Registry Recon

Reviewed by Cheryl A. Purdy, MBA, A+, CCNA, CCAI, ACE, AME

Executive Summary

Registry Recon, developed by Arsenal Recon, is a powerful computer forensics tool used to extract, recover, and parse registry data from Windows systems. Manually scouring Windows Registry files is extremely time consuming and leaves gaping holes in the ability to recover critical information. What makes this tool superior to others is its capability to examine registry files not only from the current installation of a Windows operating system, but from former installations as well. In addition, this application can be used to quickly and efficiently determine which external devices have been connected to the computer. The company’s slogan is, “Computer forensics tools by computer forensics experts.” This tool certainly affirms the slogan!

Installation

For the most part, the installation of the product was straightforward. However, installation requires the Microsoft Visual C++ 2010 Redistributable and .NET Framework 4 packages. As shown in Figure 1, you may already have multiple versions of the Redistributable package installed, but each version ships with a different set of libraries, so the 2010 version is needed specifically.

I already had the Visual C++ Redistributable for Visual Studio 2005, 2013, and 2015 packages installed on my Windows 10 machine.

Microsoft Visual C++ is an integrated development environment (IDE) often used in the development of software for Windows operating systems. Quite often when new software is coded, the programmers will make use of a number of the standard libraries included in the Redistributable and .NET packages.

These libraries contain common code that has already been written and tested by Microsoft. Many times the Redistributable package is included within the installation files/steps of the software package. That was not the case here. I had to download and install the Visual C++ Redistributable 2010 package prior to installation of Registry Recon. Just a tiny snag!

What is the Windows Registry?

The Windows Registry is a central repository that stores numerous configuration settings in the Windows operating system. The Registry stores settings for software, hardware, users, the operating system configuration, and much more. The Registry is organized in a hierarchical structure of subtrees, keys, subkeys, and entries. The five root keys are called the “HKEYs”.

Registry “hives” are backed by a set of files that are stored in the Windows\System32\Config folder (SAM, SYSTEM, SECURITY, SOFTWARE, and DEFAULT) or in each user’s profile folder under Users\username (NTUSER.DAT). Forensic examiners can glean a wealth of information from these registry files, including: system configuration; devices attached to the system; users; personal settings and browser preferences; network locations; web browsing activity; programs executed; passwords; and much, much more!

Product Features and Capabilities

Now that we’ve completed a lesson on the Windows registry in general, let’s look at the capabilities of Registry Recon. In short, Registry Recon features:

– Resurrection of Windows Registries from previous installations
– Access to deleted Registry data
– Unique keys and values shown in historical fashion
– Access to all instances of keys and values
– Restore point and volume shadow copy support
– View keys (and their values) at particular points in time

Registry Recon aggressively searches for registry data (whether active, backed up, or even deleted) and reconstructs and parses data into a useful format, even showing how the registries from current and former installations have changed over time.

This software was developed with three primary goals. The first priority was to seamlessly harvest as many hives as possible from a piece of evidence to lay a solid foundation for processing and analysis. The second involved “Hive Association” and Registry rebuilding, and the third goal was the development of technologies to facilitate the analysis of the large numbers of hives.

Registry Recon is not just another Registry parser. It uses new methods to parse Registry data, rather than relying on Microsoft APIs, so that Registries which have existed on a Windows system over time can be viewed.

Examining Evidence

In order to add evidence to the case, go to the Evidence menu and select Add and Mount Forensic Image. Select the type of image to be added. Registry Recon supports EnCase (.E01), raw disk images (.dd), and a variety of virtual hard drive images, including .vhd, .vdi, and .vmdk. Once you have selected your image, click the Open button. The image is now mounted and highlighted. Click Add, give the evidence a name, and click OK to proceed. Your mounted evidence will be ingested. In addition to mounting a full image, the contents of a directory containing previously exported registry files can be added.

Once the import of the mounted image is complete, click Proceed.

You may see a complete view of the log file (Figure 4) by either selecting Show Details, or navigating to the output folder and opening the output.log file.

In order to present a fair review of this product, I examined registries from multiple Windows operating systems, including a virtual machine. These included Windows 7 Professional, Windows 10, a .vdi virtual machine loaded with Windows 8.1, and the culminating project I assign my students in the Computer Forensics course I teach. The Windows 7 machine was reimaged to install the Windows 10 operating system.

As shown in Figure 5, the default view includes the Recon Registries pane, Key History pane, and the Recon View pane. First, the Recon Registries pane contains the name I assigned to each of the images I mounted in the beginning. Upon expanding these, each of the registry keys associated with this particular image are given. The Key History pane shows the occurrences of the keys selected in the Recon Registries pane. And, last, the contents of the Recon View pane are populated based on the user selection(s) in the other two panes.

Upon expanding the mounted image located in the Recon Registries pane, the first thing you will see is information about the system, or in this case, systems, being examined. In Figure 6 below you can see a Windows 8.1 Pro operating system, next a Windows 7 Professional system, and last a Windows 10 Education system.

Let’s talk about the Windows 10 system for a minute… This computer was purchased with a Windows 7 Professional operating system, so I anticipated two systems in this view. What I did not anticipate was the other two systems. These two systems are forensics images, including registry files, I use in teaching my digital forensics courses. The ability of Registry Recon to scour an entire image for registry files is what makes this software uniquely superior to other registry forensic tools!

As seen below in Figure 7, by further expanding each entry, you will see the available HKEYs, along with the registry files SAM, SECURITY, SOFTWARE and SYSTEM. Notice in the Unassociated Hives, the HKEYs are coded in red. In the Recon Registries pane, values flagged in red were not found in the active Windows installation(s).

When navigating through the data, selecting a registry item in the left pane auto-populates the other two panes. Notice that the Key History pane is now populated, as is the Recon View pane.

The values populated in these two panes can be further expanded by clicking on the arrow pointing to the right, as shown below in Figure 9.

Any key can be bookmarked, with or without children, and any key can be exported as well. Exports are provided in a .csv format.

One of my favorite features is the set of default Recon Report categories. I have completed numerous examinations in which I needed to know which external storage devices had been attached to the system under examination. Of course, one way to determine this, as shown in Figure 12, is to navigate the registry by hand: locate the System registry file in the HKEY_LOCAL_MACHINE branch, descend to the appropriate ControlSet, then to DeviceClasses, and examine each subtree individually. This can be quite time consuming. In addition to viewing this information from within Registry Recon, it can also be exported into an Excel file.
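To make the manual walk above concrete, and to tie it back to the hive files described in the “What is the Windows Registry?” section, here is an added PowerShell example. It is not part of the review and not Arsenal Recon’s code: it loads a SYSTEM hive that was exported from an evidence image under a temporary key (so the examiner’s own registry is never read), resolves which ControlSet was active from the Select key, and then lists USB mass-storage devices from both Enum\USBSTOR and the disk-class DeviceClasses subtree the review walks by hand. The file paths and the mount name ReconSYS are constructed assumptions; the disk device-interface class GUID is the standard GUID_DEVINTERFACE_DISK value.

```powershell
# Added example (not from the review or Registry Recon): triage USB storage
# history from an exported SYSTEM hive. Requires an elevated PowerShell on Windows.
$HivePath = 'C:\Evidence\exported\SYSTEM'   # constructed: hive exported from the image
$OutCsv   = 'C:\Evidence\usb_storage.csv'   # constructed: where the report is written
$MountKey = 'ReconSYS'                      # constructed: temporary key under HKLM

# Disk device-interface class (GUID_DEVINTERFACE_DISK), i.e. the DeviceClasses
# subtree examined in the manual procedure above.
$DiskClass = '{53f56307-b6bf-11d0-94f2-00a03ec1ab0b}'

& reg.exe load "HKLM\$MountKey" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe could not load $HivePath" }

try {
    # An offline hive has no CurrentControlSet link; Select\Current records the
    # control set that was active on the evidence system.
    $current = (Get-ItemProperty "HKLM:\$MountKey\Select" -Name Current).Current
    $cs = 'HKLM:\{0}\ControlSet{1:D3}' -f $MountKey, $current

    $rows = @()

    # 1) Enum\USBSTOR: one key per device model, one subkey per serial number.
    foreach ($model in Get-ChildItem "$cs\Enum\USBSTOR" -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem $model.PSPath) {
            $p = Get-ItemProperty $inst.PSPath
            $rows += [pscustomobject]@{
                Source       = 'Enum\USBSTOR'
                Model        = $model.PSChildName
                SerialNumber = $inst.PSChildName
                FriendlyName = $p.FriendlyName
            }
        }
    }

    # 2) Control\DeviceClasses\{disk}: each subkey name embeds the device instance
    #    path with '\' replaced by '#', e.g. ##?#USBSTOR#Disk&Ven_X&Prod_Y#SERIAL&0#{guid}.
    #    These entries can outlive the Enum\USBSTOR key, so both sources are reported.
    $classPath = "$cs\Control\DeviceClasses\$DiskClass"
    foreach ($iface in Get-ChildItem $classPath -ErrorAction SilentlyContinue) {
        $parts = $iface.PSChildName -split '#'
        $i = [array]::IndexOf($parts, 'USBSTOR')
        if ($i -ge 0 -and $parts.Count -gt $i + 2) {
            $rows += [pscustomobject]@{
                Source       = 'DeviceClasses'
                Model        = $parts[$i + 1]
                SerialNumber = $parts[$i + 2]
                FriendlyName = $null
            }
        }
    }

    $rows | Sort-Object Source, Model, SerialNumber | Format-Table -AutoSize
    $rows | Export-Csv -Path $OutCsv -NoTypeInformation
}
finally {
    # Release the registry provider's handles first; otherwise unload reports access denied.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountKey" | Out-Null
}
```

This gives the “which devices” answer the review is after, but not the “when”: the PowerShell registry provider does not expose key last-write timestamps, and an exported hive carries none of the deleted or historical entries that Registry Recon’s Key History pane reconstructs. It is a useful cross-check against the USB Storage Devices report, not a substitute for it.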

However, embedded into this software is a default report category for USB Storage Devices that GREATLY simplifies this job!

After selecting USB Storage Devices and Preview, you are provided a listing of available systems to choose from.

After selecting the system and clicking submit, Registry Recon generates a very nice report, which can then be printed, or exported into a number of different formats.

Network forensics has become increasingly important in the corporate world. This software application provides a very nice layout for determining the TCP/IP addresses assigned to the system and the network locations at which the user may have used a laptop computer.

In Conclusion

In closing, in a review such as this, it’s impossible to highlight every feature of an application, but the primary features have been discussed here. Although there are numerous capabilities that make this product outstanding, the number one feature of Registry Recon that makes it a premier piece of software is its ability to retrieve registry data from previous installations, or even, in this case, registry data from a forensic image stored on a hard drive with an active operating system. A close second is the ability to quickly obtain a report of USB devices that have been connected to the system.

Arsenal Recon has priced Registry Recon at a competitive price of $599, and I believe it’s well worth the price.

About The Company

The philosophy of president Mark Spencer is “Don’t settle for the easy way, strive for the right way.” Arsenal Recon employs “world-class” developers who, in their quest to dig deeper, got tired of waiting for solutions to meet their needs – so they developed their own.

We have recently started setting up resellers as we prepare to launch new products. The latest list of resellers can be found at ArsenalRecon.com/resellers. For potential customers in territories not yet represented by resellers (which includes the US and UK), our products can be purchased online via a link at the bottom of our Resellers page. We are confident that once digital forensics practitioners experience how unique and powerful Registry Recon is, they will be quite excited by what we are about to launch!

About The Reviewer

Cheryl Purdy is full-time CIT faculty at Owensboro Community and Technical College in Owensboro, KY. Her specialties include Network Administration, Information Security, and Digital Forensics. In addition, she is a sworn deputy with Daviess County Sheriff’s Department where she is a digital forensic examiner. And she is on loan one day each week from the college to Owensboro Police Department for digital forensic examinations. She holds a bachelor’s degree in Mathematics and an MBA with emphasis in Computer Information Systems. She is CompTIA A+ Certified, holds Cisco CCNA and CCAI certifications and is an AccessData Certified Examiner (ACE) and an AccessData Mobile Examiner (AME).
