hbin registry viewer


minime2k9
Senior Member
 

hbin registry viewer

Post Posted: Oct 28, 15 18:55

I'm looking for some way to decode the data from a partial registry file, in this case the hbin block.
I've managed to carve them out and they have keywords I'm interested in but I'm struggling to link them back to their key.
Any ideas?  
 
  

hc4n6
Member
 

Re: hbin registry viewer

Post Posted: Oct 28, 15 20:34

I've just had a quick look and found this:

sentinelchicken.com/da...Format.pdf

I don't know how complete your carve is but if you can decode some of the information (following the linked paper or others) then that would help.

Another idea, off the top of my head, would be to replicate the suspected software / configuration / action that has caused the keyword to be in there on a test machine, then acquire HBIN blocks using the same carving method and compare the key indexes etc.

I am interested in how far you get on this one.

Good luck!  
 
  

thefuf
Senior Member
 

Re: hbin registry viewer

Post Posted: Oct 28, 15 21:49

minime2k9 wrote:
    I'm looking for some way to decode the data from a partial registry file, in this case the hbin block.
    I've managed to carve them out and they have keywords I'm interested in but I'm struggling to link them back to their key.
    Any ideas?


This is not going to be easy, because Windows registry entities may be split across different hive bins. If you have a damaged registry file, it's easier to work with it instead of extracting hive bins and trying to make sense of them.

I maintain the specification of Windows registry files, you can find it here. Look at the structures used to store/reference the data (key value and big data records) and how they are referenced by key nodes (key values list records), and how key nodes reference parent key nodes. Then try to go backwards and link data you found with all relevant structures (since you have carved hive bins only, you can't deal with relevant offsets of structures directly, but fortunately hive bins have the offset field in the header).

If you need any help, ask here.
 
  

keydet89
Senior Member
 

Re: hbin registry viewer

Post Posted: Nov 03, 15 00:46

I've run into this situation before, and I've used the information from "Windows Registry Forensics" and a hex editor, and a little code, to give me what I needed.  
 
  

EricZimmerman
Senior Member
 

Re: hbin registry viewer

Post Posted: Nov 26, 15 01:17

It's possible to decode the data in there, but it will most likely be a bunch of value and key records that may (but most likely will not) be related to each other. You can get timestamps and other data out of it, but for the most part it will just be fragments, especially if you only have one hbin to go on.

If you want to understand all the record types and whatnot, start here:

binaryforay.blogspot.com/

If you want more details please let me know, but my blog explains everything about the Registry with graphical examples and whatnot.
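Added example (not code from this thread, from thefuf's specification or from Eric's tools): a small Python parser that does what thefuf's reply describes and what Eric's reply cautions about. It walks the cells of a single carved hive bin, uses the offset field in the "hbin" header to turn each cell's position into the absolute offset that records use when they reference each other, then follows key node (nk) -> key values list -> key value (vk) -> data cell, rebuilding the key path through parent offsets and pulling the last-write FILETIME from each key node. Any reference that points outside the carved bin is reported rather than guessed. The sample bin is constructed inline (hive bin offset 0x2000, a "Run" key whose parent offset 0x20 deliberately lies outside the carve, a child key "Telemetry", and two values); the names, offsets and data are invented for the demonstration. Record layouts follow the regf format (nk fixed part 0x4C bytes, vk fixed part 0x14 bytes, int32 cell size with negative meaning allocated, value data of up to 4 bytes stored inline in the data-offset field); "db" big-data chains and the lf/lh/li/ri subkey lists are left as tagged-but-unparsed cells.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HBIN_HEADER_SIZE = 32  # the "hbin" header; the first cell starts right after it
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def filetime_to_datetime(ft):  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_cell(body, allocated):  # tag a cell by its record signature; keep what linking needs
    rec = {"sig": body[:2], "allocated": allocated, "body": body, "type": "raw"}
    if body[:2] == b"nk" and len(body) >= 0x4C:  # key node
        flags, ts, _acc, parent, _ns, _, _sl, _, n_val, val_list = struct.unpack_from("<HQIIIIIIII", body, 2)
        raw = body[0x4C:0x4C + struct.unpack_from("<H", body, 0x48)[0]]
        rec.update(type="key", timestamp=ts, parent=parent, n_values=n_val, values_list=val_list,
                   name=raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le"))
    elif body[:2] == b"vk" and len(body) >= 0x14:  # key value
        name_len, data_size, data_off, data_type, flags = struct.unpack_from("<HIIIH", body, 2)
        raw = body[0x14:0x14 + name_len]
        rec.update(type="value", data_size=data_size, data_offset=data_off, data_type=data_type,
                   name=raw.decode("latin-1") if flags & 1 else raw.decode("utf-16-le"))
    return rec  # lists ("lf"/"lh"/"li"/"ri"), "sk", "db", value lists and data cells stay "raw" here

def parse_hbin(data):  # walk one carved bin -> (hbin_offset, hbin_size, {absolute offset: record})
    if data[:4] != b"hbin":
        raise ValueError("not a hive bin")
    hbin_off, hbin_size = struct.unpack_from("<II", data, 4)
    cells, pos = {}, HBIN_HEADER_SIZE
    while pos + 4 <= min(len(data), hbin_size):
        size = struct.unpack_from("<i", data, pos)[0]  # negative = allocated, positive = free
        if size == 0 or abs(size) < 4 or pos + abs(size) > len(data):
            break  # zeroed or truncated tail of the carve
        cells[hbin_off + pos] = parse_cell(data[pos + 4:pos + abs(size)], allocated=size < 0)
        pos += abs(size)  # absolute offset = offset field of the bin + position inside the bin
    return hbin_off, hbin_size, cells

def decode_data(raw, data_type):
    if data_type in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le", "replace").rstrip("\0")
    return struct.unpack_from("<I", raw)[0] if data_type == REG_DWORD and len(raw) >= 4 else raw.hex()

def key_path(cells, off):  # walk parent offsets upward -> (path, first ancestor offset not in the carve)
    parts, seen = [], set()
    while off in cells and cells[off]["type"] == "key" and off not in seen:
        seen.add(off)
        parts.append(cells[off]["name"])
        off = cells[off]["parent"]
    return "\\".join(reversed(parts)), off

def link_values(cells):  # follow nk -> value list -> vk -> data by absolute offset
    rows = []
    for off, nk in cells.items():
        vl = cells.get(nk.get("values_list"))
        if nk["type"] != "key" or nk["n_values"] == 0 or vl is None or len(vl["body"]) < 4 * nk["n_values"]:
            continue  # no values, or the value list lives in a bin we do not have
        path, missing = key_path(cells, off)
        for voff in struct.unpack_from("<%dI" % nk["n_values"], vl["body"]):
            vk = cells.get(voff)
            if vk is None or vk["type"] != "value":
                rows.append(dict(key=path, value=None, data=None, chain_breaks_at=missing,
                                 note="value record 0x%08X not in carved data" % voff))
                continue
            if vk["data_size"] & 0x80000000:  # data of <= 4 bytes sits in the data-offset field itself
                raw = vk["body"][8:8 + (vk["data_size"] & 0x7FFFFFFF)]
            else:  # ordinary data cell; "db" big-data lists (data > 16344 bytes) are not followed here
                dc = cells.get(vk["data_offset"])
                raw = None if dc is None else dc["body"][:vk["data_size"]]
            rows.append(dict(key=path, value=vk["name"], chain_breaks_at=missing,
                             last_write=filetime_to_datetime(nk["timestamp"]),
                             data=None if raw is None else decode_data(raw, vk["data_type"])))
    return rows

def _cell(body):  # allocated cell: negative size field, padded to the 8-byte cell alignment
    size = (4 + len(body) + 7) & ~7
    return struct.pack("<i", -size) + body.ljust(size - 4, b"\0")

def build_sample_hbin(hbin_off=0x2000):  # CONSTRUCTED test data, not from any real hive
    def nk(name, parent, n_val, val_list):  # flag 0x20 = ASCII key name; constructed FILETIME (late 2015)
        return b"nk" + struct.pack("<HQ15IHH", 0x20, 0x01D11A2B3C4D5E6F, 0, parent, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF,
                                   n_val, val_list, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(name), 0) + name
    def vk(name, data_size, data_off, data_type):  # flag 1 = ASCII value name
        return b"vk" + struct.pack("<HIIIHH", len(name), data_size, data_off, data_type, 1, 0) + name
    exe = "C:\\Users\\Public\\update.exe\0".encode("utf-16-le")
    def layout(o):  # o maps cell label -> absolute offset; list order fixes the layout in the bin
        return [("run", nk(b"Run", 0x20, 1, o["run_vl"])),  # parent 0x20 lies outside this bin
                ("run_vl", struct.pack("<I", o["upd"])),
                ("upd", vk(b"Updater", len(exe), o["exe"], REG_SZ)),
                ("exe", exe),
                ("svc", nk(b"Telemetry", o["run"], 1, o["svc_vl"])),
                ("svc_vl", struct.pack("<I", o["en"])),
                ("en", vk(b"Enabled", 0x80000000 | 4, 1, REG_DWORD))]  # DWORD 1 stored inline
    off, pos = {}, hbin_off + HBIN_HEADER_SIZE
    for label, body in layout(defaultdict(int)):  # pass 1 with dummy offsets, only to learn cell sizes
        off[label], pos = pos, pos + len(_cell(body))
    cells = b"".join(_cell(body) for _, body in layout(off))
    size = (HBIN_HEADER_SIZE + len(cells) + 0xFFF) & ~0xFFF  # hive bins are multiples of 4096 bytes
    free = size - HBIN_HEADER_SIZE - len(cells)
    return (b"hbin" + struct.pack("<IIQQI", hbin_off, size, 0, 0, 0) + cells
            + (struct.pack("<i", free) + b"\0" * (free - 4) if free else b""))  # trailing free cell
```

Running `link_values(parse_hbin(build_sample_hbin())[2])` yields one row per value: "Run" / "Updater" with the decoded REG_SZ string and "Run\Telemetry" / "Enabled" with the inline DWORD, each carrying the key's last-write time and `chain_breaks_at=0x20`, the parent offset that the carve does not contain. On a real carve that is exactly the point where you fall back to the whole hive file, to another carved bin whose header offset range covers that address, or to the replication approach suggested earlier in the thread. Free cells (positive size) are kept with `allocated=False` so deleted nk/vk records that still have intact signatures are not silently dropped.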
 
