
User:Bgs876/sandbox: Difference between revisions

From Wikipedia, the free encyclopedia
Bgs876 (talk | contribs)
misc. grammar, added a link
Bgs876 (talk | contribs)
date of latest version
Line 12: Line 12:
| released = {{start date and age|October 2012}}
| released = {{start date and age|October 2012}}
| discontinued =
| discontinued =
| latest release version = 2.0.0.0393
| latest release version = 2.0.0.0530
| latest release date = {{Start date and age|November 2012}}
| latest release date = {{Start date and age|January 2013}}
| latest preview version =
| latest preview version =
| latest preview date = <!-- {{Start date and age|YYYY|MM|DD|df=yes/no}} -->
| latest preview date = <!-- {{Start date and age|YYYY|MM|DD|df=yes/no}} -->
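Review bot: the edit summary "date of latest version" describes only half of this change: the `latest release version` line also moves from 2.0.0.0393 to 2.0.0.0530, alongside the `latest release date` moving from November 2012 to January 2013, and neither new value comes with a citation (the References section of this revision still holds the placeholder "Reviews, press releases?"). Add a source for the 2.0.0.0530 / January 2013 release and mention the version bump in the summary.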

Revision as of 17:59, 25 January 2013

Registry Recon
Original author(s): Arsenal Recon
Initial release: October 2012
Stable release: 2.0.0.0530 / January 2013
Operating system: Microsoft Windows
Available in: English
Type: Computer Forensics
License: Proprietary
Website: http://ArsenalRecon.com/

Registry Recon is a computer forensics tool that allows users to see how Registries from both current and former installations of Microsoft Windows have changed over time. It was developed by Arsenal Recon, whose slogan is "Computer forensics tools by computer forensics experts." Registry Recon first extracts Registry information from a piece of evidence (disk image, properly mounted slave drive, etc.), whether that information was active, backed up in restore points or Volume Shadow Copies, or deleted. Registry Recon then rebuilds all the Registries represented by the extracted information. The product is named after the French word reconnaissance ("recognition"), the military concept of probing unfriendly territory for tactical information.

Overview

The Windows Registry is a core component of all modern versions of Microsoft Windows. It is a complex ecosystem, in database form, containing information related to hardware, software, and users that is useful to computer forensics practitioners. At a very basic level, the Registry is composed of "keys" and "values", which are similar in some ways to folders and files. The Registry is continually referenced during Windows operation, so large volumes of Registry data can be found both on disk and in volatile memory. Registry Recon was designed to address two major shortcomings of existing computer forensics tools: seamlessly recovering as much Registry information as possible from a piece of evidence, and rebuilding it in such a way that the user is able to see how the Registry (or Registries) changed over time.

Capabilities

  • Registry Rebuilding: Extracted Registry information is used to rebuild Registries ("Recon Registries") that have existed on a piece of evidence over time
  • Recon View: Rebuilt Registries are visualized in a manner that allows the user to see unique values by default and all instances of those values if so desired
  • Key History: Keys and their values can be viewed at particular points in time
  • Recon Reports: Pre-built reports requested by the computer forensics community
  • Windows Backup Support: Restore points and Volume Shadow Copies are parsed during evidence ingestion
  • Registry Hive Carving: Registry hives (complete and partial) are carved and parsed from unallocated (a/k/a deleted) space during evidence ingestion
  • Deleted Key and Value Recovery: Deleted keys and values within hives (i.e. keys and values which are no longer known to their parent) are parsed during evidence ingestion
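The hive carving described under "Registry Hive Carving" above, as an added example that is not Registry Recon's own code: it scans a byte buffer standing in for unallocated space for `regf` base blocks, validates the header checksum so that stray "regf" strings are rejected, and reads the sequence numbers (a mismatch marks a hive caught mid-write) and last-written timestamp from each genuine hit. The buffer, the `build_base_block` helper and the hive names are constructed for this demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone
REGF_MAGIC = b"regf"  # signature at offset 0 of every Windows registry hive base block
BASE_BLOCK = 0x200    # the base block (hive file header) is 512 bytes

def regf_checksum(block: bytes) -> int:
    """XOR of the first 0x1FC bytes as little-endian DWORDs; Windows stores it at 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        csum ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)  # reserved results are remapped

def filetime_to_datetime(ft: int):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC; None if the value cannot be a date."""
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    except OverflowError:  # carved garbage routinely decodes to impossible timestamps
        return None

def parse_base_block(block: bytes) -> dict:
    """Decode the fields a carver needs to decide whether a hit is a plausible hive."""
    primary, secondary, ft, major, minor = struct.unpack_from("<IIQII", block, 4)
    name = block[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"name": name, "version": f"{major}.{minor}", "last_written": filetime_to_datetime(ft),
            "checksum_ok": struct.unpack_from("<I", block, 0x1FC)[0] == regf_checksum(block),
            "dirty": primary != secondary}  # sequence mismatch: hive was mid-write when captured

def carve_hive_headers(data: bytes) -> list:
    """Scan raw bytes (e.g. unallocated clusters) for base blocks; keep checksum-valid hits."""
    hits, pos = [], data.find(REGF_MAGIC)
    while pos != -1:
        block = data[pos:pos + BASE_BLOCK]
        if len(block) == BASE_BLOCK:
            info = parse_base_block(block)
            if info["checksum_ok"]:  # drops stray "regf" strings that are not hives
                hits.append({"offset": pos, **info})
        pos = data.find(REGF_MAGIC, pos + 1)
    return hits

def build_base_block(name: str, primary: int, secondary: int, ft: int) -> bytes:
    """Constructed sample data: a minimal, checksum-valid base block (not a real hive)."""
    hdr = bytearray(BASE_BLOCK)
    struct.pack_into("<4sIIQII", hdr, 0, REGF_MAGIC, primary, secondary, ft, 1, 5)
    hdr[0x30:0x30 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)

# Constructed "unallocated space": a clean hive header, a dirty one, and a false positive.
UNIX_EPOCH_FT = 116444736000000000  # FILETIME of 1970-01-01 00:00:00 UTC
SAMPLE = (b"\x00" * 700 + build_base_block("SYSTEM", 5, 5, UNIX_EPOCH_FT) + b"\xff" * 33
          + build_base_block("SOFTWARE", 8, 7, UNIX_EPOCH_FT + 864_000_000_000)  # one day later
          + b"regfoo is not a hive" + b"\x00" * 600)
```

Running `carve_hive_headers(SAMPLE)` returns the two constructed headers (the second flagged dirty) and silently discards the "regfoo" false positive, whose stored checksum cannot match.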

See also

References

Reviews, press releases?

Category:Computer forensics Category:Digital forensics software