Many Windows®-based disk image mounting solutions mount the contents of disk images as shares or partitions, rather than complete (aka "physical" or "real") disks, which limits their usefulness to digital forensics practitioners and others. Arsenal Image Mounter mounts the contents of disk images as complete disks in Windows, allowing users to benefit from disk-specific features like integration with Disk Manager, launching virtual machines (and then bypassing Windows authentication and DPAPI), managing BitLocker-protected volumes, mounting Volume Shadow Copies, and more.
Become more familiar with AIM's powerful functionality by watching our demonstrations.
Arsenal Image Mounter includes both free (Free Mode) and paid (Professional Mode) features.
Mount raw, forensic, and virtual machine disk images as complete (aka "real") disks on Windows
Temporary write support with replayable delta files for all supported disk image formats
Save "physically" mounted objects to various disk image formats
Virtually mount optical images
RAM disk creation with either static or dynamic memory allocation
Command-line interface (CLI) executables
MBR injection, fake disk signatures, removable disk emulation, and much more
Identify (with details), unlock, fully decrypt, and disable/suspend BitLocker-protected volumes
Effortlessly launch virtual machines from disk images
Extremely powerful Windows authentication and DPAPI bypasses within virtual machines
Volume Shadow Copy mounting (standard, with Windows NTFS driver bypass, or as complete disks)
Launch virtual machines directly from Volume Shadow Copies
Windows file system driver bypass (FAT, NTFS, ExFAT, HFS+, Ext2/3/4, etc.)
Exposure of NTFS metadata, slack, and unallocated in Windows file system driver bypass mode
Virtually mount archives and directories
Save disk images with fully-decrypted BitLocker volumes
Attach to actual physical disks (fixed and removable) to leverage virtual machine launching, VSC mounting, etc.
“Arsenal Image Mounter’s ability to reliably launch disk images into virtual machines has worked great in our ICAC (Internet Crimes Against Children) cases, especially when using DPAPI bypass to gather valuable website credentials for follow-up investigation and when capturing screenshots from within virtual machines as we prepare for court.”
Computer Forensics Technician, Fontana Police Department
“I recently had a CSAM case in which we needed to find a way to decrypt EFS-encrypted files found on an external hard drive. While examining various pieces of electronic evidence, we discovered that the EFS keys were on one of the suspect’s laptops. Using Arsenal Image Mounter, I launched a forensic image obtained from the laptop into a virtual machine, logged in with a Windows password we cracked with Hashcat, attached a forensic image obtained from the external hard drive to the virtual machine, and proceeded to decrypt all the EFS-encrypted files. This entire process with AIM was far easier than the other tool our agency used previously to launch forensic images into virtual machines. I have also had another CSAM case in which AIM’s latest DPAPI bypass functionality allowed us to access a suspect’s Opera-stored website credentials - without knowing the suspect’s Windows password!”
Territorial Police (UK)
Buy an Arsenal license and choose a subscription length (see the increasing discounts!) that works best for you. Want to try AIM first? Download AIM now and use its free functionality, or email sales to evaluate Professional Mode.