March 16, 2020
The workflow for launching virtual machines has been significantly improved in Arsenal Image Mounter v3.1.101! You will now see a single dialog box (rather than a series of prompts) which consolidates important options related to launching virtual machines. For example, we found in some of our recent casework that various types of networking isolation (beyond complete isolation) can come in quite useful, so you can now choose to have networking disconnected, shared between VMs, shared between VMs and host, or set to the default switch with external NAT.
Watch us launch a domain controller and a workstation into virtual machines, allowing them to communicate with each other, so that we can bypass the domain controller’s administrative password, reset a user’s Active Directory password, and finally access the user’s protected content on their workstation – all without knowing any passwords!
We have added a BitLocker menu option after various feature requests and publishing our Insights article BitLocker for DFIR – Part I. The new BitLocker functions (and whether they apply to AIM’s “Free Mode” or “Professional Mode”) are:
Unlock BitLocker-protected volumes (Free Mode)
Fully decrypt BitLocker-protected volumes (Free Mode)
Disable/suspend BitLocker-protected volumes (Free Mode)
Save as fully decrypted image file (Professional Mode)
We suspect that many of our customers will be using AIM to save fully decrypted BitLocker volumes to new image files, as quite a bit of both time and disk space will be saved over some of the workflows currently used to deal with BitLocker volumes. We recommend that forensic images be mounted read-only before saving their fully-decrypted BitLocker volumes to new image files.
Watch this video and see how easy, and how fast, we have made saving a fully decrypted BitLocker-protected volume to a new disk image!
Recent casework taught us that some people are very, very fond of creating Hyper-V checkpoints, so we have improved AIM’s ability to handle them. Simply point AIM directly at a Hyper-V checkpoint (.avhd or .avhdx file extension) and the virtual machine disk will be quickly reconstituted according to the checkpoint data you selected.
You can see us mount three Hyper-V checkpoints and compare some of their contents in this video.
You can see us mount two Hyper-V checkpoints and launch them into virtual machines in this video.
Windows file system driver bypass mode exposes more NTFS metadata and streams. For example, NTFS streams are now placed in the [METADATA] folder at the root of each volume. You will find the entire volume’s folder structure replicated here, and within each folder you will find the associated streams using the naming convention (STREAMNAME)..(STREAMTYPE). You can also find concatenated stream data for the entire volume at the root of the [METADATA] folder, using the naming convention [(STREAMNAME)]..[(STREAMTYPE)]. The streams currently exposed are $OBJECT_ID, $INDEX_ROOT, $INDEX_ALLOCATION, $EA, and $LOGGED_UTILITY_STREAM.
On NTFS file systems, Windows file system driver bypass mode no longer lists deleted files whose contents have been completely overwritten in the [DELETED] folder. The [DELETED] folder now contains only deleted files whose contents have not been completely overwritten, and each filename is suffixed to indicate what percentage of the file's clusters have not yet been reallocated (files none of whose clusters have been reallocated keep their original names). Orphans are displayed within folders using the naming convention MFT-(#)_SEQ-(#).
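As an added example (not AIM's own code), here is a small inventory script for a bypass-mode mount that applies the [METADATA] and [DELETED] naming conventions described above: it counts exposed streams by type, flags any stream type the release notes do not list, and separates orphans from other deleted files. The regexes are my reading of those conventions, the sample listing is constructed, and the percentage suffix on [DELETED] filenames is kept verbatim because its exact format is not given here.

```python
import re
from collections import Counter

# Bypass-mode naming conventions from the release notes (regexes are my reading of them).
STREAM_RE = re.compile(r"^\((?P<name>[^()]*)\)\.\.\((?P<type>\$[A-Z_]+)\)$")        # (STREAMNAME)..(STREAMTYPE)
CONCAT_RE = re.compile(r"^\[\((?P<name>[^()]*)\)\]\.\.\[\((?P<type>\$[A-Z_]+)\)\]$")  # [(STREAMNAME)]..[(STREAMTYPE)]
ORPHAN_RE = re.compile(r"^MFT-(?P<mft>\d+)_SEQ-(?P<seq>\d+)$")                        # MFT-(#)_SEQ-(#)
EXPOSED_TYPES = {"$OBJECT_ID", "$INDEX_ROOT", "$INDEX_ALLOCATION", "$EA", "$LOGGED_UTILITY_STREAM"}

def classify(rel_path):
    """Map one '/'-separated path under the volume root to ('concat', type, name),
    ('stream', type, owner), ('orphan', mft, seq), ('deleted', name) or None (live file)."""
    parts = rel_path.split("/")
    top, leaf = parts[0], parts[-1]
    if top == "[METADATA]":
        if len(parts) == 2 and (m := CONCAT_RE.match(leaf)):   # volume-wide concatenated stream
            return ("concat", m["type"], m["name"])
        if m := STREAM_RE.match(leaf):                          # stream of one file or folder
            return ("stream", m["type"], "/".join(parts[1:-1]) or "<root>")
    elif top == "[DELETED]":
        for part in parts[1:]:                                  # orphan = parent record unknown
            if m := ORPHAN_RE.match(part):
                return ("orphan", int(m["mft"]), int(m["seq"]))
        return ("deleted", leaf)                                # percentage suffix left untouched
    return None

def inventory(paths):
    """Count streams by type, flag types the notes do not list, collect orphans and deletions."""
    by_type, orphans, deleted = Counter(), set(), []
    for c in filter(None, map(classify, paths)):
        if c[0] in ("stream", "concat"):
            by_type[c[1]] += 1
        elif c[0] == "orphan":
            orphans.add((c[1], c[2]))
        else:
            deleted.append(c[1])
    return {"by_type": dict(by_type), "unexpected": sorted(set(by_type) - EXPOSED_TYPES),
            "orphans": sorted(orphans), "deleted": deleted}

# Constructed sample listing in the shape the release notes describe (not real case data).
SAMPLE = [
    "Users/alice/notes.txt",
    "[METADATA]/[($I30)]..[($INDEX_ROOT)]",
    "[METADATA]/Users/($I30)..($INDEX_ROOT)",
    "[METADATA]/Users/($I30)..($INDEX_ALLOCATION)",
    "[METADATA]/Users/alice/notes.txt/()..($OBJECT_ID)",
    "[METADATA]/Users/alice/secret.txt/($EFS)..($LOGGED_UTILITY_STREAM)",
    "[DELETED]/MFT-4711_SEQ-3/oldreport.docx",
    "[DELETED]/Users/alice/draft.txt",
]
```

Running `inventory(SAMPLE)` on a real mount would take the output of a recursive directory walk, rooted at the volume, in place of the constructed list.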
Windows file system driver bypass mode now has experimental support for exFAT.
AIM now supports Open Virtual Appliance (OVA) virtual machine disk images directly.
Many other updates have been made to the latest AIM, including improvements to the fake MBR feature, the ability to quickly toggle between disks being online and read-only or writable, enhancements to AIM Virtual Machine Tools (further armoring injection, etc.), improvements to FAT32 and experimental ext2/3/4 handling in Windows file system driver bypass mode, faster startup time, additional CLI functionality, a new CLI readme, various performance enhancements, and more.
Please make sure to check out the readmes included with AIM to get a better understanding of both existing and new functionality.
You can always find the latest public version of Arsenal Image Mounter on our Downloads page and you can purchase an Arsenal subscription, to enable the full functionality of not only AIM but all our other tools, here.
We hope you enjoy this latest version of AIM, and please let us know what you would like to see in future versions!