/ Insights

What's new with Arsenal Image Mounter in 2024?

May 29th, 2024
Mark Spencer

We have added some awesome functionality to Arsenal Image Mounter (AIM) over the last six months. Let's discuss some of the most significant updates to the three public builds of AIM (v3.11.279, v3.11.282, and v3.11.290) that we have released so far in 2024.

First, AIM's Windows authentication and DPAPI bypasses were already extremely powerful (and unique) before 2024... but we are always pushing boundaries in digital forensics. We wanted to increase the number of scenarios in which immediate (or, nearly immediate) DPAPI bypasses were available, so we added not only a comprehensive database-driven password attack feature to AIM but created two "Password Sledgehammer" databases for use by our customers. Our large Password Sledgehammer database is approximately 1TB in size and contains over 23 billion password hashes for nearly immediate attack against Windows contained within disk images (or actual physical disks) launched by AIM into virtual machines.

Password Attack Database Selection

Large Password Sledgehammer Against NIST Data Leakage Disk Image

Second, we have created "case initiation" emails for many years at Arsenal when we receive electronic evidence. The information we place in these emails (for example, details about operating systems and users) is very useful for triage when large volumes of disk images, mobile extractions, search warrant returns, and other evidence are arriving at our office. We have started to incorporate this kind of information in AIM's new "Recon Report" feature which we will expand both on feedback from our team and our customers.

First Portion of Recon Report Against Digital Corpora Owl Disk Image

Second Portion of Recon Report Against Digital Corpora Owl Disk Image

Here's a video that first demonstrates Password Sledgehammer being leveraged against the NIST Data Leakage disk image and then a Recon Report being created and quickly browsed:

Third, we have found many "smoking guns" within Volume Shadow Copies (VSCs) in our own casework at Arsenal and we are constantly using AIM's various methods of VSC mounting. Prior to 2024, AIM offered three methods of VSC mounting which all relied upon VSC parsing from Windows itself. AIM now includes our own VSC parsing, resulting in even more benefits for digital forensics practitioners. What are these benefits? More reliable virtual machine launching from VSCs, exposure of intra-VSC slack, and VSC mounting in situations it was not previously possible. AIM's latest VSC mounting methods are dependent upon how the underlying disk image (or actual physical disk) is mounted. Take a look at Digital Corpora's LoneWolf disk image mounted in write-temporary mode, then one of its VSCs mounted in write-temporary mode, and finally that VSC launched into a virtual machine.

VSC Mount Options Against Digital Corpora LoneWolf Disk Image

Digital Corpora LoneWolf Disk Image VSC Launched Into VM with DPAPI Bypass

Fourth, A small number of law enforcement agencies have been making many requests recently for increased functionality in AIM's CLI. While our CLI was originally intended to be used to access only AIM's core functionality, in 2024 we began adding Professional Mode functionality and making automation with the CLI more accessible. AIM's CLI can now be used to create new disk images and RAM disks, mount partitions and VSCs in Windows File System Driver Bypass Mode (WFSDBM), save disk images with fully-decrypted BitLocker volumes, produce Recon Reports, and more.

CLI Saving New Disk Image with Decrypted BitLocker Volume from Arsenal Romeo Disk Image

CLI Generating Recon Report from Digital Corpora Owl Disk Image

I hope you found this quick summary of some of AIM's most significant updates in 2024 useful! If you want to know about more of the updates to AIM this year, please review the change logs available at https://ArsenalRecon.com/downloads... and as always, good hunting!

Share:

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.