Registry Recon
 | |
|
Registry Recon UI showcasing six unique Windows Registries (associated with multiple installs of Windows over time) recovered from a single laptop. | |
| Developer(s) | Arsenal Recon |
|---|---|
| Initial release | October 2012 |
| Stable release |
2.10.0015
/ November 2014 |
| Development status | Active |
| Operating system | Microsoft Windows |
| Available in | English |
| Type | Computer Forensics |
| License | Proprietary |
| Website | http://ArsenalRecon.com/ |
Registry Recon is a computer forensics tool that allows users to see how Registries from both current and former installations of Microsoft Windows have changed over time. It was developed by Arsenal Recon, whose slogan is "Computer forensics tools by computer forensics experts." Registry Recon first extracts Registry information from a piece of evidence (disk image, properly mounted slave drive, etc.), whether that information was active, backed up in restore points or Volume Shadow Copies, or deleted. Registry Recon then rebuilds all the Registries represented by the extracted information. Registry Recon was the first (and is currently the only)[1] digital forensics tool to rebuild Registries from both active and previous installations of Windows. The product is named after the French word reconnaissance ("recognition"), the military concept of probing unfriendly territory for tactical information.
Overview
The Windows Registry is a core component of all modern versions of Microsoft Windows. It is a complex ecosystem, in database form, containing information related to hardware, software, and users which is useful to computer forensics practitioners. At a very basic level, the Registry is composed of "keys" and "values" which are similar in some ways to folders and files. The Registry is continually referenced during Windows operation so large volumes of Registry data can be found both on disk and in volatile memory. Registry Recon was designed to address two major shortcomings of existing computer forensics tools - seamlessly recovering as much Registry information as possible from a piece of evidence, and rebuilding it in such a way that the user is able to see how the Registry (or Registries) changed over time.
Capabilities
- Registry Rebuilding: Extracted Registry information is used to rebuild Registries ("Recon Registries") that have existed on a piece of evidence over time
- Recon View: Rebuilt Registries are visualized in a manner that allows the user to see unique values by default and all instances of those values if so desired
- Key History: Keys and their values can be viewed at particular points in time
- Recon Reports: Pre-built reports requested by the computer forensics community
- Windows Backup Support: Restore points and Volume Shadow Copies are parsed during evidence ingestion
- Registry Hive Carving: Registry hives (complete and partial) are carved and parsed from unallocated (a/k/a deleted) space during evidence ingestion
- Deleted Key Recovery: Deleted keys within hives (i.e. keys which are no longer known to their parent) are parsed during evidence ingestion
- Automatic Decoding: Obfuscated data, whether ROT13 encrypted and/or simply stored in binary form (e.g. UserAssist keys), is automatically decoded
Additional capabilities and improvements are planned, such as selective data parsing (as opposed to entire images / directories), more automated report features, live memory analysis, and improved search functions.[2] [3] [4] [5] [6]
See also
References
- ↑ NIST search for forensic tools by functionality, December 20, 2012
- ↑ review by Forensic Control, February 15, 2013
- ↑ CyberSpeak interview with Registry Recon developer February 18, 2013
- ↑ Law Journal Newsletters September 2013
- ↑ David Cowen interview with Registry Recon developer from 21:05 to 42:05, March 7, 2014
- ↑ David Cowen review of Registry Recon September 30, 2014