August 12, 2020
Arsenal Image Mounter’s Windows authentication bypass is already more powerful than any other tool we are aware of, but that has not stopped us from continuing to push boundaries. We have been working aggressively for the last month on an extension to our Windows authentication bypass that some of our colleagues in digital forensics will find quite shocking. While we continue this work, we have decided to launch another version of AIM with some new features requested by our customers.
AIM’s Volume Shadow Copy (VSC) mounting now supports mounting VSCs as “complete” disks in write-temporary mode on Windows.
Did you notice what was happening with that last screenshot? It looks like two of the VSCs have been launched into virtual machines? Yes, they have – among other things, this feature allows VSCs to be launched directly into virtual machines! Check out this video:
AIM’s Windows File System Driver Bypass mode now exposes concatenated unallocated and slack space on NTFS volumes as [UNALLOCATED] and [SLACK] “files” at the root of each volume. We have found this to be a time saver in our casework.
AIM can now be configured to launch automatically at logon and to automatically remount disk images. Again, time savers in our (and hopefully your) casework.
In addition to the features already mentioned, AIM v3.2.128 includes a security update, updated third-party libraries, minor bug fixes, and an updated readme.
Until next time… good hunting, and please help us spread the word about AIM and our other tools!