We are very happy to launch a new version (v2.6.35) of Arsenal Image Mounter (AIM) today! You can get the latest version of AIM (and our other tools) here. We know how popular AIM has become in the digital forensics community (and beyond), so we are continuing to add more powerful functionality to both Free and Professional Modes.
Summary of New Functionality
“Mount directory” – Select a directory to mount as a virtual read-only drive (virtual CD-ROM). Includes “Boot image” option to create a bootable CD/DVD or for use booting a virtual machine. (Professional Mode)
“Mount image / Archives” – Select zip, cab, wim, and tar (raw or gzip or bzip2 compressed) files to mount as virtual read-only drives (virtual CD-ROMs). Note that wim files often contain more than one image, so more than one virtual drive may appear. (Professional Mode)
“Create virtual machine” – Preliminary support for creating a temporary Hyper-V virtual machine that uses the selected AIM-mounted disk. The disk image should be mounted in write temporary mode before using this feature, which is designed to make booting the contents of a disk image in a virtual machine easier. The virtual machine is created with 2 CPUs, 512 MB RAM, two network adapters (not connected by default), one DVD-ROM (without any attached image) and the AIM mounted virtual disk as primary IDE HD. Currently works on Windows 8/8.1/10 (and Server 2012/2012 R2/2016) x64. Requires Hyper-V role. Remember that Hyper-V needs to be run on physical hardware, not within a virtual machine. GPT partitioned disks are not fully supported yet. (Professional Mode)
“Create RAM disk” – Creates a RAM disk with one partition formatted as NTFS. (Free Mode)
“Fake disk signature” – Now creates a random disk signature regardless of the existing disk signature, so mounting several disk images from the same original disk or from a physically-attached disk is no longer a problem in terms of Windows mounting the filesystems contained within them. Also, now works in both read only and write-temporary modes. (Free Mode)
“Replay” – When the write-overlay differencing file already exists from a previous session, users are now asked whether to use the state from the existing differencing file or delete the differencing file and start over using only the original disk image. Currently works with vhd and vmdk virtual machine images only. (Free Mode)
“Read-Only Differencing” – When the write-overlay differencing file cannot be created (e.g. because the disk image is located in a read-only location), the user is now asked for a new location. (Free Mode)
Note: AIM now requires .NET 4.5, so Windows XP support is being dropped. Windows Vista and 7 need to have .NET 4.5 installed, Windows 8 and later already include .NET 4.5.
Arsenal Image Mounter Background
Arsenal Image Mounter was born when we found existing disk image mounting solutions lacking during the development of our premier digital forensics tool Registry Recon. Many disk image mounting solutions mount the contents of images in Windows as shares or partitions (rather than complete disks), which limits their usefulness. Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows® by including a virtual SCSI adapter (via a unique Storport miniport driver) which allows users to benefit from disk-specific features in Windows like integration with Disk Manager, access to Volume Shadow Copies, and more. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are “real” SCSI disks. Since we had personal experience being in a position where a powerful disk image mounting solution would take our project to the next level, we offer the Arsenal Image Mounter source code and APIs to commercial projects with an appropriate license and to open source projects royalty free.
Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!