Do you have a question?

Browse our frequently asked questions for answers.

Arsenal Image Mounter Arsenal Image Mounter

Why is Arsenal Image Mounter different than other disk image mounting solutions?

Many disk image mounting solutions mount the contents of disk images in Windows as shares or partitions (rather than "complete" disks), which limits their usefulness. Arsenal Image Mounter is the first and only open source solution for mounting the contents of disk images as complete disks in Windows. We have also developed a significant amount of functionality that is particularly useful to the digital forensics and incident response community.

What are the requirements for running Arsenal Image Mounter?

Arsenal strongly recommends running Arsenal Image Mounter on Windows 10 (version 1703 or later), 11, or Server 2016/2019 x64 with the latest .NET 6 so that all functionality (e.g. launching virtual machines and BitLocker-related functionality) works as intended.

What are some of the key differences between Arsenal Image Mounter’s “Free Mode” and “Professional Mode”?

Free Mode

  • Mount raw, forensic, and virtual machine disk images as complete (a/k/a “real”) disks on Windows

  • Temporary write support with replayable differencing files for all supported disk image formats

  • Save "physically" mounted objects to various disk image formats

  • Identify (with details), unlock, fully decrypt, and disable/suspend BitLocker-protected volumes

  • Access disks, volumes, and Volume Shadow Copies as virtual dd files

  • Virtually mount optical images

  • RAM disk creation with either static or dynamic memory allocation

  • Command-line interface (CLI) executables

  • MBR injection, fake disk signatures, removable disk emulation, and much more

Professional Mode offers all Free Mode functionality plus:

  • Effortlessly launch virtual machines from disk images

  • Extremely powerful Windows authentication and DPAPI bypasses within virtual machines

  • Volume Shadow Copy mounting (standard, with Windows NTFS driver bypass, or as complete disks)

  • Launch virtual machines directly from Volume Shadow Copies

  • Attach to actual physical disks (fixed and removable) to leverage virtual machine launching, VSC mounting, etc.

  • Write mounted disk images to physical disks with optional free space clearing

  • Windows file system driver bypass (FAT, NTFS, ExFAT, HFS+, Ext2/3/4, etc.)

  • Exposure of NTFS metadata, slack, and unallocated in Windows file system driver bypass mode

  • Virtually mount archives and directories

  • Save disk images with fully-decrypted BitLocker volumes

How can I increase performance from disk images mounted by Arsenal Image Mounter?

Storing disk images on the fastest possible storage media is the most efficient way of increasing performance from disk images mounted by Arsenal Image Mounter. Here are benchmarks from launching a Windows 10 disk image (184GB in size, E01 format) into a virtual machine with AIM (all benchmark times are from clicking Launch VM through Windows logon and seeing a user’s Desktop), which demonstrate the drastic differences in performance between disk images stored on hard disk drives (HDDs) and solid-state drives (SSDs):

TEST

RESULT

1

Mounted unlocked BitLockered disk image from internal HDD – 4-6 minutes

2

Mounted unlocked BitLockered disk image from internal SSD – 2-3 minutes

3

Mounted fully decrypted BitLockered disk image from internal HDD (full decryption took 40-45 minutes) – 3-4 minutes

4

Mounted fully decrypted BitLockered disk image from internal SSD (full decryption took 10-15 minutes) – 1 minute


What file systems does Arsenal Image Mounter support?

When mounting disk images using the "Disk Device" mount options, Arsenal Image Mounter essentially "hands off" the contents of disk images to Windows as if they were real SCSI disks, so the file system drivers currently installed on Windows will be used as necessary. Arsenal has used NTFS, FAT32, ReFS, exFAT, HFS+, UFS, and EXT3 file systems contained within AIM-mounted disks successfully when the appropriate file system drivers were installed. AIM also supports bypassing Windows file system drivers and using DiscUtils file system drivers via the "Windows file system driver bypass" mount option.

What disk image formats does Arsenal Image Mounter support?
  • Raw (dd)

  • Advanced Forensics Format 4 (AFF4) if libaff4 is available

  • EnCase (E01 and limited support for Ex01) if libewf is available

  • Virtual Machine Disk Files (VHD, VDI, XVA, VMDK, OVA, qcow, qcow2) and checkpoints (AVHD, AVHDX)

What do you mean when you use the phrase "disk images?"

