FAQ

Here are some common questions about Arsenal Products.

Registry Recon

System Requirements

Registry Recon requires Microsoft Windows 7 or later, .NET 4, and the Visual C++ 2010 Redistributable Package (x86/x64).

What is the Microsoft Windows Registry?

The Registry is a complex ecosystem, in database form, containing information related to hardware, software, and users on computer systems running Microsoft Windows. At a very basic level, the Registry is composed of “keys” and “values”, which are similar in some ways to folders and files. Analysis of this information reveals the names of recently accessed files, when applications were last run, who attached removable storage devices, and much more. The Registry is continually referenced during Windows operation, so large volumes of Registry data can always be found both on disk and in live memory.

What are the Recon Registries and Recon View?

Recon Registries are all the Registries rebuilt by Registry Recon. Recon View is our method of showing you all the values within them in a unique and historical fashion, with seamless access to all instances of those values if you so desire.

What kinds of evidence can be added to Registry Recon?

Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.

I am a student and would like to try Registry Recon. Where can I find sample evidence?

You can find sample evidence here, here, and here.

How Do Recon Registries Get Their Name?

If a full set of hives (particularly System and Software) is available for any particular Registry, its Recon Registries name will include the system name, Windows version, and install date. If a System hive is available but a Software hive is not, the name will include the system name and Machine Security ID (“MSID”). If a Software hive is available but a System hive is not, the name will include the Windows version and install date. If both System and Software hives are missing, the name will simply include an MSID.

Can Registry Recon resurrect registries if they have been overwritten?

It’s important to keep in mind that in the context of computer forensics, “deleted” and “overwritten” are two very different things. Registry Recon is often very successful at rebuilding Registries which have been deleted and only exist in unallocated (deleted) space. Registry Recon cannot, however, rebuild Registries if they have been overwritten – for example, if a data scrubbing tool has been used to overwrite unallocated space.

Where can I get the latest version of Registry Recon?

You can get the latest version of Registry Recon from our Downloads page.

How can I license Registry Recon on an offline workstation?

If you want your air-gapped workstation properly licensed for Registry Recon, please:

  • Open Registry Recon and enter the license code you were given
  • Upon realizing that no Internet connection is available, Registry Recon will save a “.LIC” file to your ProgramData\ArsenalRecon folder
  • On a workstation with Internet access, go to our Offline Activation page and upload the “.LIC” file.
  • Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder

Your air-gapped workstation is now ready to run Registry Recon!

I had trouble adding evidence to Registry Recon, what is wrong?

Certain computer forensics applications can interfere with physical drives being added as evidence to Registry Recon, so Arsenal recommends refraining from their use while adding evidence.

What updates are on the way?

We are working on a large number of updates which include support for live memory captures, greatly improving searching, bookmarking, and reporting functionality, and performance tuning.

Hibernation Recon

System Requirements

Hibernation Recon requires Microsoft Windows 8 or later.

How can I run the command line interface version of Hibernation Recon?

Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec”):

HibRec /HiberFill=(FullPath)

What are the "Legacy" and "Modern" hibernation formats?

Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.

What are the output files created by Hibernation Recon?

Output Filename                                                  Description
ActiveMemory.bin                                                 Active memory decompressed & reconstructed
DecompressedSlackLegacy.bin                                      All levels of slack (Legacy format) decompressed & placed in one output file
DecompressedSlackModern.bin                                      All levels of slack (Modern format) decompressed & placed in one output file
DecompressedSlackLevels/DecompressedSlackLevelXXXLegacy.bin      Slack (Legacy format) decompressed & placed in multiple output files by slack level
DecompressedSlackLevels/DecompressedSlackLevelXXXModern.bin      Slack (Modern format) decompressed & placed in multiple output files by slack level
RawSlackLegacy.bin                                               Raw slack (Legacy format) from all slack levels placed in one output file
RawSlackModern.bin                                               Raw slack (Modern format) from all slack levels placed in one output file
RawSlackChunks/RawSlackChunk_(Decimal Offset)_(Hex_Offset).bin   Raw slack placed in multiple output files by chunk
NonZeroAfterValidSlack.bin                                       Non-zero data after all valid levels of slack
AllSlack.bin                                                     All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file
Indx_I30_Entries.csv                                             Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records
Indx_ObjIdO_Entries.csv                                          Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records
HibRec.log                                                       Hibernation Recon log file

What can I do with the output from Hibernation Recon?

You can load decompressed and reconstructed memory (ActiveMemory.bin) into your memory forensics toolkits and run your other tools against all the output from Hibernation Recon to extract many kinds of artifacts. We will begin adding artifact recovery to the next major version of Hibernation Recon.


Do I need an Internet connection for Hibernation Recon licensing?

You only need an Internet connection for Hibernation Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.

How can I license Hibernation Recon on an offline workstation?

If you want your air-gapped workstation properly licensed for Hibernation Recon, please:

  • Open Hibernation Recon and enter the license code you were given
  • Upon realizing that no Internet connection is available, Hibernation Recon will save a “.LIC” file to your ProgramData\ArsenalRecon folder
  • On a workstation with Internet access, go to our Offline Activation page and upload the “.LIC” file.
  • Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder

Your air-gapped workstation is now ready to run Hibernation Recon!

What are some examples of problematic hibernation files?

Hibernation Recon does not currently support the processing of BitLocker, TPM-impacted, or empty (yes, we had to say that!) hibernation files. If you find that Hibernation Recon has not processed your hibernation file, please determine whether BitLocker and/or TPM is in play and whether the file contains any significant volume of non-zero data. If you are still unsure why Hibernation Recon has not processed a particular hibernation file, please contact support and we will assist you.

How can hibernation files be zeroed out?

Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry setting is enabled, or after Windows 8/8.1 and 10 resume from hibernation on SSDs.
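The two answers above suggest checking, before asking support why a hibernation file was not processed, whether the file actually holds any significant volume of non-zero data. The following Python script is an added example of that triage step; it is not Arsenal's code and not part of Hibernation Recon. It assumes the commonly documented four-byte ASCII signatures at offset 0 (“hibr”/“HIBR” written when the system hibernated, “wake”/“WAKE” rewritten after a resume) and reports anything else as unknown rather than guessing. The non-zero share is estimated from evenly spaced 4 KiB samples so a multi-gigabyte file is not read in full; BitLocker or TPM involvement cannot be detected this way and still has to be checked separately.

```python
"""Quick triage of a Windows hibernation file (hiberfil.sys).

Added example, not Arsenal's code. Assumptions: the first four bytes carry
the ASCII signature "hibr"/"HIBR" (written at hibernation) or "wake"/"WAKE"
(rewritten after a resume); anything else is reported as unknown. The
non-zero ratio is estimated from evenly spaced 4 KiB samples.
"""
import io
import os
import sys
from dataclasses import dataclass

PAGE = 4096
KNOWN_SIGNATURES = {b"hibr", b"HIBR", b"wake", b"WAKE"}


@dataclass
class HiberfilTriage:
    size: int              # file size in bytes
    signature: str         # printable form of the first four bytes
    signature_known: bool  # True when the signature is one of KNOWN_SIGNATURES
    nonzero_ratio: float   # estimated fraction of sampled bytes that are non-zero
    looks_empty: bool      # True when practically all sampled data is zero


def sample_offsets(size, samples=256, chunk=PAGE):
    """Evenly spaced, page-aligned offsets whose chunks fit inside the file."""
    if size <= chunk:
        return [0]
    step = max(chunk, ((size - chunk) // samples) // PAGE * PAGE)
    return list(range(0, size - chunk + 1, step))[:samples]


def triage_stream(f, size, samples=256, chunk=PAGE, empty_threshold=0.001):
    """Classify an open binary stream of the given size."""
    f.seek(0)
    head = f.read(4)
    sampled = nonzero = 0
    for offset in sample_offsets(size, samples, chunk):
        f.seek(offset)
        block = f.read(chunk)
        sampled += len(block)
        nonzero += len(block) - block.count(0)  # bytes.count(0) counts NUL bytes
    ratio = nonzero / sampled if sampled else 0.0
    return HiberfilTriage(
        size=size,
        signature=head.decode("ascii", "replace"),
        signature_known=head in KNOWN_SIGNATURES,
        nonzero_ratio=ratio,
        looks_empty=ratio < empty_threshold,
    )


def triage_bytes(data, **kwargs):
    """Triage an in-memory buffer (used for the constructed samples below)."""
    return triage_stream(io.BytesIO(data), len(data), **kwargs)


def triage_file(path, **kwargs):
    """Triage a hibernation file on disk without reading all of it."""
    with open(path, "rb") as f:
        return triage_stream(f, os.path.getsize(path), **kwargs)


def explain(t):
    """One-line verdict in the terms the FAQ uses."""
    if t.looks_empty:
        return ("empty: practically no non-zero data "
                "(ClearPageFileAtShutdown, SSD resume, or never hibernated)")
    if not t.signature_known:
        return (f"unknown signature {t.signature!r}: check for BitLocker/TPM "
                "involvement or a file that is not a hibernation file")
    return (f"signature {t.signature}, ~{t.nonzero_ratio:.0%} of sampled data "
            "is non-zero: worth processing")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = triage_file(sys.argv[1])
    else:
        # Constructed sample: a valid header followed by 64 KiB of zeros.
        result = triage_bytes(b"HIBR" + bytes(64 * 1024))
    print(result)
    print(explain(result))
```

Run it as `python hiberfil_triage.py C:\hiberfil.sys` (from a forensic copy, not the live system file). The empty threshold of 0.1% is deliberately low: a file that Windows has zeroed out will sample as almost entirely NUL, while even a Fast Boot-only hibernation carries far more non-zero data than that.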

What impact does Fast Boot/Fast Startup have on Windows hibernation?

Windows 8/8.1 and Windows 10 normally have “Fast Boot” or “Fast Startup” functionality (hereafter “Fast Boot”) enabled by default. Windows shutdowns on a Fast Boot enabled system will write kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in background, and other user mode processes that do not belong to any specific user session to the hibernation file. Although all user sessions are logged out before this writing to the hibernation file occurs, much more than kernel memory is taken into account. Of course, a “normal” or “complete” hibernation when a user is logged into Windows will result in much more data being written to the hibernation file.

What kinds of advanced NTFS metadata recovery does Hibernation Recon provide?

Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contains Object IDs or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well.

How would you describe Object IDs?

NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file’s $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage’s The Meaning of LIFE document.
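The Object IDs described above are stored as GUIDs, and the same birth fields that let Windows track a moved file let an examiner tell where a file first received its Object ID. The following Python decoder is an added example, not Arsenal's code and not how Hibernation Recon produces Indx_ObjIdO_Entries.csv. It assumes the layout of the $OBJECT_ID attribute body given in the public NTFS and winioctl.h documentation of FILE_OBJECTID_BUFFER: ObjectId (16 bytes), then optionally BirthVolumeId, BirthObjectId and DomainId (16 bytes each), all in Windows mixed-endian GUID byte order. All GUID values used are constructed sample values, not real evidence.

```python
"""Decode an NTFS $OBJECT_ID attribute body (FILE_OBJECTID_BUFFER) and
interpret its birth fields.

Added example, not Arsenal's code. Assumed layout (public NTFS/winioctl.h
documentation): ObjectId, then optionally BirthVolumeId, BirthObjectId and
DomainId, 16 bytes each, stored in Windows mixed-endian GUID byte order.
"""
import uuid
from dataclasses import dataclass
from typing import Optional

GUID_LEN = 16
NIL_GUID = uuid.UUID(int=0)


@dataclass(frozen=True)
class ObjectIdAttribute:
    object_id: uuid.UUID
    birth_volume_id: Optional[uuid.UUID] = None
    birth_object_id: Optional[uuid.UUID] = None
    domain_id: Optional[uuid.UUID] = None


def parse_object_id_attribute(body: bytes) -> ObjectIdAttribute:
    """Split a 16/32/48/64-byte attribute body into its GUIDs."""
    if len(body) not in (16, 32, 48, 64):
        raise ValueError(f"unexpected $OBJECT_ID body length {len(body)}")
    # bytes_le undoes the mixed-endian on-disk encoding of the first three fields
    guids = [uuid.UUID(bytes_le=body[i:i + GUID_LEN])
             for i in range(0, len(body), GUID_LEN)]
    return ObjectIdAttribute(*guids)


def build_object_id_attribute(object_id, birth_volume_id=None,
                              birth_object_id=None, domain_id=None) -> bytes:
    """Inverse of the parser; used here only to construct sample records."""
    out = b""
    for g in (object_id, birth_volume_id, birth_object_id, domain_id):
        if g is None:
            break
        out += g.bytes_le
    return out


def describe_origin(attr: ObjectIdAttribute, this_volume_id: uuid.UUID) -> str:
    """What the birth fields say about where the Object ID was first assigned."""
    if attr.birth_volume_id is None:
        return "no birth information recorded"
    if attr.birth_volume_id == NIL_GUID:
        return "birth volume unknown (recorded as zero)"
    if attr.birth_volume_id == this_volume_id:
        return "Object ID first assigned on this volume"
    return (f"Object ID first assigned on another volume ({attr.birth_volume_id}); "
            "consistent with a move, not a copy, onto this volume")


def same_birth(a: ObjectIdAttribute, b: ObjectIdAttribute) -> bool:
    """True when two records describe the same original object, e.g. an entry
    recovered from $O slack and a live $MFT record."""
    return a.birth_object_id is not None and a.birth_object_id == b.birth_object_id


# Constructed sample values (not real evidence).
SAMPLE_OBJECT_ID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_VOLUME_ID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
OTHER_VOLUME_ID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")


def demo():
    """Round-trip a full 64-byte record whose birth volume differs from ours."""
    body = build_object_id_attribute(SAMPLE_OBJECT_ID, OTHER_VOLUME_ID,
                                     SAMPLE_OBJECT_ID, NIL_GUID)
    return body, parse_object_id_attribute(body)


if __name__ == "__main__":
    body, attr = demo()
    print(body.hex())
    print(attr)
    print(describe_origin(attr, SAMPLE_VOLUME_ID))
```

The birth fields are what make $O entries from slack useful: an ObjectId can be reassigned when a file lands on a volume where that GUID already exists, but BirthObjectId and BirthVolumeId are preserved, so `same_birth` correlates records even when the current ObjectId differs.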

Coming Soon

All subscription users are eligible for software updates for the duration of their subscription. Legacy license holders are eligible for updates for the duration of their SMS. We continue to work on more aggressive NTFS metadata recovery, hibernation carving, and other features!

Arsenal Image Mounter

Why is Arsenal Image Mounter different than other disk image mounting solutions?

Many disk image mounting solutions mount the contents of images in Windows as shares or partitions (rather than “complete” disks), which limits their usefulness. Arsenal Image Mounter is the first and only open source solution for mounting the contents of disk images as complete disks in Windows. We have also developed a significant amount of functionality that is particularly useful to the digital forensics and incident response community.

What are the requirements for running Arsenal Image Mounter?

Arsenal strongly recommends running Arsenal Image Mounter on Windows 8.1/10 (and Server 2012 R2/2016) x64. Most, but not all, AIM functionality is available on Vista/7/8 and Server 2012 x64 if .NET 4.5 is installed. Most, but not all, AIM functionality is available on both x64 and x86 versions of Vista/7/8 (and Server 2012 x64) when specifically using Arsenal Image Mounter CLI (if .NET 4.0 is installed) or Arsenal Image Mounter Low Level. Significant AIM functionality is unavailable in Windows versions prior to Vista – so while Arsenal Image Mounter CLI can be run on XP with .NET 4.0, and Arsenal Image Mounter Low Level can be run (theoretically) on 2000 onward, Arsenal does not support these older versions of Windows due to the loss of functionality.

How can I increase performance from disk images mounted by Arsenal Image Mounter?

Storing disk images on the fastest possible storage media is the most efficient way of increasing performance from disk images mounted by Arsenal Image Mounter. Here are benchmarks from launching a Windows 10 BitLockered disk image (184GB in size, E01 format) into a virtual machine with AIM (all benchmark times are from clicking Launch VM through Windows logon and seeing a user’s Desktop), which demonstrate the drastic differences in performance between disk images stored on hard disk drives (HDDs) and solid-state drives (SSDs):


Test – Result

  1. Mounted unlocked BitLockered disk image from internal HDD – 4-6 minutes
  2. Mounted unlocked BitLockered disk image from internal SSD – 2-3 minutes
  3. Mounted fully decrypted BitLockered disk image from internal HDD (full decryption took 40-45 minutes) – 3-4 minutes
  4. Mounted fully decrypted BitLockered disk image from internal SSD (full decryption took 10-15 minutes) – 1 minute

What file systems does Arsenal Image Mounter support?

When mounting disk images using the “Read only…”, “Write temporary…”, and “Write original…” mount options, Arsenal Image Mounter essentially “hands off” the contents of disk images to Windows as if they were real SCSI disks, so the file system drivers currently installed on Windows will be used as necessary. Arsenal has used NTFS, FAT32, ReFS, exFAT, HFS+, UFS, and EXT3 file systems contained within AIM-mounted disks successfully when the appropriate file system drivers were installed. AIM also supports bypassing Windows file system drivers and using DiscUtils file system drivers via the “Windows file system driver bypass” mount option.

What disk image formats does Arsenal Image Mounter support?

  • Raw (dd)
  • Advanced Forensics Format 4 (AFF4)
  • EnCase (E01 and Ex01 if libewf is available)
  • Virtual Machine Disk Files (VHD, VDI, XVA, VMDK if DiscUtils is available)

What do you mean when you use the phrase "disk images?"

When we use the phrase “disk images” we are using it loosely, in the sense that we are referring to images containing complete disks or partitions, whether they are in raw, virtual machine, or forensic formats.

Why are some files and folders inaccessible to me after mounting a disk image with Arsenal Image Mounter?

Arsenal Image Mounter passes the contents of disk images to Windows as if they were complete disks when using the “Read only…”, “Write temporary…”, and “Write original…” mount options. Once AIM has passed the contents of disk images mounted in these modes to Windows, the file system drivers you currently have installed take over and caveats like difficulty accessing protected files and folders may apply.

Is there a command-line interface version of Arsenal Image Mounter?

Yes – “Arsenal Image Mounter CLI” is a .NET 4.0 tool that provides most of Arsenal Image Mounter’s functionality. The command “AIM_CLI /?” displays basic syntax for using Arsenal Image Mounter CLI. We have also released “Arsenal Image Mounter Low Level”, which does not use .NET and provides more low-level access to the AIM driver. The command “AIM_LL /?” displays basic syntax for using Arsenal Image Mounter Low Level.

How can I or my organization contribute to Arsenal Image Mounter?

If Arsenal Image Mounter has become a valuable part of your toolkit, please let your colleagues in digital forensics know. We would also appreciate knowing how you use AIM and if you have any suggestions for future versions. If you or your organization have used AIM source code, APIs, and/or executables in open-source or commercial projects, please make sure you are complying with our licensing requirements. Commercial licensing of AIM source code, APIs, and/or executables helps us offset the cost of continued development, both in terms of Free and Professional Mode functionality.

What does "Create removable disk device" in the "Mount Options" screen do?

This function essentially emulates the attachment of a USB thumb drive. We have heard that it facilitates the mounting of images containing partitions rather than disks, even though Arsenal Image Mounter was designed to mount disks specifically. Characteristics (and limitations) of using this function include:

  • Windows (prior to Windows 10 Build 1703) will only identify and use the first partition on the image, even if the image contains more than one partition
  • SAN policies such as requiring new devices to be mounted offline do not apply
  • Drive letters are always assigned even if automatic drive letter assignment is turned off
  • Windows identifies and uses file systems even for single-volume images that have no partition table
  • Inability to interact with Volume Shadow Copies natively

Do I need an Internet connection for Arsenal Image Mounter licensing?

You only need an Internet connection for Arsenal Image Mounter when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, please see “How can I license Arsenal Image Mounter on an offline workstation?” below.

How can I license Arsenal Image Mounter on an offline workstation?

If you want your air-gapped workstation properly licensed for Arsenal Image Mounter, please:

  1. Open Arsenal Image Mounter and enter the license code you were given. Upon realizing that no Internet connection is available, Arsenal Image Mounter will save a “.LIC” file to your ProgramData\ArsenalRecon folder
  2. On a workstation with Internet access, go to our Offline Activation page at https://www.softworkz.com/offline/offline.aspx and upload the “.LIC” file. 
  3. Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder

Your air-gapped workstation is now ready to run Arsenal Image Mounter!

How can I mount and launch virtual machines from disk images containing BitLocker volumes?

When you use Arsenal Image Mounter to mount a disk image containing BitLocker volumes, Windows will recognize those volumes and either ask to unlock them with a key (assuming they were in a locked state) or begin real-time decryption without requiring any user input (assuming they were in a disabled or suspended state). There are a variety of ways in which “BitLockered disk images” (how Arsenal refers to disk images containing one or more BitLocker volumes) can be launched into virtual machines.

Here are three examples of workflows to launch BitLockered disk images into virtual machines:

This workflow is what we recommend if you would like maximum performance from the virtual machine:

  1. Use AIM to mount the disk image containing one or more BitLockered volumes in write-temporary mode
  2. Use Windows on your forensic workstation to unlock the BitLockered volume(s) (if the Windows dialog for unlocking goes away, double-click on the BitLockered volume(s) to bring it up again)
  3. Use Windows on your forensic workstation to fully decrypt* (via “manage-bde -off (Volume Letter:)” at a command prompt), not just unlock, the BitLockered volume(s)
  4. Use AIM’s Launch VM feature to launch a virtual machine
  5. Run AIM Virtual Machine Tools by selecting the Ease of Access icon and use password bypass, etc. as desired

* By fully decrypt, we are referring to turning BitLocker off (fully decrypting all the contents of the BitLocker volume) after you have mounted and unlocked the disk image with Arsenal Image Mounter in temporary-write mode. You can check on the status of a full BitLocker decryption by using “manage-bde -status Volume Letter:” at a command prompt. Unlocking (rather than fully decrypting) BitLocker only results in real-time decryption of the BitLocker volume contents as necessary, rather than full decryption.

This workflow is what we recommend for fastest access to the virtual machine (as there is no wait for full decryption):

  1. Use AIM to mount the disk image containing one or more BitLockered volumes in write-temporary mode
  2. Use Windows on your forensic workstation to unlock the BitLockered volume(s)
  3. Use AIM’s Launch VM feature to launch a virtual machine (when asked, allow AIM to disable* BitLocker encryption and inject AIM Virtual Machine Tools) 
  4. Run AIM Virtual Machine Tools by selecting the Ease of Access icon and use password bypass, etc. as desired

* By disable (a/k/a suspend), we are referring to exposing the BitLockered volume’s encryption key in the clear (the equivalent of “manage-bde -protectors -disable (Volume Letter:)”), turning off any volume protection.

This workflow we do not recommend, because AIM Virtual Machine Tools will not be injected and you will be on your own in terms of logging in to any Windows accounts:

  1. Use AIM to mount the disk image containing one or more BitLockered volumes in write-temporary mode
  2. Do not unlock BitLocker
  3. Use AIM’s Launch VM feature to launch a virtual machine (without allowing AIM to unlock and disable BitLocker encryption)

Can I use Arsenal Image Mounter to mount Volume Shadow Copies (VSCs) in Windows natively?

Yes, you can enable Arsenal Image Mounter’s “Professional Mode” to access VSC mounting functionality and choose to mount the contents of VSCs with either the Windows or DiscUtils NTFS drivers, or you can leverage AIM’s “Free Mode” image mounting functionality along with other tools such as Eric Zimmerman’s VSCMount at https://ericzimmerman.github.io/#!index.md or as described on David Cowen’s blog at http://www.hecfblog.com/2014/02/daily-blog-240-arsenal-image-mounter.html.

How can I release or attach my mouse from a virtual machine launched by AIM?

You can release your mouse from Hyper-V by using the keyboard shortcut CTRL-ALT-LEFT ARROW. In some cases you may find that clicking within the Hyper-V virtual machine does not immediately attach your mouse, but if you wait until the operating system within the virtual machine is ready for input (in other words, it’s not busy!) you will then be able to attach your mouse. More keyboard shortcuts can be found at https://blogs.msdn.microsoft.com/virtual_pc_guy/2008/01/14/virtual-machine-connection-key-combinations-with-hyper-v.

Can I use Arsenal Image Mounter to decrypt full-disk and volume encryption within disk images?

Yes, Arsenal Image Mounter is used frequently for this purpose. You can read more about the general process on David Cowen’s blog at http://www.hecfblog.com/2014/03/daily-blog-263-decrypting-images-with.html. You can read more about the specific process involved with decrypting Apple FileVault encrypted volumes on Yogesh Khatri’s blog at http://www.swiftforensics.com/2013/03/decrypting-apple-filevault-full-volume.html.

Are you having trouble booting decrypted BitLocker volumes?

See Adam Bridge’s excellent blog post on modifying an NTFS volume’s Volume Boot Record (VBR) using Arsenal Image Mounter’s “Write temporary” mode at https://www.contextis.com/resources/blog/making-ntfs-volume-mountable-tinkering-vbr/.

How can I fix AIM’s drop-down menus from flying out beyond the GUI’s borders?

This behavior may be related to Windows Presentation Foundation (WPF) and “handedness.” Your handedness setting can be found by hitting Windows key+R, then pasting in “shell:::{80F3F1D5-FECA-45F3-BC32-752C152E456E}”. If your handedness setting is “Right-handed” you may want to change it to “Left-handed”.

Will using Hyper-V's "Enhanced Session Mode" cause any problems with Windows virtual machines?

Potentially, yes. We do not recommend using Hyper-V’s Enhanced Session Mode (essentially using Remote Desktop to connect to the virtual machine) because unexpected policy issues may surface – for example, accounts may be prohibited from remote and password-less logons. If you are booting a virtual machine and see the Enhanced Session Mode dialog asking about screen resolution, just exit that dialog and you will be returned to direct console mode.

Is it possible to deploy Arsenal Image Mounter unattended?

To some extent, yes. We can provide customers with an installation package containing the Arsenal Image Mounter driver and the AIM CLI application, which can be installed silently depending on circumstances. While the installation will be silent in terms of Arsenal Image Mounter itself, it may not be silent in terms of Windows due to policy – for example, users may need to confirm that they trust drivers from Arsenal.

Is there an Application Programming Interface (API)?

Yes – Arsenal Image Mounter provides both .NET and non-.NET APIs. You can find these APIs on our GitHub page at https://github.com/ArsenalRecon/Arsenal-Image-Mounter/tree/master/API.

What programming languages have been used to build Arsenal Image Mounter?

Arsenal Image Mounter’s Storport miniport driver is written in C and its user mode API library is written in VB.NET, which facilitates easy integration with .NET 4.0 applications.

Where can I find the source code?

Arsenal Image Mounter source code can be found on GitHub at https://github.com/ArsenalRecon/Arsenal-Image-Mounter.

Use and License

We chose a dual-license for Arsenal Image Mounter (more specifically, Arsenal Image Mounter’s source code, APIs, and executables) to allow for royalty-free use in open source projects, but require financial support from commercial projects.

Arsenal Consulting, Inc. (d/b/a Arsenal Recon) retains the copyright to Arsenal Image Mounter, including the Arsenal Image Mounter source code, APIs, and executables, being made available under terms of the Affero General Public License v3. Arsenal Image Mounter source code, APIs, and executables may be used in projects that are licensed so as to be compatible with AGPL v3. If your project is not licensed under an AGPL v3 compatible license and you would like to use Arsenal Image Mounter source code, APIs, and/or executables, contact us (sales@ArsenalRecon.com) to obtain alternative licensing.

Contributors to Arsenal Image Mounter must sign the Arsenal Contributor Agreement (“ACA”). The ACA gives Arsenal and the contributor joint copyright interests in the source code.

Chelsea, Massachusetts

sales@ArsenalRecon.com

(617) ARSENAL

or (617) 277-3625
