March 16, 2020
The workflow for launching virtual machines has been significantly improved in Arsenal Image Mounter v3.1.101! You will now see a single dialog box (rather than a series of prompts) which consolidates important options related to launching virtual machines. For example, we found in some of our recent casework that various types of networking isolation (beyond complete isolation) can come in quite useful, so you can now choose to have networking disconnected, shared between VMs, shared between VMs and host, or set to the default switch with external NAT.
Watch us launch a domain controller and a workstation into virtual machines, allowing them to communicate with each other, so that we can bypass the domain controller’s administrative password, reset a user’s Active Directory password, and finally access the user’s protected content on their workstation – all without knowing any passwords!
We have added a BitLocker menu option after various feature requests and publishing our Insights article BitLocker for DFIR – Part I. The new BitLocker functions (and whether they apply to AIM’s “Free Mode” or “Professional Mode”) are:
Unlock BitLocker-protected volumes (Free Mode)
Fully decrypt BitLocker-protected volumes (Free Mode)
Disable/suspend BitLocker-protected volumes (Free Mode)
Save as fully decrypted image file (Professional Mode)
We suspect that many of our customers will be using AIM to save fully decrypted BitLocker volumes to new image files, as quite a bit of both time and disk space will be saved over some of the workflows currently used to deal with BitLocker volumes. We recommend that forensic images be mounted read-only before saving their fully-decrypted BitLocker volumes to new image files.
Watch this video and see how easy, and how fast, we have made saving a fully decrypted BitLocker-protected volume to a new disk image!
Recent casework taught us that some people are very, very fond of creating Hyper-V checkpoints, so we have improved AIM’s ability to handle them. Simply point AIM directly at a Hyper-V checkpoint (.avhd or .avhdx file extension) and the virtual machine disk will be quickly reconstituted according to the checkpoint data you selected.
You can see us mount three Hyper-V checkpoints and compare some of their contents in this video.
You can see us mount two Hyper-V checkpoints and launch them into virtual machines in this video.
Windows file system driver bypass mode exposes more NTFS metadata and streams. For example, NTFS streams are now placed in the [METADATA] folder at the root of each volume. You will find the entire volume’s folder structure replicated here, and within each folder you will find the associated streams using the naming convention (STREAMNAME)..(STREAMTYPE). You can also find concatenated stream data for the entire volume at the root of the [METADATA] folder, using the naming convention [(STREAMNAME)]..[(STREAMTYPE)]. The streams currently exposed are $OBJECT_ID, $INDEX_ROOT, $INDEX_ALLOCATION, $EA, and $LOGGED_UTILITY_STREAM.
When dealing with NTFS file systems, Windows file system driver bypass mode no longer displays deleted files whose contents have been completely overwritten in the [DELETED] folder. You will now find only deleted files whose contents have not been completely overwritten in the [DELETED] folder, with their filenames appended (unless none of their clusters have been reallocated, in which case they will remain as is) to identify what percentage of their clusters have not yet been reallocated. Also, orphans will be displayed within folders using the naming convention MFT-(#)_SEQ-(#).
Windows file system driver bypass mode now has experimental support for exFAT.
AIM now supports Open Virtual Appliance (OVA) virtual machine disk images directly.
Many other updates have been made to the latest AIM, including improvements to the fake MBR feature, the ability to quickly toggle between disks being online and read-only or writable, enhancements to AIM Virtual Machine Tools (further armoring injection, etc.), improvements to FAT32 and experimental ext2/3/4 handling in Windows file system driver bypass mode, faster startup time, additional CLI functionality, a new CLI readme, various performance enhancements, and more.
Please make sure to check out the readmes included with AIM to get a better understanding of both existing and new functionality.
You can always find the latest public version of Arsenal Image Mounter on our Downloads page and you can purchase an Arsenal subscription, to enable the full functionality of not only AIM but all our other tools, here.
We hope you enjoy this latest version of AIM, and please let us know what you would like to see in future versions!
I am announcing today, thanks to some gentle nudging from my team, that Arsenal is dramatically expanding our educational program. We are now providing free subscriptions each semester not only to professors at colleges and universities, but to students as well.
Digital forensics practitioners may not be aware of the nuances of what happens when introducing various BitLocker activities into the mix of hibernation and in-file TRIM.
Once you think through the implications of what can be done not only with multiple document versions extracted from FSD files as ODC Recon has always done, but what can be done with the granular revision information that can be found within FSD files and temporary collaboration data, you should be having a “lean back in the chair” moment.
Join our mailing list to arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.
or (617) 277-3625
Terms & Conditions