Supriya Ghosh (Editor)

Registry Recon

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit
Developer(s)
  
Arsenal Recon

Operating system
  
Microsoft Windows

Development status
  
Active

Available in
  
English

Initial release
  
October 2012; 4 years ago (October 2012)

Stable release
  
2.10.0015 / November 2014; 2 years ago (November 2014)

Registry Recon is a computer forensics tool that allows users to see how Registries from both current and former installations of Microsoft Windows have changed over time. It was developed by Arsenal Recon, whose slogan is "Computer forensics tools by computer forensics experts." Registry Recon first extracts Registry information from a piece of evidence (disk image, properly mounted slave drive, etc.), whether that information was active, backed up in restore points or Volume Shadow Copies, or deleted. Registry Recon then rebuilds all the Registries represented by the extracted information. Registry Recon was the first (and is currently the only) digital forensics tool to rebuild Registries from both active and previous installations of Windows. The product is named after the French word reconnaissance ("recognition"), the military concept of probing unfriendly territory for tactical information.

Contents

Overview

The Windows Registry is a core component of all modern versions of Microsoft Windows. It is a complex ecosystem, in database form, containing information related to hardware, software, and users which is useful to computer forensics practitioners. At a very basic level, the Registry is composed of "keys" and "values" which are similar in some ways to folders and files. The Registry is continually referenced during Windows operation so large volumes of Registry data can be found both on disk and in volatile memory. Registry Recon was designed to address two major shortcomings of existing computer forensics tools - seamlessly recovering as much Registry information as possible from a piece of evidence, and rebuilding it in such a way that the user is able to see how the Registry (or Registries) changed over time.

Capabilities

  • Registry Rebuilding: Extracted Registry information is used to rebuild Registries ("Recon Registries") that have existed on a piece of evidence over time
  • Recon View: Rebuilt Registries are visualized in a manner that allows the user to see unique values by default and all instances of those values if so desired
  • Key History: Keys and their values can be viewed at particular points in time
  • Recon Reports: Pre-built reports requested by the computer forensics community
  • Windows Backup Support: Restore points and Volume Shadow Copies are parsed during evidence ingestion
  • Registry Hive Carving: Registry hives (complete and partial) are carved and parsed from unallocated (a/k/a deleted) space during evidence ingestion
  • Deleted Key Recovery: Deleted keys within hives (i.e. keys which are no longer known to their parent) are parsed during evidence ingestion
  • Automatic Decoding: Obfuscated data, whether ROT13 encrypted and/or simply stored in binary form (e.g. UserAssist keys), is automatically decoded

    • Additional capabilities and improvements are planned, such as selective data parsing (as opposed to entire images / directories), more automated report features, live memory analysis, and improved search functions.

    References

    Registry Recon Wikipedia
    (Text) CC BY-SA