What does HiveRecon do?
HiveRecon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. HiveRecon also extracts volatile hives and can incorporate swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.
Years ago when I was an adjunct professor teaching digital forensics at Bunker Hill Community College in Boston I very much appreciated both the free and discounted licenses provided by commercial software vendors. I am now working on having Arsenal formalize and publicize our practice of providing free software (beyond the “Free Mode” functionality offered in some of our tools) each semester to digital forensics programs at colleges and universities. […]
Colleagues in digital forensics, please ask yourselves – do you find Arsenal Image Mounter (“AIM”) useful? Could your consulting, training, or software/hardware organization use great karma and a boost in public relations? […]
A little curiosity can go a long way in digital forensics!
One of our recent cases involved an ongoing dispute between two executives who we’ll call Alice and Eve. Their dispute escalated when Alice returned after a day out of the office and noticed that her Gmail account was open on a shared computer they both used. Alice became suspicious that someone had accessed her Gmail account (she had forgotten to log out of it when she was last in the office) while she was gone. One of Alice’s coworkers told her that Eve had been using the shared computer on the day in question. Alice took a quick look at the Chrome web browser’s history, which seemed to confirm her suspicion — she saw activity which appeared to be related to her account while she was away. Alice reached out to her lawyer with her concerns, and her lawyer reached out to us.
August 9, 2018
How does exposing Windows Registry data you’ve never seen before sound to you?
We launched two new tools with powerful and unique functionality today – HiveRecon and HbinRecon. We are confident that our customers and colleagues, particularly those interested in the maximum exploitation of electronic evidence, will be pleased that we are yet again exposing valuable information that it has not previously been possible to expose.
Who in DFIR doesn’t like a good challenge?
We had a case recently in which modifications made to a Windows XP Registry, and the impact of those changes on the environment of a particular domain account, were quite important. Digital forensics practitioners on the other side of our case developed their findings on this issue by virtualizing a forensic image obtained from the computer and logging into it with a local account, rather than the domain account in question. Why?
After reading about how to manually analyze Quick Look data, we’re sharing with you a method to collect Quick Look data on a live macOS machine so you can test and validate cached data yourself!
Check out our walkthrough video and the steps that follow:
Arsenal Quick Look Cache Parsing Video
In our intellectual property theft investigations, our clients will often ask us about specific file names they care about, especially when data theft or destruction is suspected. Often these files are keys to the kingdom: proprietary engineering plans, customer lists, or confidential financial information.
We are very happy to launch a new version (v2.6.35) of Arsenal Image Mounter (AIM) today! You can get the latest version of AIM (and our other tools) here. We know how popular AIM has become in the digital forensics community (and beyond), so we are continuing to add more powerful functionality to both Free and Professional Modes.
I was asked to take a recent flurry of Tweets and turn them into an Insights post with more detail. So, here goes!
We have spent some time at Arsenal looking at particularly important Windows Registry keys which are sometimes only found, in their most recent state, within Fast Boot hibernation and/or Registry hive transaction logs. In other words, these are important Registry keys that you may not find in their most recent state within active hives. We focused on important keys because it makes the situation more relatable to our colleagues in digital forensics. In this Insights post, we are further focusing on the following key from the SOFTWARE hive:
Arsenal Image Mounter was born when we found existing disk image mounting technology lacking during the development of our premier digital forensics tool Registry Recon. Since we now have quite a bit of experience being in a position where a powerful disk image mounter would take our project to the next level, we offer the Arsenal Image Mounter source code and APIs to commercial projects with an appropriate license and to open source projects royalty free.
In late December 2017 I was alerted to someone looking for help to repair a damaged video from a dash cam, a video which may have captured a horrible accident.
Attendees Will Learn About Electronic Evidence Tampering that Evaded Detection by Digital Forensics Experts
Mark Spencer, President of Arsenal Consulting (ArsenalExperts.com) has been selected to open the OverDrive hacking conference in Spain with the most recent version of his award-winning presentation “High Stakes Evidence Tampering and the Failure of Digital Forensics” on April 18. The OverDrive conference is focused on enhancing the camaraderie of the worldwide hacker community by connecting people involved in many different aspects of computer security.
Why did we design the Windows hibernation infographic?
You can imagine how many emails we get about Windows hibernation files since we released Hibernation Recon. We noticed some misconceptions being repeated in these emails, so we decided to address them in an infographic that the digital forensics community could use as a resource and help us improve. We consider the infographic we are launching today to be the first version, as we already have more than enough interesting information to include on the reverse side of our second version.