When we use the phrase "disk images" we are using it loosely, in the sense that we are referring to images containing complete disks or partitions, whether they are in raw, virtual machine, or forensic formats.

Why are some files and folders inaccessible to me after mounting a disk image with Arsenal Image Mounter?

Arsenal Image Mounter passes the contents of disk images to Windows as if they were complete disks when using the "Disk Device" mount options. Once AIM has passed the contents of disk images mounted in these modes to Windows, the file system drivers you currently have installed take over and caveats like difficulty accessing protected files and folders may apply.

What file systems does the Windows file system driver bypass mount option support?

• FAT 12/16/32

• NTFS

Experimental support for:

• Btrfs

• Ext2/3/4 (except with 64 bit header fields used by some of the latest Linux distributions)

• ExFAT

• HFS+

• SquashFs

• UDF

• XFS

Can you describe some of the NTFS-related things exposed by the Windows file system driver bypass mount option as well as any NTFS-related limitations?

• NTFS metafiles (for example, $MFT, $LogFile, $UsnJrnl..$J)

• NTFS Alternate Data Streams (ADS) as files suffixed with their stream names alongside the "normal" files they are associated with

• NTFS streams in the [METADATA] folder at the root of each volume. You will find the entire volume's folder structure replicated here, and within each folder you will find the associated streams using the naming convention (STREAMNAME)..(STREAMTYPE). You can also find concatenated stream data for the entire volume at the root of the [METADATA] folder, using the naming convention [(STREAMNAME)]..[(STREAMTYPE)]. The streams currently exposed are $OBJECTID, $INDEXROOT, $INDEXALLOCATION, $EA, and $LOGGEDUTILITY_STREAM.

• Deleted files which have not been completely overwritten will be displayed in the [DELETED] folder at the root of each volume. Filenames will be appended (unless none of their clusters appear to have been reallocated, in which case they will remain as is) to identify what percentage of their clusters have apparently not been reallocated. If you see "[0pct]" appended to a filename, that indicates a very small number of clusters appear to have been reallocated and the percentage has been rounded down to 0. Also, orphans will be displayed within folders using the naming convention MFT-(#)_SEQ-(#). This functionality is based on the DiscUtils project and is best described as "quick file and folder recovery." Please note that while browsing the contents of the [DELETED] folder you may encounter various kinds of corruption related to deleted files and folders (which will result in the error "The disk structure is corrupted and unreadable.") and that the contents of deleted files from SSDs (as opposed to HDDs) will often be empty.

• File slack, unallocated space, and volume slack are exposed at the root of each volume as [SLACK], [UNALLOCATED], and [VOLUME SLACK] respectively. Please note that the volume slack is related to space between the last cluster of the file system and the end of the volume.

• Support for some of the most recent NTFS features (such as CompactOS) are under development and not currently supported.

What is the best mount mode for the purpose of an offline malware scan?

Generally speaking, the best mount mode for an offline malware scan is Windows file system driver bypass as it will provide the malware scanner with access to files that would not be readily accessible otherwise due to file system security. Please note, you may want to exclude certain “files” that AIM exposes in this mount mode which include [SLACK], [UNALLOCATED], [VOLUME SLACK], and possibly the contents of the [DELETED] folder.

Does Arsenal Image Mounter have command-line functionality?

Yes, please see readmecli.txt for more details. In short, Arsenal Image Mounter CLI (aimcli.exe) is a .NET 4.0 tool that provides most of Arsenal Image Mounter’s core functionality. The command “AIMCLI /?” displays basic syntax for using Arsenal Image Mounter CLI. Arsenal Image Mounter CLI is provided with all versions of Arsenal Image Mounter. Arsenal Image Mounter Low Level (aimll.exe) is a tool that does not use .NET and provides more “low level” access to the Arsenal Image Mounter driver. The command “AIM_LL /?” displays basic syntax for using Arsenal Image Mounter Low Level. Arsenal Image Mounter Low Level is provided directly by Arsenal.

How can I share files, folders, and/or disks with virtual machines launched by Arsenal Image Mounter?

