I'm looking for some way to decode the data from a partial registry file, in this case the hbin block.
I've managed to carve them out and they have keywords I'm interested in but I'm struggling to link them back to their key.
Any ideas?
I've just had a quick look and found this
http//
I don't know how complete your carve is but if you can decode some of the information (following the linked paper or others) then that would help.
Another idea, from the top of my head, would be to replicate the suspected software / configuration / action that has caused the keyword to be in there in a test machine and then acquire HBIN blocks using the same carving method and compare the key indexes etc.
I am interested in how far you get on this one.
Good luck!
This is not going to be easy, because Windows registry entities may be split across different hive bins. If you have a damaged registry file, it's easier to work with it instead of extracting hive bins and trying to make sense of them.
I maintain the specification of Windows registry files, you can find it
If you need any help, ask here :-)
I've run into this situation before, and I've used the information from "Windows Registry Forensics" and a hex editor, and a little code, to give me what I needed.
It's possible to decode the data in there, but it will most likely be a bunch of value and key records that may (but most likely not) be related to each other. You can get timestamps and other data out of it, but for the most part it will just be fragments, especially if you only have one hbin to go on.
If you want to understand all the record types and whatnot, start here:
http://binaryforay.blogspot.com/
If you want more details, please let me know, but my blog explains everything about the Registry with graphical examples and whatnot.
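As an added illustration of the points made in the two replies above (each cell in a carved hbin can be decoded on its own, but an nk's parent and values list may point into a bin you do not have), here is a small Python walker over one hbin. It is example code written for this thread, not any poster's tool; the header and nk/vk layouts follow the public registry-format specification, and the test bin, its offsets and names are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def parse_hbin(buf):
    """Walk the cells of one carved hbin, keyed by hive-relative offset (bin offset + offset in bin)."""
    sig, bin_off, bin_size = struct.unpack_from('<4sII', buf, 0)
    if sig != b'hbin': raise ValueError('not an hbin block')
    cells, pos = {}, 0x20                            # cells follow the 32-byte bin header
    while pos + 4 <= min(bin_size, len(buf)):
        size = struct.unpack_from('<i', buf, pos)[0]     # negative = allocated, zero = end of data
        if size == 0: break
        body = buf[pos + 4:pos + abs(size)]
        rec = {'kind': body[:2], 'raw': body}
        if body[:2] == b'nk' and len(body) >= 76:    # key node: flags, timestamp, parent, values list
            flags, ts, _, parent = struct.unpack_from('<HQII', body, 2)
            rec['values'] = struct.unpack_from('<II', body, 36)       # (count, list offset)
            name = body[76:76 + struct.unpack_from('<H', body, 72)[0]]
            rec.update(name=name.decode('latin-1' if flags & 0x20 else 'utf-16-le'),
                       last_written=EPOCH + timedelta(microseconds=ts // 10), parent=parent)
        elif body[:2] == b'vk' and len(body) >= 20:  # key value: name, data size and type
            nlen, dsize, _, dtype, vflags = struct.unpack_from('<HIIIH', body, 2)
            rec.update(name=body[20:20 + nlen].decode('latin-1' if vflags & 1 else 'utf-16-le') or '(Default)',
                       data_type=dtype, data_size=dsize)
        cells[bin_off + pos] = rec
        pos += abs(size)
    return cells

def link_records(cells):
    """Resolve each nk's parent and value names from cells inside this bin; None means outside the carve."""
    out = []
    for rec in (r for r in cells.values() if r['kind'] == b'nk'):
        nvals, vlist = rec['values']
        ok = nvals and vlist in cells and len(cells[vlist]['raw']) >= 4 * nvals
        offs = struct.unpack_from('<%dI' % nvals, cells[vlist]['raw']) if ok else ()
        names = [cells.get(o, {}).get('name') for o in offs]
        out.append((rec['name'], cells.get(rec['parent'], {}).get('name'), names))
    return out

def build_sample_hbin():
    """Constructed bin at hive offset 0x1000: key 'Software' (parent in another bin) -> 'MyApp' -> value 'InstallPath'."""
    cell = lambda b: struct.pack('<i', -((len(b) + 11) // 8 * 8)) + b.ljust((len(b) + 11) // 8 * 8 - 4, b'\0')
    ts = int((datetime(2020, 1, 1, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    nk = lambda name, parent, nvals=0, vlist=0: (b'nk' + struct.pack('<HQII', 0x20, ts, 0, parent) + bytes(16)
                                                 + struct.pack('<II', nvals, vlist) + bytes(28)
                                                 + struct.pack('<HH', len(name), 0) + name)
    cells = (cell(nk(b'Software', 0x20))                                                  # at 0x1020
             + cell(nk(b'MyApp', 0x1020, 1, 0x10F8))                                       # at 0x1078
             + cell(b'vk' + struct.pack('<HIIIHH', 11, 0, 0, 1, 1, 0) + b'InstallPath')    # at 0x10D0
             + cell(struct.pack('<I', 0x10D0)))                                            # values list at 0x10F8
    return (b'hbin' + struct.pack('<II', 0x1000, 0x1000)).ljust(0x20, b'\0') + cells.ljust(0xFE0, b'\0')
```

Running `link_records(parse_hbin(build_sample_hbin()))` links `InstallPath` back to `MyApp` and `MyApp` to `Software`, while `Software`'s own parent comes back as None because that cell lives in a bin that was not carved.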