HBIN Recon


HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files, compressed hive bins (which can be found in swap files and elsewhere), hibernation slack (first processed by Hibernation Recon), file slack, and unallocated space. HBIN Recon is a surgical tool that is useful not only for testing and verification of Registry data, but also for uncovering valuable data not accessible using other methods. For example, HBIN Recon runs various “Hunter” modules during processing which extract, decode, or decrypt BAM, SECURITY secrets and cache entries, Syscache, and UserAssist information within individual hive bins.
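To make the idea of finding hive bins in arbitrary input concrete, the following is an added example, not HBIN Recon's own code: a minimal carver that scans a buffer for hive bin headers and rejects signature collisions. It assumes the publicly documented 32-byte hbin header layout (the page does not describe it) and sector-aligned, uncompressed bins; the function names and the sample buffer are constructed for illustration.

```python
import struct

HBIN_SIG = b"hbin"
# signature, offset from first bin, bin size, 8 reserved bytes, FILETIME, spare
HEADER = struct.Struct("<4sII8xQI")
BIN_ALIGN = 0x1000  # bin sizes and offsets are multiples of 4096 bytes


def carve_hbins(buf, step=512):
    """Return plausible hive bin headers found on `step`-byte boundaries."""
    hits = []
    pos = 0
    while pos + HEADER.size <= len(buf):
        if buf[pos:pos + 4] != HBIN_SIG:
            pos += step
            continue
        _, hive_offset, size, _ts, _spare = HEADER.unpack_from(buf, pos)
        # A bare "hbin" string is not enough: size and offset must be aligned.
        if size == 0 or size % BIN_ALIGN or hive_offset % BIN_ALIGN:
            pos += step
            continue
        complete = pos + size <= len(buf)  # False for a bin cut off by the input
        hits.append({"pos": pos, "hive_offset": hive_offset,
                     "size": size, "complete": complete})
        pos += size if complete else step
    return hits


def make_hbin(hive_offset, size):
    # Constructed test data: a header followed by zero-filled cell space.
    return HEADER.pack(HBIN_SIG, hive_offset, size, 0, 0) + b"\x00" * (size - HEADER.size)


def build_sample():
    # Constructed buffer imitating unallocated space: junk, a decoy signature,
    # two intact bins from a fragmented hive, and one truncated bin.
    junk = b"\xAA" * 1024
    decoy = b"hbin" + b"\xFF" * 508
    truncated = make_hbin(0x3000, 0x1000)[:1536]
    return junk + decoy + make_hbin(0, 0x1000) + junk + make_hbin(0x1000, 0x2000) + truncated


if __name__ == "__main__":
    for hit in carve_hbins(build_sample()):
        print(hit)
```

The `hive_offset` field is what lets recovered fragments be placed back in order relative to their hive, and the `complete` flag separates intact bins from ones cut short by the end of the input.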