- Hibernation Recon
Look Back in Time: Advanced Microsoft Windows® Hibernation Forensics. The exploitation of Windows hibernation files to “look back in time” and uncover compelling evidence is crucial to digital forensics practitioners. Hibernation Recon not only supports active memory reconstruction from Windows XP, Vista, 7, 8/8.1, 10, and 11 hibernation files, […]
- Arsenal Image Mounter
Reliable. Powerful. Trusted. Easily launch virtual machines from disk images, and much, much more. Many Windows®-based disk image mounting solutions mount the contents of disk images as shares or partitions, rather than complete (aka “physical” or “real”) disks, which limits their usefulness to digital forensics practitioners and others. […]
- Registry Recon
Harness huge volumes of Registry information to see how Registries changed over time. Registry forensics has long been relegated to analyzing only readily accessible Windows® Registries, often one at a time, in a needlessly time-consuming and archaic way. Registry Recon is not just another Registry parser. Arsenal developed powerful new methods […]
- HBIN Recon
HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files, compressed hive bins which can be found in swap files and […]
- Hive Recon
Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives from memory captures, provided they have already been converted to crash […]
- ODC Recon
ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC. Individual FSD files often contain not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. ODC Recon was built when Arsenal found no reliable methods […]
- LevelDB Recon
LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated. In other words, LevelDB Recon has been designed for maximum exploitation of LevelDB files – ultimately revealing records missed by other methods. LevelDB Recon includes logic to help make sense of the […]
- Backstage Parser
Arsenal’s Backstage Parser is a Python tool that can be used to parse the contents of Microsoft Office files found in the “\Users\(User)\AppData\Local\Microsoft\Office\16.0\BackstageinAppNavCache” path. David Cowen from C-G Partners blogged in October 2018 (http://www.learndfir.com/2018/10/18/daily-blog-510-office-2016-backstage-artifacts/) about interesting information left behind by the use of Microsoft Office’s “Backstage” view. Arsenal’s Brian Gerdon found the Backstage […]
- Cybergate Log Decrypt
CyberGate Keylogger Decryption Tool: Arsenal’s CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files (either whole or in part, provided that the individual record is intact) to decode the cipher text and return the original plaintext that was captured by the RAT. Fragmented entries from the file […]
- Gmail URL Decoder
Gmail URL Decoder is an open source Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces. Usage: run with python3 (tested on version 3.6.7): usage: GmailURLDecoder.py [-h] […]
- NetWire Log Decoder
Intro: Arsenal’s NetWire Log Decoder carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire is a popular multi-platform remote access trojan (RAT) system. NetWire has surveillance functionality which stores keystrokes and other information from victims in log files known as “NetWire logs.” Arsenal has found valuable NetWire log […]
- Sdba Parser
Intro: Arsenal’s Sdba Parser carves and parses (hereafter, parses) Sdba memory pool tags (produced by Windows 7) from any input file. Sdba memory pool tags are related to Windows Application Compatibility Database functionality and seem to be generated each time a new executable (based on analysis of MFT record and sequence numbers) is run. Most […]
- NwStacks
Project for NetWire Stack Forensics. Please read the article “Forensic Analysis of the NetWire Stack” published in Digital Forensics Magazine Issue 52 (https://www.digitalforensicsmagazine.com) to understand this project. We have analyzed NetWire 1.7 on the following operating systems: Windows 7 32-bit, Windows 7 64-bit, Windows 8.1 64-bit, and Windows 10 64-bit. Content NwStacks A […]
Arsenal Recon