
Introducing AIM Remote Agent

March 11th, 2025
Mark Spencer

Arsenal Image Mounter Remote Agent (a/k/a AIM Remote Agent) is a CLI application that runs on Windows, Linux, and BSD and makes disks available to Arsenal Image Mounter over a network.

Arsenal strongly recommends that AIM Remote Agent be run from a forensically-sound boot environment that is compatible with Secure Boot and ensures disks are kept offline and read-only at all times. Once a disk is made available to AIM via AIM Remote Agent, any of AIM's mount modes can be selected. For example, if write temporary mode is selected, AIM's write filter will be applied on the forensic workstation running AIM to facilitate interaction with the remote disk as if it were a locally attached, writable, and complete (a/k/a “physical” or “real”) disk - allowing AIM to do things which include interacting with the remote disk's BitLocker, mounting its Volume Shadow Copies using multiple methods, and launching it into a virtual machine.

Colin Ramsden’s WinFE (Windows Forensic Environment) was the first forensically-sound boot environment to support AIM Remote Agent. We expect AIM Remote Agent will be supported by similar (but Linux-based) projects soon.

So why would you boot computers with WinFE and use AIM Remote Agent to connect disks to AIM over a network? Here are some possible use cases:

• You can’t (or don’t want to) remove internal storage devices for traditional forensic imaging (e.g. to reduce the possibility of damaging the computer or due to covert preservation requirements), but still want complete disk images

• You aren’t sure what combination of chassis intrusion, Secure Boot, BitLocker, & Windows authentication are in play & you need to be extremely careful to preserve contents of internal storage without limiting next steps (i.e. you don’t want to trip chassis intrusion, Secure Boot, &/or BitLocker recovery mode)

• You want to centrally manage disk imaging from multiple computers over a secure & fast network

• You want an efficient way to conduct powerful triage of multiple computers (leveraging AIM’s BitLocker functionality, multiple methods of VSC mounting, Windows file system driver bypass, virtual machine launching with Windows authentication & DPAPI bypasses, etc.) without first obtaining disk images

Emina and Anastasia have created a nice series of screenshots and photos showing AIM Remote Agent running on two computers booted with WinFE and connected to AIM. You can quickly see how easy and useful it is to make disks available to AIM over a network in a forensically-sound manner:

Initial Connection of AIM Remote Agent (on ASUS Laptop Booted with WinFE) to AIM

Initial Connection of a Second AIM Remote Agent (on TALINO Workstation Booted with WinFE) to AIM

Showing Disk Details After Two AIM Remote Agents Connected to AIM

Unlocking BitLocker on Remote Disk (ASUS Laptop) with AIM

Launching Virtual Machine from Remote Disk (ASUS Laptop) with AIM

Virtual Machines Launched from Both Remote Disks and Viewing Secrets with AIM

Mounting Volume Shadow Copies from Remote Disk (TALINO Workstation) with AIM

Want to try all of this for yourself? If you are already an Arsenal customer, it’s quite easy: we do not charge anything extra for the new AIM Remote Agent, and x86 and x64 builds are included in a subfolder within the AIM download. AIM Remote Agent will soon be included in the official WinFE build process, and in the meantime you can view a short tutorial from Derek Eiri on adding AIM Remote Agent to WinFE. Finally, don’t forget to read the AIM Remote Agent readme file (readme_remote.txt) included with AIM.

Good hunting!
