hbin registry viewer

minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

I'm looking for some way to decode the data from a partial registry file, in this case the hbin block.
I've managed to carve them out and they have keywords I'm interested in but I'm struggling to link them back to their key.
Any ideas?

 
Posted : 28/10/2015 5:55 pm
(@hc4n6)
Posts: 19
Active Member
 

I've just had a quick look and found this

http://sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf

I don't know how complete your carve is but if you can decode some of the information (following the linked paper or others) then that would help.

Another idea, from the top of my head, would be to replicate the suspected software / configuration / action that has caused the keyword to be in there in a test machine and then acquire HBIN blocks using the same carving method and compare the key indexes etc.

I am interested in how far you get on this one.

Good luck!

 
Posted : 28/10/2015 7:34 pm
(@thefuf)
Posts: 262
Reputable Member
 

> I'm looking for some way to decode the data from a partial registry file, in this case the hbin block.
> I've managed to carve them out and they have keywords I'm interested in but I'm struggling to link them back to their key.
> Any ideas?

This is not going to be easy, because Windows registry entities may be split across different hive bins. If you have a damaged registry file, it's easier to work with it instead of extracting hive bins and trying to make sense of them.

I maintain the specification of Windows registry files, you can find it here. Look at the structures used to store/reference the data (key value and big data records) and how they are referenced by key nodes (key values list records), and how key nodes reference parent key nodes. Then try to go backwards and link data you found with all relevant structures (since you have carved hive bins only, you can't deal with relevant offsets of structures directly, but fortunately hive bins have the offset field in the header).

If you need any help, ask here :-)

 
Posted : 28/10/2015 8:49 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I've run into this situation before, and I've used the information from "Windows Registry Forensics" and a hex editor, and a little code, to give me what I needed.

 
Posted : 02/11/2015 11:46 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

It's possible to decode the data in there, but it will most likely be a bunch of value and key records that may (but most likely not) be related to each other. You can get timestamps and other data out of it, but for the most part it will just be fragments, especially if you only have one hbin to go on.

If you want to understand all the record types and whatnot, start here:

http://binaryforay.blogspot.com/

If you want more details, please let me know, but my blog explains everything about the Registry with graphical examples and whatnot.

 
Posted : 26/11/2015 12:17 am
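The backwards linking thefuf describes (value record -> key values list -> key node -> parent), and the "fragments" outcome Eric warns about, as an added example that is not from the thread, the specification or either poster's tools. It builds one constructed hive bin (the "Run" key, its "Agent" and "Enabled" values and all offsets are made up), uses the offset field in the hbin header to turn positions inside the carved bin into hive-relative offsets, resolves each vk through the nk's key values list, and reports when the parent key node or a data cell lies outside the bin. Structure layouts follow the documented hbin, nk and vk formats; Python 3.8+ is assumed.

```python
import struct
HBIN_HDR, BIN_OFF = 32, 0x1000   # hbin header size; constructed: bin sits 0x1000 bytes into the hive bins data
def cell(payload):                      # allocated cell: negative, 8-byte aligned size
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
def nk(name, parent, vlist, nvals):     # key node: 76-byte header + name, unused offsets = -1
    return struct.pack("<2sHQ15IHH", b"nk", 0x20, 0, 0, parent, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF,
                       nvals, vlist, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(name), 0) + name
def vk(name, dsize, doff, dtype):       # key value: 20-byte header + name
    return struct.pack("<2sHIIIHH", b"vk", len(name), dsize, doff, dtype, 1, 0) + name
def build_sample_hbin():                # constructed bin: key "Run", two values, parent elsewhere
    chunks, pos = [], BIN_OFF + HBIN_HDR
    def add(payload):
        nonlocal pos; off, c = pos, cell(payload); chunks.append(c); pos += len(c); return off
    data = add(b"C:\\tools\\agent.exe\0")                # REG_SZ data cell (ASCII for brevity)
    v1 = add(vk(b"Agent", 19, data, 1))
    v2 = add(vk(b"Enabled", 0x80000004, 1, 4))           # bit 31 set: DWORD stored inline
    vlist = add(struct.pack("<II", v1, v2))
    add(nk(b"Run", 0x120, vlist, 2))                     # parent offset 0x120 is not in this bin
    body = b"".join(chunks)
    size = (HBIN_HDR + len(body) + 0xFFF) & ~0xFFF
    free = size - HBIN_HDR - len(body)                   # trailing free cell keeps a positive size
    return struct.pack("<4sIIQQI", b"hbin", BIN_OFF, size, 0, 0, 0) + body + struct.pack("<i", free) + bytes(free - 4)

def walk_cells(hbin):                   # yield (hive-relative offset, payload) per allocated cell
    sig, bin_off, bin_size = struct.unpack_from("<4sII", hbin)
    assert sig == b"hbin", "not a hive bin"
    p = HBIN_HDR
    while p + 4 <= min(bin_size, len(hbin)) and (size := struct.unpack_from("<i", hbin, p)[0]):
        if size < 0:                                       # negative size = allocated cell
            yield bin_off + p, hbin[p + 4:p - size]
        p += abs(size)                                     # a zero size (zeroed tail) ends the loop

def link_values(hbin):                  # resolve each key node's values using only this bin's cells
    cells, keys = dict(walk_cells(hbin)), {}
    for off, c in cells.items():
        if c[:2] != b"nk": continue
        parent, (nvals, vlist) = struct.unpack_from("<I", c, 16)[0], struct.unpack_from("<II", c, 36)
        name, values = c[76:76 + struct.unpack_from("<H", c, 72)[0]].decode("latin-1"), {}
        for voff in (struct.unpack_from(f"<{nvals}I", cells[vlist]) if vlist in cells else ()):
            v = cells.get(voff)
            if v is None or v[:2] != b"vk": continue      # value record lives in another bin
            nlen, dsize, doff, dtype = struct.unpack_from("<HIII", v, 2)
            if dsize & 0x80000000:                         # bit 31: data is stored in the offset field
                data = struct.pack("<I", doff)[:dsize & 0x7FFFFFFF]
            else:
                data = cells[doff][:dsize] if doff in cells else None   # None: data cell not carved
            values[v[20:20 + nlen].decode("latin-1")] = (dtype, data)
        keys[name] = {"offset": off, "parent": parent, "parent_in_bin": parent in cells, "values": values}
    return keys
```

On a real carve, feed each recovered bin to link_values and merge the results by hive-relative offset; a key whose parent_in_bin is False is exactly the fragment that cannot be named without the neighbouring bins.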