine that remnants of a Skype chat involving child pornography existed in hiberfil.sys slack space (related to a previous hibernation) and to correct the date and time related to those remnants provided by another tool. Within the recovered chat the sender discussed not only possessing illegal material, but having over 70GB more to send, which was important to obtaining a search warrant.”

    — Torben Strand, Special Consultant, MSc, Danish National Police Cyber Crime Center (NC3)

    Torben Strand
  • Registry Recon helps cut through tedious work and recovers valuable information that is not available without burning enormous amounts of time.”

    — Dennis O’Connor, Senior Investigator, U.S. Department of Labor

    Dennis O’Connor
  • Registry Recon is a game changer. It allows an analyst to retrieve and work with valuable Registry data that would otherwise be lost or extremely difficult to recover.”

    — Sean Cavanaugh, Forensic Analyst

    Sean Cavanaugh
  • “Typically my experiences with new digital forensic tools don’t turn out well. Registry Recon is the exception to this rule. I was quickly able to determine that a system I was analyzing had been compromised a full 6 months earlier than anyone realized, based on information Registry Recon recovered from unallocated space. It’s safe to say that Registry Recon has become part of my analysis toolkit.”

    — Bill Spernow, Chief Forensic Advisor, Law & Forensics, Inc. and former Forensics and Incident Response Research Director with the Gartner Group, Inc.

    Bill Spernow
  • “With other tools, each Registry file has to be analyzed separately in a very time-consuming fashion. With Registry Recon, large numbers of Registry files from both allocated and unallocated space are merged into Recon Registries. I am now able to see how the Registry has changed over the life of both currently and previously installed operating systems.”

    — Stephen Swanson, President, Computer Forensic Services, LLC

    Stephen Swanson
  • “The sheer volume of Registry data that Registry Recon finds, and the methods used to visualize it, are astounding. We were able to analyze a nearly complete Registry from a previous installation of Windows that was over two years old.”

    — Ryan Maxwell, Director – Forensic West, DTI

    Ryan Maxwell
  • “I am thoroughly impressed with Registry Recon’s capabilities. Working in law enforcement, I can see how valuable it is to know how a suspect’s computer interacted with particular networks, documents, and storage devices over time.”

    — Sean Maloney, Trooper, Massachusetts State Police

    Sean Maloney
  • “The cost of Registry Recon is justified by the Recon Reports alone.  The pre-built USB Storage Devices report, for example, gives you historical information that no other computer forensics tool can.”  

    — Alex Gessen, Computer Forensics Investigator, eMag Solutions

    Alex Gessen
  • “I will tell you that (Registry Recon) did an amazing job, even after (Windows) re-install and slight use I was able to recover over a year’s worth of USB device connections… I managed to recover almost all the Registry activity I needed from a re-installed system to prove some findings thanks to Registry Recon.”

    — David Cowen – Hacking Exposed Computer Forensics Blog

    David Cowen
  • Hibernation Recon gives us the ability to quickly and accurately recover data from hibernation files missed by other tools. Output is very descriptive and helps us better understand the recovered data. Hibernation Recon will be finding a permanent place in our workflow.”

    — Peter Kohler, Esq., Digital Forensics and eDiscovery at Evidox Corporation

    Peter Kohler
  • Hibernation Recon has become DoD’s must-have tool for extracting digital artifacts from Windows hibernation files. Not only does Hibernation Recon properly reconstruct active memory for all versions of Windows when other tools fail, it is the only tool that extracts various types of “slack space”, which has yielded critical forensic artifacts for DoD’s foreign intelligence mission that could not have been obtained any other way.

    — United States Department of Defense

    US DOD
  • As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.

    — Peter Schneider, Software Development Engineer, Cascade Microtech

    Peter Schneider
Close

Flexible pricing options

Each subscription includes access to all the Arsenal tools! Pick the subscription that works for you – without the hassle of maintenance fees.

1 Month

$49

Great for applying Arsenal’s tools on an important case, with zero commitment.
Email Support
Renew Anytime
Zero-Commitment

1 Year

$570.36

Perfect for investigators that need to purchase tools on an annual budget cycle.
Includes 3% Discount
Email Support
Renew Annually
Locked-in Pricing

3 Years

$1,605.24

Great for investigators who want to lock-in a low price long term.
Includes 9% Discount
Email Support
Renew Every 3 Years
Locked-in Pricing

5 Years

$2,499

Perfect for investigators who want to lock-in a low price for as long as possible and get the largest discount.
Includes 15% Discount
Email Support
Renew Every 5 Years
Locked-in Pricing

For additional plan options, contact sales.

You can extend or renew an existing license here.

If you need more assistance, follow our Extending/Renewing Arsenal Recon Subscriptions Guide

Please note: by selecting a subscription button above (or following the link to extend/renew an existing subscription) you will leave the ArsenalRecon.com website and be directed to our e-commerce partner Avangate, an authorized reseller of Arsenal Recon products.

Looking for the latest

versions of our tools?

Our Mission

To eliminate blind spots in digital forensics by exploiting electronic evidence in unique and powerful ways.

Team

Our team is led by Mark Spencer, whose philosophy is “Don’t settle for the easy way, strive for the right way.” We are computer forensics experts from Arsenal Consulting and world-class developers who live and breathe operating system internals. We are passionate about computer forensics and dedicated to the preservation and analysis of electronic evidence using the most powerful technologies available. In our quest to dig deeper, we got tired of waiting for solutions to meet our needs – So we began building our own.

Mark Spencer

Mark Spencer

President

Brian Gerdon

Computer Forensics Examiner

Emina Doherty

Computer Forensics Analyst

Olof Lagerkvist

Software Development

JoakimSchicht2

Joakim Schicht

Software Development

Get in touch with us

Sign up for the latest news and product info from Arsenal Recon

Join our mailing list to arm yourself with Arsenal Recon updates and tools! Our mailing list is double opt-in so you will need to check your email before receiving our mailing list or downloading our tools. Please note, for the purpose of downloading our tools, cookies are required for our website to remember you in the future.




Address:

22 Willow Street
Chelsea MA, 02150

Email:

info@ArsenalRecon.com