We normally prefer complete isolation of the virtual machines launched by AIM, but there are plenty of situations in which we need to share files, folders, and/or disks with virtual machines. Some methods of sharing include:

• Enabling guest services in AIM's Launch VM options and then enabling Enhanced Session Mode (by selecting "Connect" at the "Display Configuration” dialog on Windows 8+) while the VM is booting, which will allow copy/paste between the host and virtual machine

• Enabling guest services and Enhanced Session Mode as above will also allow USB drives already attached to the host to be attached to the VM, by selecting “Show Options/Local Resources/Local devices and resources/More…” at the Enhanced Session dialog, then under “Drives” selecting which USB drives to attach to the virtual machine

• Using the Hyper-V Settings/SCSI Controller/Hard Drive/Add/Physical hard disk dropdown to add an offline disk to the VM once it has booted (a "disk" can be a real disk, a VHDX, or a RAM disk created by AIM), which will allow the disk to be used exclusively by the VM

• In Generation 1 VMs, using the Hyper-V Settings/IDE Controller/Physical CD/DVD drive dropdown to add a directory or archive mounted by AIM with CD/DVD-ROM emulation to the VM once it has booted, which will allow the disk to be used simultaneously (but read only!) by the host and VM (if you have more than one directory or archive mounted by AIM and would like to switch between them in the VM, use the aforementioned Physical CD/DVD drive dropdown)

• Using AIM's "Attach to existing virtual machine" feature which effectively replaces the "Hyper-V Settings/SCSI Controller" and "Hyper-V Settings/IDE Controller" methods mentioned above, to create more efficient workflow

• Using PowerShell Direct (if both the host and virtual machine are running Windows 10, 11, or Windows 2016) to run PowerShell commands such as Copy-Item and Enter-PSSession against a virtual machine, regardless of its network or remote management settings. Copy-Item is somewhat self explanatory and Enter-PSSession allows you to run commands within the virtual machine. See https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/powershell-direct for more information. Please note that PowerShell will ask for credentials of the account within the virtual machine that you are interested in, which you must provide as DOMAIN\USER or COMPUTER\USER. You do not need to enter a password if AIM has already performed Windows authentication bypass... but please note that even though you do not need to provide a password, PowerShell Direct still requires that the account originally had one. Here is sample syntax for Copy-Item first and then Enter-PSSession, each targeting a SANS Windows 10 workstation launched into a VM by AIM:

	Copy-Item -FromSession (New-PSSession -VMName AIMbase-rd01-cdrive.e015E3437D9) -Path “c:\users\tdungan\documents\demon core.pdf” -Destination c:\users\administrator\desktop
	Enter-PSSession -VMName AIMbase-rd01-cdrive.e015E3437D9
How can I or my organization contribute to Arsenal Image Mounter?

If Arsenal Image Mounter has become a valuable part of your toolkit, please let your colleagues in digital forensics know. We would also appreciate knowing how you use AIM and if you have any suggestions for future versions. If you or your organization have used AIM source code, APIs, and/or executables in open-source or commercial projects, please make sure you are complying with our licensing requirements. Commercial licensing of AIM source code, APIs, and/or executables helps us offset the cost of continued development, both in terms of Free and Professional Mode functionality.

What does "Create removable disk device" in the "Mount Options" screen do?

This function essentially emulates the attachment of a USB thumb drive. We have heard that it facilitates the mounting of disk images containing partitions rather than disks, even though Arsenal Image Mounter was initially designed to mount disks specifically. Characteristics (and limitations) of using this function include:

• Windows (prior to Windows 10 Build 1703) will only identify and use the first partition in the disk image, even if it contains more than one partition

• SAN policies such as requiring new devices to be mounted offline do not apply

• Drive letters are always assigned even if automatic drive letter assignment is turned off

• Windows identifies and uses file systems even for single-volume disk images that have no partition table

• Inability to interact with Volume Shadow Copies natively

Does Arsenal licensing require an Internet connection?

You only need an Internet connection in regard to Arsenal licensing when you initially activate your license code, once a year for a license validation, and when you extend/renew your license. If you cannot connect to the Internet, please see "How can I activate an Arsenal license on an offline/air-gapped workstation?" below.

How can I activate an Arsenal license on an offline/air-gapped workstation?

If you want your offline/air-gapped workstation properly licensed to run Arsenal Image Mounter and our other tools:

1.) Open Arsenal Image Mounter and enter the license code you were given

2.) Upon realizing that no Internet connection is available, Arsenal Image Mounter will save a “.LIC” file in the Users\Public\ArsenalRecon folder

3.) On a workstation with Internet access, go to our Offline Activation page at https://www.softworkz.com/offline/offline.aspx and upload the “.LIC” file

4.) Finally, copy the CDM file you receive to the Users\Public\ArsenalRecon folder on your offline/air-gapped workstation

Your offline/air-gapped workstation is now ready to run all the Arsenal tools! Please note, if you provide your offline/air-gapped workstation with Internet access for some reason and then launch our tools, the Arsenal license type will be converted from offline to online.

I purchased an Arsenal license extension/renewal, but how do I apply it?

If you have extended/renewed an existing Arsenal license and your forensic workstation has Internet access, but the next time you launch Arsenal Image Mounter you do not see updated subscription information on the Help/About screen..., you can try selecting the "Update license" button. If you have extended/renewed an existing Arsenal license and your forensic workstation is offline, you need to remove the Arsenal license file (.CDM file) from Users\Public\ArsenalRecon and perform another offline activation.

I purchased a new Arsenal license to replace an existing license with an active subscription, but how do I apply it?

If you would like to replace an existing Arsenal license with an active subscription, remove the Arsenal license file (.CDM file) from Users\Public\ArsenalRecon, launch Arsenal Image Mounter, enter the new license code, and follow either the online (if your forensic workstation has Internet access) or offline/air-gapped activation process.

How can I mount and launch virtual machines from disk images containing BitLocker-protected volumes?

When you use Arsenal Image Mounter to mount a disk image containing BitLocker-protected volumes, Windows will recognize those volumes and either ask to unlock them with a key (assuming they were in a locked state) or it will begin real-time decryption without requiring any user input (assuming they were in a disabled or suspended state.) There are a variety of ways in which "BitLockered disk images" (how Arsenal refers to disk images containing one or more BitLocker-protected volumes) can be launched into virtual machines. Here are some examples of workflows to launch BitLockered disk images into virtual machines:

This workflow is what we recommend if you would like maximum performance from the virtual machine:

1.) Use AIM to mount the disk image containing one or more BitLocker-protected volumes in write-temporary mode

2.) Use AIM's "Fully decrypt BitLocker-protected volumes" feature*

3.) Use AIM’s Launch VM feature to launch a virtual machine

4.) Run AIM Virtual Machine Tools by selecting the Ease of Access icon and use password bypass, etc. as desired

* This feature turns BitLocker off - fully decrypting all the contents of the BitLocker-protected volume. This is a time-consuming process and you can check on the status of full BitLocker decryption by using "manage-bde -status Volume Letter:" at a command prompt. Unlocking (rather than fully decrypting) BitLocker only results in real-time decryption of the BitLocker-protected volume contents as necessary, rather than full decryption.

This workflow is what we recommend for fastest access to the virtual machine (as there is no wait for full decryption):

1.) Use AIM to mount the disk image containing one or more BitLocker-protected volumes in write-temporary mode

2.) Use AIM's "Unlock BitLocker-protected volumes" feature or Windows itself on your forensic workstation to unlock the BitLocker-protected volume(s)

3.) Use AIM’s Launch VM feature to launch a virtual machine and select disable/suspend* BitLocker-protected volumes

4.) Run AIM Virtual Machine Tools by selecting the Ease of Access icon and use password bypass, etc. as desired

* By disable/suspend, we are referring to exposing the BitLockered volume's encryption key in the clear (the equivalent of "manage-bde -protectors -disable (Volume Letter:)"), turning off any volume protection.

This workflow we do not recommend, because AIM Virtual Machine Tools will not be injected and you will be on your own in terms of logging in to any Windows accounts:

1.) Use AIM to mount the disk image containing one or more BitLockered-protected volumes in write-temporary mode

2.) Do not unlock BitLocker

3.) Use AIM’s Launch VM feature to launch a virtual machine (without allowing AIM to unlock and disable BitLocker protection)

Can I use Arsenal Image Mounter to mount Volume Shadow Copies (VSCs) in Windows natively?

Yes, you can enable Arsenal Image Mounter's “Professional Mode” to access VSC mounting functionality and choose to mount the contents of VSCs three different ways - with the Windows NTFS driver, the DiscUtils NTFS driver, or as a complete disk (with the Windows NTFS driver). You can also leverage AIM’s "Free Mode" disk image mounting functionality along with other tools such as Eric Zimmerman's VSCMount at:

https://ericzimmerman.github.io/#!index.md

or as described on David Cowen’s blog at:

http://www.hecfblog.com/2014/02/daily-blog-240-arsenal-image-mounter.html

How can I release or attach my mouse from a virtual machine launched by AIM?

You can release your mouse from Hyper-V by using the keyboard shortcut CTRL-ALT-LEFT ARROW. In some cases you may find that clicking within the Hyper-V virtual machine does not immediately attach your mouse, but if you wait until the operating system within the virtual machine is ready for input (in other words, it's not busy!) you will then be able to attach your mouse. More keyboard shortcuts can be found at:

https://blogs.msdn.microsoft.com/virtual_pc_guy/2008/01/14/virtual-machine-connection-key-combinations-with-hyper-v

Can I use Arsenal Image Mounter to decrypt full-disk or volume encryption within disk images?

Yes, Arsenal Image Mounter is used frequently for this purpose. Generally speaking, you have two great options - use AIM to mount your disk image as a “real” disk and let full-disk or volume encryption software on your host proceed, or launch your disk image into a virtual machine to interact with either the full-disk encryption's limited OS or the volume encryption's native applications within the virtual machine. You can see screenshots from both of these options applied to a disk image containing Symantec Encryption Desktop (a/k/a PGP Desktop) at:

https://twitter.com/ArsenalRecon/status/1242094213929537540

If you are dealing with BitLocker, AIM also has BitLocker-related functionality to assist you.

Are you having trouble booting decrypted BitLocker volumes?

See Adam Bridge’s excellent blog post on modifying an NTFS volume’s Volume Boot Record (VBR) using Arsenal Image Mounter’s “Write temporary” mode at:

https://www.contextis.com/resources/blog/making-ntfs-volume-mountable-tinkering-vbr/

How can I fix AIM’s drop-down menus from flying out beyond the GUI’s borders?

This behavior may be related to Windows Presentation Framework and “handedness.” Your handedness setting can be found by hitting Windows key+R, then pasting in “shell:::{80F3F1D5-FECA-45F3-BC32-752C152E456E}”. If your handedness setting is “Right-handed” you may want to change it to “Left-handed”.

I accidentally set the Hyper-V view so small that I can no longer access the "View" drop-down menu, how can I fix this?

Close Hyper-V, change the "ZoomLevel" value within %UserProfile%\AppData\Roaming\Microsoft\Windows\Hyper-V\Client\1.0\vmconnect.config file to 100 (or at least something larger than it is currently set to.), and then launch another virtual machine.

I have noticed that AIM-mounted (or attached) disks exhibit unusual behavior (e.g. inability to offline disks) on one forensic workstation, but not on others - what could be wrong?

Your forensic workstation may be automatically encrypting (BitLocker protector-free encryption, a/k/a "Clear Key Mode") all newly-attached disks per Windows policy. One method to fix this behavior is to remove BitLocker from your forensic workstation's Windows volume, which will disable this problematic policy. You can then enable BitLocker again without this problematic policy interfering with newly-attached disks.

Will using Hyper-V's "Enhanced Session Mode" cause any problems with Windows virtual machines?

Potentially, yes. We do not recommend using Hyper-V's Enhanced Session Mode (which appears as a "Display Configuration” dialog during the launch of virtual machines running Windows 8+ and essentially uses Remote Desktop to connect to the virtual machine) because unexpected policy issues may surface - for example, accounts may be prohibited from remote and password-less logons. If you are booting a virtual machine and see the Enhanced Session Mode dialog asking about screen resolution, just exit that dialog and you will be returned to direct console mode.

Why isn't Hyper-V running properly on bare metal even though I'm sure it's installed?

If you are sure Hyper-V has been installed, but when you run "sc query HvService" from a command prompt you are notified that it is not running, it's possible that there is an issue with boot configuration due to the presence of other virtualization platforms like VMware or Oracle VM VirtualBox. You may be able to resolve this issue by running "bcdedit /set hypervisorlaunchtype auto" at an administrative command prompt (which will result in Hyper-V starting at boot), but please note that you may need to reverse this action ("bcdedit /set hypervisorlaunchtype off") later to make sure your other virtualization platforms work as expected.

Can I run Hyper-V within VMware or Hyper-V within Hyper-V?

We do not recommend nesting virtualization environments, but some of our customers are doing so successfully. You can find details on running Hyper-V within VMware and Hyper-V within Hyper-V in the Insights article at https://ArsenalRecon.com/insights/arsenal-image-mounter-and-virtual-machine-inception.

Why am I unable to see DPAPI-protected data within a virtual machine running Windows, even though I have an account's actual PIN?

Microsoft accounts (Microsoft (cloud) in AIM Virtual Machine Tools) used in combination with Windows Hello can be configured to require TPM and disable password logons. In the event you launch a virtual machine from a disk image containing a Microsoft account in this condition, you will be able to perform a Windows authentication bypass, but if Arsenal Image Mounter has not already made DPAPI bypass available in the Launch VM options you will not be able to unlock DPAPI to access protected data - even if you have the account’s actual PIN which was used on the original device.

Why am I unable to see DPAPI-protected data within a virtual machine running Windows, even though DPAPI bypass was available to me in the Launch VM Options screen?

Arsenal Image Mounter may be unable to determine prior to Windows booting whether a DPAPI bypass will work successfully when dealing with Microsoft accounts (Microsoft (cloud) in AIM Virtual Machine Tools) that use PIN authentication and have not also used (depending on various circumstances) password or picture-password authentication. If you encounter this scenario, AIM will deliver you to a Windows logon screen rather than the selected user’s Desktop.

Is it possible to deploy Arsenal Image Mounter unattended?

To some extent, yes. We can provide customers with an installation package containing the Arsenal Image Mounter driver and the AIM CLI application, which can be installed silently depending on circumstances. While the installation will be silent in terms of Arsenal Image Mounter itself, it may not be silent in terms of Windows due to policy - for example, users may need to confirm that they trust drivers from Arsenal.

Is there an Application Programming Interface (API)?

Yes – Arsenal Image Mounter provides both .NET and non-.NET APIs. You can find these APIs on our GitHub page at:

https://github.com/ArsenalRecon/Arsenal-Image-Mounter/tree/master/API

What programming languages have been used to build Arsenal Image Mounter?

Arsenal Image Mounter’s Storport miniport driver is written in C and its user mode API library is written in VB.NET, which facilitates easy integration with .NET 4.0 applications.

Where can I find the source code?

Arsenal Image Mounter source code can be found on GitHub at:

https://github.com/ArsenalRecon/Arsenal-Image-Mounter

How can I uninstall Arsenal Image Mounter?

If you would like to completely uninstall Arsenal Image Mounter (perhaps you want to revert to an earlier version), go to Device Manager\Storage controllers\Arsenal Image Mounter, right-click and select "Uninstall device". Then, from an administrative command prompt:

1.) [Optional] If you have the Windows Driver Kit (WDK) installed (or Visual Studio, or the Windows SDK), you can run "devcon remove phdskmnt" (e.g. C:\Program Files (x86)\Windows Kits\10\Tools\x64\devcon remove phdskmnt) instead of using Device Manager

2.) sc delete phdskmnt

3.) sc delete aimwrfltr

4.) [Optional] sc stop vhdaccess

5.) [Optional] sc delete vhdaccess

6.) [Optional] sc stop awealloc

7.) [Optional] sc delete awealloc

8.) [Optional] sc stop dokan1

9.) [Optional] sc delete dokan1

10.) Delete phdskmnt.sys and aimwrfltr.sys from C:\Windows\system32\drivers

11.) [Optional] Delete vhdaccess.sys, awealloc.sys and dokan1.sys from C:\Windows\system32\drivers

12.) Delete the Arsenal Image Mounter executables, libraries, and documentation from where you placed them

What should I know about Arsenal Image Mounter licensing and contributions?

We chose a dual-license for Arsenal Image Mounter (more specifically, Arsenal Image Mounter’s source code, APIs, and executables) to allow for royalty-free use in open source projects, but require financial support from commercial projects.

Arsenal Consulting, Inc. (d/b/a Arsenal Recon) retains the copyright to Arsenal Image Mounter, including the Arsenal Image Mounter source code, APIs, and executables, being made available under terms of the Affero General Public License v3. Arsenal Image Mounter source code, APIs, and executables may be used in projects that are licensed so as to be compatible with AGPL v3. If your project is not licensed under an AGPL v3 compatible license and you would like to use Arsenal Image Mounter source code, APIs, and/or executables, contact us (sales@ArsenalRecon.com) to obtain alternative licensing.

Contributors to Arsenal Image Mounter must sign the Arsenal Contributor Agreement (“ACA”). The ACA gives Arsenal and the contributor joint copyright interests in the source code.


Hibernation Recon Hibernation Recon

System Requirements

Hibernation Recon requires Microsoft Windows 8 or later.

How can I run the command line interface version of Hibernation Recon?

Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec” from an administrative command prompt):

HibRec /HiberFill=(FullPath)
What are the "Legacy" and "Modern" hibernation formats?

Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.

What are the output files created by Hibernation Recon?

Output Filename

Description

ActiveMemory.bin

Active memory decompressed & reconstructed

DecompressedSlackLegacy.bin

All levels of slack (Legacy format) decompressed & placed in one output file

DecompressedSlackModern.bin

All levels of slack (Modern format) decompressed & placed in in one output file

DecompressedSlackLevels/
DecompressedSlackLevelXXXYLegacy.bin

Slack (Legacy format) decompressed & placed in multiple output files by slack level. The “Y” distinguishes previous Windows installations when possible.

DecompressedSlackLevels/
DecompressedSlackLevelXXXModern.bin

Slack (Modern format) decompressed & placed in multiple output files by slack level

RawSlackLegacy.bin

Raw slack (Legacy format) from all slack levels placed in one output file

RawSlackModern.bin

Raw slack (Modern format) from all slack levels placed in one output file

RawSlackChunks/RawSlackChunk(Decimal Offset)(Hex_Offset).bin

Raw slack placed in multiple output files by chunk

NonZeroAfterValidSlack.bin

Non-zero data after all valid levels of slack

AllSlack.bin

All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file

IndxI30Entries.csv

Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records

IndxObjIdOEntries.csv

Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records

HibRec.log

Hibernation Recon log file

What can I do with the output from Hibernation Recon?

You can load decompressed and reconstructed memory (ActiveMemory.bin) into memory forensics toolkits, and run other tools (bulk_extractor, PhotoRec, etc.) against both the active and slack output from Hibernation Recon to extract many kinds of artifacts.

Does Arsenal licensing require an Internet connection?

You only need an Internet connection in regard to Arsenal licensing when you initially activate your license code, once a year for a license validation, and when you extend/renew your license. If you cannot connect to the Internet, please see "How can I activate an Arsenal license on an offline/air-gapped workstation?" below.

How can I activate an Arsenal license on an offline/air-gapped workstation?

If you want your offline/air-gapped workstation properly licensed to run Hibernation Recon and our other tools:

1.) Open Arsenal Image Mounter and enter the license code you were given

2.) Upon realizing that no Internet connection is available, Arsenal Image Mounter will save a “.LIC” file in the Users\Public\ArsenalRecon folder

3.) On a workstation with Internet access, go to our Offline Activation page at https://www.softworkz.com/offline/offline.aspx and upload the “.LIC” file

4.) Finally, copy the CDM file you receive to the Users\Public\ArsenalRecon folder on your offline/air-gapped workstation

Your offline/air-gapped workstation is now ready to run all the Arsenal tools! Please note, if you provide your offline/air-gapped workstation with Internet access for some reason and then launch our tools, the Arsenal license type will be converted from offline to online.

How can hibernation files be zeroed out?

Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry setting is enabled or after Windows 8/8.1, 10, and 11 resumes on SSDs.

What impact does Fast Boot/Fast Startup have on Windows hibernation?

Windows 8/8.1, Windows 10, and Windows 11 normally have “Fast Boot” (Windows 8) or “Fast Startup” functionality (hereafter “Fast Startup”) enabled by default. Windows shutdowns on a Fast Startup enabled system will write kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in background, and other user mode processes that do not belong to any specific user session to the hibernation file. Although all user sessions are logged out before this writing to the hibernation file occurs, much more than kernel memory is taken into account. Of course, a “normal” or “complete” hibernation when a user is logged into Windows will result in much more data being written to the hibernation file.

