We released Arsenal Image Mounter v3.9.218 today with some truly awesome enhancements. I do not use the phrase "truly awesome" lightly, in the sense that I'm referring to enhancements that required many months of research and development ultimately resulting in even more powerful and unique functionality for AIM users. Let’s kick this quick tour off with enhancements to AIM’s DPAPI bypass.
Our customers have been telling us for years that AIM's "Professional Mode" was the most reliable way to launch disk images into virtual machines. We have spent an enormous amount of time not only making sure AIM’s virtual machine launching lived up to its reliable reputation, but also developing:
Windows authentication and DPAPI bypasses within virtual machines
Volume Shadow Copy (VSC) launching into virtual machines
AIM-attached physical disk launching into virtual machines
AIM’s Windows authentication and DPAPI bypasses were already so expansive and powerful that some digital forensics practitioners had trouble believing what they were seeing… and now thanks to some incredible creativity and focus from Olof Lagerkvist and Joakim Schicht, AIM’s DPAPI bypass has just become even more powerful. AIM's DPAPI bypass now works in many more scenarios, from versions of Windows prior to 10 and with more types of Windows authentication. Nothing beats seeing it for yourself:
Another thing I would like to demonstrate in terms of DPAPI bypass - AIM's ability to perform DPAPI bypasses within VMs launched from VSCs. It can sometimes be a bit of a miracle to get everything you need working within a VSC launched into a VM (for example, some files important to digital forensics practitioners do not have space reserved in VSCs by design, sometimes clusters are missing from the most aggravating places, etc.), but when AIM finds relatively intact VSCs, launches them into VMs, and then performs DPAPI bypasses - it's quite nice and you will want this capability in your toolbox. Let's launch one of the Cellebrite CTF 2021 VSCs into a VM and see what I’m referring to in action:
Is AIM able to perform a DPAPI bypass in every scenario involving Windows? No… but the number of scenarios in which it can have now been dramatically increased in v3.9.218. Are you thinking about taking a new look at some of your cold cases?
Next up, AIM now includes a Linux authentication bypass within virtual machines. You can see it here used against a Magnet CTF 2022 disk image:
Now let’s cover a new "Free Mode" feature we call "Virtual dd." Upon enabling the virtual dd function, all available disks, volumes, and VSCs (whether AIM-mounted/attached or not) will be virtually exposed in a new volume as read-only raw disk images with the ".dd" extension. Disks will be exposed by their "PhysicalDrive" number, volumes will be exposed both by their currently assigned Windows drive letter and GUID, and VSCs by their volume GUID and timestamp. We tend to add new functionality to our tools when we realize that important things can be done in our own casework but we can’t find any existing solutions. Virtual dd was different, in the sense that federal law enforcement in the US made multiple requests for the functionality… so while we weren’t sure how important it would be to our own casework, we knew it was important to theirs. Two things we suspect people will use virtual dd for are quickly copying out VSCs as dd files and leveraging certain tools (that are not "digital forensics friendly") against forensic images by pointing them at the virtual dd files exposed by AIM. We expect that AIM users will find more use cases for the virtual dd functionality. See virtual dd in use against the NIST CFReDS Data Leakage disk image here:
Another new feature that wasn’t on our radar until an AIM user put it there is support for single disk, non-striped, lvm/lvm2 volumes. Joshua James (DFIR Science) reached out to us in regard to a CTF he was running about whether AIM could support lvm/lvm2 volumes. We told Joshua we didn’t think it would be too hard to support, so we would get on it right away. Initially we added the lvm/lvm2 support to AIM’s Windows file system driver bypass mode, so our users could quickly surf popular file systems in disk images containing Linux, but we then extended the support to launching virtual machines and more specifically AIM's Linux authentication bypass. Here's a look at the result in Windows file system driver bypass mode:
Here is a concise list of Professional and Free Mode enhancements in AIM v3.9.218:
Please note, AIM now requires .NET 6 and as always you should exclude AIM’s folder and/or executables in your antivirus solution.
Before we part ways, I would like to make sure you are aware of AIM Online Training which is under ongoing development by Emina and Anastasia here at Arsenal. We have priced the training at $79 per seat so it is accessible to as many digital forensics practitioners as possible. The training includes practical exercises and one attempt at certification, but the training itself can be retaken as often as you would like. Here's a brief clip of Emina explaining some AIM functionality during the training:
You can purchase AIM Online Training from SUMURI (they host our training and build workstations with our tools preinstalled) at https://sumuri.com/course/arsenal-image-mounter-training or directly from us when purchasing Arsenal licenses.