
HiveRecon extracts Registry hives from Windows® hibernation and crash dump files, often recovering hives where other solutions have failed outright and recovering healthier (more intact) hives where other solutions have appeared to run successfully. HiveRecon can also extract hives from memory captures, provided they have already been converted to crash dump format. HiveRecon supports the extraction of volatile (in addition to stable) hives, decompression of hive bins located within compressed memory pages, and incorporation of swap files from the same hibernation session, which yields even healthier Registry hives than a hibernation file alone.
HiveRecon functionality will be incorporated into both Hibernation Recon and Registry Recon in the future. Arsenal is releasing HiveRecon as a stand-alone CLI-based tool now in order to get extremely powerful and unique functionality (used by Arsenal internally) in the hands of customers more quickly. Please note that Arsenal’s primary goals with CLI-based tools include accuracy and reliability, with performance being a secondary concern. In other words, in some circumstances you may want to go get a coffee (or go to sleep, coming back to your workstation refreshed for digital forensics!) while HiveRecon is running.
Category: Arsenal Recon