Products

Eliminate blind spots in digital forensics by exploiting electronic evidence in unique and powerful ways.

Arsenal Image Mounter

Many Windows®-based disk image mounting solutions mount the contents of disk images as shares or partitions, rather than “complete” (a/k/a “physical” or “real”) disks, which limits their usefulness to digital forensics practitioners and others. Arsenal Image Mounter mounts the contents of disk images as complete disks in Windows. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are real SCSI disks, allowing users to benefit from disk-specific features like integration with Disk Manager, access to Volume Shadow Copies, launching virtual machines, and more.

If AIM is run without a license, it will run in “Free Mode” and provide core functionality. If AIM is licensed, it will run in “Professional Mode” with full functionality enabled. Information for developers about the use of AIM’s source code and APIs can be found in our FAQ entry “Use and License.”

Hibernation Recon

The exploitation of Windows hibernation files to “look back in time” and uncover compelling evidence is crucial to digital forensics practitioners. Hibernation Recon not only supports active memory reconstruction from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files, but also extracts massive volumes of information from the multiple types (and levels) of slack space that often exist within them. Additional features of Hibernation Recon include the automatic recovery of valuable NTFS metadata and parallel processing of multiple hibernation files. Digital forensics practitioners can no longer afford to analyze electronic evidence without extracting maximum value from Windows hibernation files.

If Hibernation Recon is run without a license, it will run in “Free Mode” and provide core functionality. If Hibernation Recon is licensed, it will run in “Professional Mode” with full functionality enabled.

Registry Recon

Registry forensics has long been relegated to analyzing only readily accessible Windows Registries, often one at a time, in a needlessly time-consuming and archaic way. Registry Recon is not just another Registry parser. Arsenal developed powerful new methods to parse Registry data so that Registries which have existed on a Windows system over time can be rebuilt, providing unique insight into how Registry data has changed over time. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel.

HBIN Recon

HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, swap files, hibernation slack (first processed by Hibernation Recon), and unallocated space. HBIN Recon is a surgical tool which is extremely useful in both testing and verification related to Registry data, as well as uncovering valuable data not accessible using other methods.

Hive Recon

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives from memory captures, provided they have already been converted to crash dump format. Hive Recon supports the extraction of volatile (in addition to stable) hives, decompression of hive bins within compressed memory pages, and incorporation of swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.

Backstage Parser

Arsenal’s Backstage Parser is an open-source Python tool that parses the contents of Microsoft Office Backstage files. Backstage records have been very important in some Arsenal casework because references to relevant remote targets could not be recovered from anywhere else within forensic images.

CyberGate Log Decrypt

Arsenal’s CyberGate Log Decrypt is an open-source Python tool that can be used against CyberGate Remote Access Trojan (RAT) encrypted keylogger files (either whole or in part, provided that the individual record is intact) to decode the ciphertext and return the originally captured plaintext.
