Registry Recon requires Microsoft Windows 7 or later, .NET 4, and the Visual C++ 2010 Redistributable Package (x86/x64).

The Registry is a complex ecosystem, in database form, containing information related to hardware, software, and users on computer systems running Microsoft Windows. At a very basic level, the Registry is composed of “keys” and “values” which are similar in some ways to folders and files. Analysis of this information reveals the names of recently accessed files when applications were last run, who attached removable storage devices, and much more. The Registry is continually referenced during Windows operation so large volumes of Registry data can always be found both on disk and in live memory.

Recon Registries are all the Registries rebuilt by Registry Recon. Recon View is our method of showing you all the values within them in a unique and historical fashion, with seamless access to all instances of those values if you so desire.

Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.

You can find sample evidence here, here, and here.

If a full set of hives (particularly System and Software) are available for any particular Registry, its Recon Registries name will include the system name, Windows version, and install date. If a System hive is available, but a Software hive is not, the name will include the system name and Machine Security ID (“MSID”). If a Software hive is available, but a System hive is not, the name will include the Windows version and install date. If both System and Software hives are missing, the name will simply include an MSID.

It’s important to keep in mind that in the context of computer forensics, “deleted” and “overwritten” are two very different things. Registry Recon is often very successful rebuilding Registries which have been deleted and only exist in unallocated (deleted) space. Registry Recon cannot however rebuild Registries if they have been overwritten – for example, if a data scrubbing tool has been used to overwrite unallocated space.

You can get the latest version of Registry Recon from our Downloads page.

If you want your air-gapped workstation properly licensed for Registry Recon, please:

• Open Registry Recon and enter the license code you were given

• Upon realizing that no Internet connection is available, Registry Recon will save a “.LIC” file to your ProgramData\ArsenalRecon folder

• On a workstation with Internet access, go to our Offline Activation page and upload the “.LIC” file.

• Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder

Your air-gapped workstation is now ready to run Registry Recon!

Certain computer forensics applications can interfere with physical drives being added as evidence to Registry Recon, so Arsenal recommends refraining from their use while Adding Evidence.

We are working on a large number of updates which include support for live memory captures, greatly improving searching, bookmarking, and reporting functionality, and performance tuning.