We did it!
The Arsenal team has built a remarkable way to access protected content in Windows without having user credentials.
Data Protection API (DPAPI) bypass
AIM now provides digital forensics practitioners with a Data Protection API (DPAPI) bypass which, in concert with our Windows authentication bypass, provides seamless access to protected content in certain situations involving Windows 10. You are probably wondering what kinds of protected content. How about website, network share, and application credentials? EFS-encrypted files and folders? All without having any credentials from the user.
What if Arsenal Image Mounter was the casino and disk images were the gamblers?
We found that, academically speaking, accessing Data Protection API (DPAPI) protected data on Windows 10 was relatively straightforward in certain situations. We also found that turning this knowledge into something seamless was anything but straightforward. Our team was relentless and forged ahead until we built something extremely powerful, unique, and… seamless.
Think about all the new information you could learn about not only your ongoing cases, but your cold cases as well.
Digital forensics practitioners will soon find that the combination of AIM’s existing Windows authentication bypass with our new DPAPI bypass is amazing.
Here are just some possibilities:
- Display passwords stored by web browsers
- Expose WiFi passwords
- Access EFS-encrypted files and folders
- See Windows password reset questions & answers
- Decrypt Dropbox databases
We are just scratching the surface in terms of what is possible when using AIM to bypass both Windows authentication and DPAPI within electronic evidence.
What will you discover?
Watch Arsenal Image Mounter Demonstrations
Dropbox DB Decryption per DPAPI Bypass
Windows Authentication and DPAPI Bypass Against YubiKey-Protected System
Leveraging New Functionality
Within days of releasing the latest version of AIM to law enforcement, Cst. Derek Frawley of the Kingston Police in Ontario, Canada utilized the DPAPI bypass in a creative and extremely important way.
“After multiple failures over the years launching disk images into virtual machines using a tool popular in law enforcement, I purchased Arsenal Image Mounter… and have found it much more reliable.
I used AIM on a recent case to launch a disk image obtained from a suspect’s laptop into a virtual machine, using both the Windows authentication and DPAPI bypass features. With just a few clicks I was logged into the suspect’s Windows account and viewing his passwords, without having any of his credentials.
Using insight I gained from seeing the suspect’s passwords, I was able to unlock a BitLocker volume he had on another computer. AIM then made it easy to save the unlocked BitLocker volume to a fully-decrypted disk image.
AIM has become a crucial part of my casework.”
Cst. Derek Frawley
Forensic Analyst, Kingston Police
Are you ready for Arsenal Image Mounter Pro?
Arsenal Image Mounter Pro is available with an Arsenal subscription, which includes access to the full functionality of all our tools along with updates and support.
Still not convinced?
“After many unsuccessful attempts to launch forensic images into virtual machines with a popular digital forensics tool, I decided to give Arsenal Image Mounter a try. I’m very glad I did, because I was able to virtualize forensic images from multiple suspects. AIM also bypassed Microsoft cloud account passwords within the virtual machines, so I was able to take valuable screenshots for the US Attorney. In addition, I have found AIM’s multiple methods of Volume Shadow Copy exporting to be useful.”
ICE/Homeland Security Investigation
Please note, we initially released Arsenal Image Mounter v3.3.134 to our law enforcement and military customers and are now releasing it to all our established customers upon request. We will have an even wider release on January 1st.
*Arsenal Recon Subscription lowest pricing is offered at $55.25/month with the purchase of a five (5) year plan, $3,315 at checkout.