August 12, 2020
Arsenal Image Mounter’s Windows authentication bypass is already more powerful than any other tool we are aware of, but that has not stopped us from continuing to push boundaries. We have been working aggressively for the last month on an extension to our Windows authentication bypass that some of our colleagues in digital forensics will find quite shocking. While we continue this work, we have decided to launch another version of AIM with some new features requested by our customers.
AIM’s Volume Shadow Copy (VSC) mounting now supports mounting VSCs as “complete” disks in write-temporary mode on Windows.
Did you notice what was happening with that last screenshot? It looks like two of the VSCs have been launched into virtual machines? Yes, they have – among other things, this feature allows VSCs to be launched directly into virtual machines! Check out this video:
AIM’s Windows File System Driver Bypass mode now exposes concatenated unallocated and slack space on NTFS volumes as [UNALLOCATED] and [SLACK] “files” at the root of each volume. We have found this to be a time saver in our casework.
AIM can now be configured to launch automatically at logon and to automatically remount disk images. Again, time savers in our (and hopefully your) casework.
In addition to the features already mentioned, AIM v3.2.128 includes a security update, updated third-party libraries, minor bug fixes, and an updated readme.
Until next time… good hunting, and please help us spread the word about AIM and our other tools!