
Introducing Arsenal Image Mounter v3.3.134 and DPAPI Bypass

October 26th, 2020
Mark Spencer
Arsenal Image Mounter is the casino and disk images are the gamblers.

Three months ago I challenged the Arsenal team by suggesting that we could get more creative about how to access protected content in Windows, especially considering Arsenal Image Mounter was already reliably launching disk images into virtual machines and bypassing every type of Windows authentication.

We did it. In the last three months we found that, academically speaking, accessing Data Protection API (DPAPI) protected data on Windows 10 was relatively straightforward in certain situations. We also found that turning this knowledge into something seamless was anything but straightforward. Our team was relentless and forged ahead until we built something extremely powerful, unique, and… seamless.

Our customers will soon find that the combination of AIM’s existing Windows authentication bypass with our new DPAPI bypass is amazing.

In a bit more detail (from the AIM v3.3.134 readme):

“Bypass Data Protection API (DPAPI), which provides seamless access (particularly in concert with AIM’s Windows authentication bypass) to the last logged-on user’s DPAPI-protected content such as website, network share, and application credentials as well as files and folders protected by Encrypting File System (EFS). DPAPI-protected content is normally made available after a user successfully logs into Windows, but AIM’s DPAPI bypass makes it available without having the user’s credentials. This option will be available in certain situations when AIM first launches a Windows 10 x64 system with local or Microsoft (cloud) accounts into a virtual machine. Please note, this option currently works best with single-user systems and will not persist across reboots.”

While all our customers should be excited about this new functionality, we think law enforcement and military customers will be particularly excited due to the number of single-user tablets, laptops, and desktops they come across. Please note, we have already found situations in which we can extend our DPAPI bypass to work better against multi-user systems, so our work in this regard is not done.

Before we get too far, we should better define DPAPI. Microsoft released DPAPI in Windows 2000 so that third-party developers (and Microsoft themselves) would have a reliable, flexible, and easy-to-use method to encrypt and decrypt data. DPAPI encryption can be based either on a particular user (requiring the use of the user’s Windows login credentials) or a particular system (requiring the use of any user’s Windows login credentials). DPAPI-protected data can be found in many places on a Windows computer such as the Registry and various application databases. In some situations it’s easy for a digital forensics practitioner to determine how applications are using DPAPI-protected data, but in other situations (e.g. Dropbox databases) it’s more challenging, because DPAPI is part of a larger system to protect a particular type of data.
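To make "DPAPI-protected data can be found in many places" concrete, here is an added triage example (not Arsenal's code and not part of AIM) that scans raw bytes, such as an exported Registry value or an application database, for DPAPI blob headers and reports which master key each blob refers to. The header layout is the one commonly documented from reverse engineering and is an assumption here, as are the function names and the constructed sample input.

```python
import struct
import uuid

# Assumed blob header layout (not from the article): dwVersion=1, provider GUID,
# dwMasterKeyVersion, master key GUID, dwFlags, dwDescriptionLen,
# description (UTF-16LE), cipher ALG_ID, cipher key bits.
PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
MAGIC = struct.pack("<I", 1) + PROVIDER.bytes_le
CIPHERS = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256"}


def parse_header(data, off):
    """Parse one blob header at off; return None if truncated or implausible."""
    p = off + len(MAGIC)                      # dwMasterKeyVersion starts here
    if len(data) < p + 28:
        return None
    mk_guid = uuid.UUID(bytes_le=data[p + 4:p + 20])
    flags, desc_len = struct.unpack_from("<II", data, p + 20)
    end = p + 28 + desc_len
    if desc_len % 2 or len(data) < end + 8:   # odd UTF-16 length or runs off the buffer
        return None
    desc = data[p + 28:end].decode("utf-16-le", "replace").rstrip("\x00")
    alg, bits = struct.unpack_from("<II", data, end)
    return {"offset": off, "master_key": str(mk_guid), "flags": flags,
            "description": desc, "cipher": CIPHERS.get(alg, hex(alg)), "key_bits": bits}


def find_dpapi_blobs(data):
    """Return the parsed header of every DPAPI blob found in data."""
    hits, pos = [], data.find(MAGIC)
    while pos != -1:
        hdr = parse_header(data, pos)
        if hdr:
            hits.append(hdr)
        pos = data.find(MAGIC, pos + 1)
    return hits


def constructed_sample():
    """Constructed input: one complete header inside filler, then a truncated one."""
    desc = "Sample secret\x00".encode("utf-16-le")
    mk = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed GUID
    blob = (MAGIC + struct.pack("<I", 1) + mk.bytes_le
            + struct.pack("<II", 0, len(desc)) + desc
            + struct.pack("<II", 0x6610, 256))
    return b"\x00" * 37 + blob + b"\xff" * 9 + MAGIC + b"\x01\x00"


if __name__ == "__main__":
    for hit in find_dpapi_blobs(constructed_sample()):
        print(hit)
```

The reported master key GUID corresponds to a file name under the owning profile's `Microsoft\Protect` directory, which tells an examiner whose key material a given blob depends on.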

Let’s see AIM’s new DPAPI bypass in action, starting with the LoneWolf disk image from Digital Corpora! Please note the new “Bypass Data Protection API (DPAPI)” option on the Launch VM options screen, which will be enabled by default if a DPAPI bypass is possible:

After launching LoneWolf into a virtual machine, AIM performs the DPAPI bypass and we end up at the Windows Desktop of the last logged-on user. We then launch Chrome in an effort to expose stored credentials for various websites, but we get a Windows Security dialog asking us for our password:

Thanks to AIM’s Windows authentication bypass, we don’t need to enter anything at the Windows Security dialog above. After clicking “OK” we are able to see all the DPAPI-protected website credentials. Remember, this is done without having the user’s Windows password:

Next, we use LaZagne to extract any DPAPI-protected WiFi passwords:

Now onto something a bit more complex, but with a great payoff – decrypting Dropbox databases using a method (and code) described in the blog post “Brush up on Dropbox DBX decryption” by Francesco Picasso.

First, we extract the Dropbox key, which AIM’s DPAPI bypass has made possible:

Second, we use the Dropbox key to decrypt “filecache.dbx” to “filecache.db”:

Third, we start digging into the decrypted Dropbox database, filecache.db:

Viewing Filecache
Viewing Filecache Deleted Files

We are just scratching the surface in this Insights article in terms of what is possible when using AIM to bypass both Windows authentication and DPAPI, in part because we used the LoneWolf disk image for our demonstration rather than actual evidence. We know our customers will leverage this new functionality in ways we haven’t even considered yet.

Speaking of leveraging this new functionality, check out this testimonial from Cst. Derek Frawley of the Kingston Police in Ontario, Canada:

Please note, we initially released Arsenal Image Mounter v3.3.134 to our law enforcement and military customers and are now releasing it to all our established customers upon request. We will have an even wider release on January 1st.

