The library doesn't recover some deleted keys and values

Hello.

The bug is here:
https://github.com/EricZimmerman/Registry/blob/1a301f3f237e81cbd2738e444c30e10c76214286/Registry/Other/HBinRecord.cs#L325

If the `remainingData.Length - actualStart < size` condition is met, the deleted item isn't processed. This condition can be true for a valid deleted key/value if its cell has been merged with a preceding one and then the resulting cell is split to hold a subkeys list, so the deleted key/value goes to the slack of this list (i.e., stored after its last item).

Here is an example (this is the SYSTEM hive file from [the 2018 Lone Wolf Scenario](https://digitalcorpora.org/corpora/scenarios/2018-lone-wolf-scenario/), _without_ transaction log files applied):
![hex](https://user-images.githubusercontent.com/7497142/185407691-7f945c3a-552d-4061-8cf7-530286089e16.png)

The remnant cell size field for the deleted key in question, which value is 0x00000178, is too large for the cell containing the subkeys list (the `actualStart` value plus the `size` value point beyond the end of the cell).

Registry Explorer 2.0.0.0 doesn't recover that key:
![RE](https://user-images.githubusercontent.com/7497142/185407795-5328cef8-7661-4bc8-8bdd-12147b44ccd3.png)

The same key can be recovered using [yarp](https://github.com/msuhanov/yarp):
![yarp](https://user-images.githubusercontent.com/7497142/185408374-1b919f4d-1076-4d94-a96d-bf03cdf76731.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The library doesn't recover some deleted keys and values #20

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

The library doesn't recover some deleted keys and values #20

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions