The latest AIM includes a long list of improvements. Highlights include Arm on Arm virtualization, Windows S Mode bypass (x64 and Arm!), multiple simultaneous disk connections with AIM Remote Agent, and BitLocker support extended to Windows File System Driver Bypass Mode. As always, you can see a detailed change log and get the latest AIM on our Downloads page. Let's get into some more detail about these highlighted features!
Arm on Arm Virtualization
Our team has been working extremely hard on Arm on Arm virtualization since the summer and our work is now paying off for our customers. AIM on Windows on Arm (WoA) can now seamlessly virtualize WoA disk images, actual physical disks, and remotely-connected disks (via AIM Remote Agent) with all of the extremely powerful and unique functionality you expect from AIM on Windows x64. We have focused our R&D on Snapdragon-based laptops and tablets, which cover the majority of WoA devices we all come across as digital forensics practitioners.
Here are some screenshots demonstrating AIM on WoA running on Snapdragon 7c Gen 2, 8cx Gen 2, X Elite, and X Plus laptops and tablets and launching WoA disk images into virtual machines:
Here's a series of screenshots demonstrating a Surface Pro 11 (Snapdragon X Plus) booted with WinFE using AIM Remote Agent to connect its disk over a network to AIM on a Dell XPS 13 (Snapdragon X Elite), then AIM launching a virtual machine from the remote disk. We think this is awesome and are confident you will too!
While AIM makes this Arm on Arm virtualization look easy, extreme effort and creativity were required behind the scenes... from Olof building a solid foundation to Emina and Anastasia doing their best to break every internal build put in their hands. We know WoA market share is increasing every year and digital forensics practitioners are increasingly taking custody of WoA laptops and tablets. We are very happy to be delivering this awesome new capability to our digital forensics colleagues.
Windows S Mode Bypass
While we were buying piles of Arm-based laptops and tablets from eBay over the summer, we began running into Windows on Arm in S Mode. While in the past S Mode could be disabled manually just prior to AIM launching Windows x64 into virtual machines, we have now made that process seamless when launching Windows... whether it's Windows x64 or on Arm!
Here's a screenshot of AIM's Launch VM options when launching a Dell Inspiron 14 3420 (Snapdragon 8cx Gen 2):
AIM Remote Agent and Multiple Simultaneous Disk Connections
Since the first release of the AIM Remote Agent we have supported the connection of multiple agents to AIM. With the latest AIM we also support multiple simultaneous disk connections from each of the agents... useful (for example) when you want to obtain disk images simultaneously rather than back-to-back from a remote computer, or even more useful when Storage Spaces is being used on a remote computer and you need multiple disks assembled into a space before launching a virtual machine.
Did you know that digital forensics practitioners are running AIM Remote Agent not only from computers booted with WinFE (x64 and Arm), but from PALADIN (x64) as well? Here's a series of screenshots demonstrating Anastasia using PALADIN to boot a Surface Pro 5 with two 512 GB drives, connect both drives to AIM across a network (with automatic Storage Spaces reassembly), and launch a virtual machine.
BitLocker and Windows File System Driver Bypass Mode
AIM has offered a variety of BitLocker-related functionality in most of our mount modes for many years, but until now BitLocker operations were not supported against disk images (and disks) mounted in Windows File System Driver Bypass Mode (WFSDBM). Thanks to integration with libbde from Joachim Metz, BitLocker operations are now supported in WFSDBM on both Windows x64 and on Arm - including mounting Volume Shadow Copies (VSCs) and running Recon Reports within unlocked BitLocker-protected volumes when the underlying disk image (or disk) has been mounted in WFSDBM.
Here's a screenshot of a BitLocker-protected volume about to be unlocked in AIM's Windows File System Driver Bypass Mode after the integration of libbde:
Purchasing an Arm-Based Forensic Workstation
While we wait for the Snapdragon X2 Elite CPU to make its way into laptops and tablets, we purchased a Dell XPS 13 (Snapdragon X Elite) to use as a forensic workstation running Windows on Arm. We found this particular laptop to be reasonably priced considering that it is very light, has long battery life, and can be configured for 64 GB RAM. You do not need high-end specifications like this though for a reasonable experience with Windows on Arm... any Snapdragon X Plus or Elite with 16 or 32 GB RAM should be more than sufficient unless you are launching significant numbers of virtual machines simultaneously. To prove my point, here is a screenshot of AIM launching a virtual machine from a disk image on a Samsung Galaxy Book Go (Snapdragon 7c Gen 2) with only 4 GB RAM!
Until next time... good hunting!