How can I troubleshoot why a hibernation file has not been processed by Hibernation Recon?

Your hibernation file may have been zeroed out, contain an unknown memory structure, or never used for an actual hibernation. You may want to compress the hibernation file to get a quick sense of whether it has been zeroed out, and/or review its raw content. If you are still unsure why the hibernation file has not been processed in Hibernation Recon, you can provide us with the first 1mb and we will help you determine its state.

Why are certain Registry hives missing from a successfuly processed hibernation file?

As of Windows 10 Build 17134 (or maybe 17063), Microsoft added a new Registry process which is responsible for all hives other than SYSTEM and HARDWARE. The Registry process does not end up in Fast Startup hibernation, so you will no longer find the other hives there.

What kinds of advanced NTFS metadata recovery does Hibernation Recon provide?

Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contains Object IDs or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well. Regarding timestamps in the Hibernation Recon output, CTime=File Create Time, ATime=File Modified Time, MTime=MFT Entry modified Time, and RTime=File Last Access Time.

How would you describe Object IDs?

NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file’s $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage’s The Meaning of LIFE document.


Registry Recon Registry Recon

System Requirements

Registry Recon requires Microsoft Windows 7 or later, .NET 4, and the Visual C++ 2010 Redistributable Package (x86/x64).

What is the Microsoft Windows Registry?

The Registry is a complex ecosystem, in database form, containing information related to hardware, software, and users on computer systems running Microsoft Windows. At a very basic level, the Registry is composed of “keys” and “values” which are similar in some ways to folders and files. Analysis of this information reveals the names of recently accessed files when applications were last run, who attached removable storage devices, and much more. The Registry is continually referenced during Windows operation so large volumes of Registry data can always be found both on disk and in live memory.

What are the Recon Registries and Recon View?

Recon Registries are all the Registries rebuilt by Registry Recon. Recon View is our method of showing you all the values within them in a unique and historical fashion, with seamless access to all instances of those values if you so desire.

What kinds of evidence can be added to Registry Recon?

Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.

I am a student and would like to try Registry Recon. Where can I find sample evidence?

You can find sample evidence herehere, and here.

How Do Recon Registries Get Their Name?

If a full set of hives (particularly System and Software) are available for any particular Registry, its Recon Registries name will include the system name, Windows version, and install date. If a System hive is available, but a Software hive is not, the name will include the system name and Machine Security ID (“MSID”). If a Software hive is available, but a System hive is not, the name will include the Windows version and install date. If both System and Software hives are missing, the name will simply include an MSID.

Can Registry Recon resurrect registries if they have been overwritten?

It’s important to keep in mind that in the context of computer forensics, “deleted” and “overwritten” are two very different things. Registry Recon is often very successful rebuilding Registries which have been deleted and only exist in unallocated (deleted) space. Registry Recon cannot however rebuild Registries if they have been overwritten – for example, if a data scrubbing tool has been used to overwrite unallocated space.

Where can I get the latest version of Registry Recon?

You can get the latest version of Registry Recon from our Downloads page.

How can I activate an Arsenal license on an offline/air-gapped workstation?

If you want your offline/air-gapped workstation properly licensed to run Registry Recon and our other tools:

1.) Open Arsenal Image Mounter and enter the license code you were given

2.) Upon realizing that no Internet connection is available, Arsenal Image Mounter will save a “.LIC” file in the Users\Public\ArsenalRecon folder

3.) On a workstation with Internet access, go to our Offline Activation page at https://www.softworkz.com/offline/offline.aspx and upload the “.LIC” file

4.) Finally, copy the CDM file you receive to the Users\Public\ArsenalRecon folder on your offline/air-gapped workstation

Your offline/air-gapped workstation is now ready to run all the Arsenal tools! Please note, if you provide your offline/air-gapped workstation with Internet access for some reason and then launch our tools, the Arsenal license type will be converted from offline to online.

I had trouble adding evidence to Registry Recon, what is wrong?

Certain computer forensics applications can interfere with physical drives being added as evidence to Registry Recon, so Arsenal recommends refraining from their use while Adding Evidence.

What updates are on the way?

We are working on a large number of updates which include support for live memory captures, greatly improving searching, bookmarking, and reporting functionality, and performance tuning.