HbinRecon identifies and parses Windows® Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HbinRecon input include healthy Registry hives, fragmented hives, hive transaction logs, and unallocated space. HbinRecon is a surgical tool which is extremely useful in both testing and verification related to Registry data as well as uncovering valuable data not accessible using other methods.
HbinRecon functionality will be incorporated into Registry Recon in the future. Arsenal is releasing HbinRecon as a stand-alone CLI-based tool now in order to get extremely powerful and unique functionality (used by Arsenal internally) in the hands of customers more quickly. Please note that Arsenal’s primary goals with CLI-based tools include accuracy and reliability, with performance being a secondary concern. In other words, in some circumstances you may want to go get a coffee (or go to sleep, coming back to your workstation refreshed for digital forensics!) while HbinRecon is running.
Category: Arsenal Recon
Category URL: http://www.dfir.training/component/mtree/by-developer/arsenal-recon?Itemid=