Arsenal's Surgical Tools

Dig harder, find more!

Additional Tools Included with an Arsenal Subscription

HBIN Recon

HBIN Recon identifies and parses Windows Registry hive bins (hbins) and loose hive bin records from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files, and hive bins and loose hive bin records already carved by HBIN Recon's Mode 4 from swap (both as-is and brute-force decompressed), hibernation and hibernation slack (first processed by Hibernation Recon), memory dumps (for complete memory dumps you may also want to leverage Hive Recon), file slack, and unallocated space. HBIN Recon is a surgical tool which is useful not only with testing and verification related to Registry data, but in uncovering valuable data not accessible using other methods - for example, HBIN Recon runs various “Hunter” modules during processing which extract/decode/decrypt BAM, SECURITY secrets and cache entries, Syscache, UserAssist, MACs (BSSIDs!), and scheduled task information within individual hive bins and loose hive bin records.


Hive Recon

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives from memory captures, provided they have already been converted to crash dump format. Hive Recon supports the extraction of volatile (in addition to stable) hives and incorporation of swap files from the same hibernation or crash dump session to extract even healthier Registry hives.


ODC Recon

ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC. Individual FSD files often contain not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. ODC Recon was built when Arsenal found no reliable methods to parse FSD files, which have been very valuable to our casework.


LevelDB Recon

LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated. In other words, LevelDB Recon has been designed for maximum exploitation of LevelDB files - ultimately revealing records missed by other methods. LevelDB Recon includes logic to help make sense of the chaos often found within LevelDB data - for example, logic that attempts to locate and decode (in a human-friendly manner) many different types of timestamps.


Swap Recon

Swap Recon performs brute-force decompression of Windows 10 and 11 swap (e.g. pagefile.sys and swapfile.sys). Swap Recon was built when we could not find any tools or techniques to decompress modern Windows swap both comprehensively and usefully in one of our highest-stakes cases. Please note that Swap Recon processing is extremely computationally intensive, and we recommend running it on the most powerful hardware available to you - ideally on Amazon EC2 (Elastic Compute Cloud).

[Figure: Swap Recon run against a sample swap chunk from the Defcon DFIR CTF 2019]

Arsenal’s Open Source Digital Forensics Tools

Backstage Parser is a Python tool that can be used to parse the contents of Microsoft Office files found in the “\BackstageinAppNavCache” path.

CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files to decode the cipher text and return the original plaintext that was captured by the Remote Access Trojan (RAT).

Gmail URL Decoder is a Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces.

NetWire Log Decoder is an AutoIt tool that carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire versions 1.6 and 1.7, on Windows and Linux, have been tested.

Sdba Parser is an AutoIt tool that carves and parses Sdba memory pool tags (produced by Windows 7) from any input file. Sdba memory pool tags contain executable file paths and NTFS last written timestamps (at time of execution).

NwStacks is an AutoIt tool that assists with NetWire stack analysis. This tool (and other information on its GitHub project) is associated with the article "Forensic Analysis of the NetWire Stack" in Digital Forensics Magazine Issue 52.

Pricing & Plans

Each of our subscription options includes access to all the Arsenal tools, both those that exist now and those we release while the subscription is active! Pick the subscription that works for you without the hassle of maintenance fees.

1 Year Plan
$756
~ $63/mo | Save 3%
    • Email Support
    • Purchase Annually
    • Locked-in Discount

3 Year Plan
$2,129
~ $59/mo | Save 9%

5 Year Plan
$3,315
~ $55/mo | Save 15%

Prices shown in USD and without tax.

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.