Free Mode:

General

• Improved Linux LVM (Logical Volume Manager) support

• Improved VHDX support (including support for disk images that do not have a size that is a multiple of internal VHDX chunk size)

• Added support for raw split disk images beginning with .000 (e.g. raw split disk images created by Guymager)

• Fixed default BIOS geometry issue in VMDK library that could result in division by zero exception

• Fixed deadlock issue when a raw image file is formatted with NTFS and the image file is at the same time located on a local NTFS volume

• Fixed memory leak when creating a dynamically allocated RAM disk from a VHD template and loading the template VHD image file failed

• Fixed issue where dismounting a virtual disk that had not yet been fully initialized could result in BSOD

• AIM readme update

Mount Archive

• Improved support for tar archives including new temporary storage dialog related to very large archives (e.g. those containing mobile extractions)

• Improved cache logic for zip archives mounted as file systems

Virtual dd

• Added support for accessing disks as VHDX files

CLI

• Fixed read-only dd conversions and checksums

Professional Mode:

General

• AIM-mounted disks can now be written to other AIM-mounted disks (e.g. mounted via AIM Remote Agent) provided the latter are mounted in write-original mode

• Fixed calculation of target disk size prior to writing an AIM-mounted disk (target disks with identical size as an AIM-mounted disk to be written will now be available in the target dialog)

AIM Remote Agent

• Now supports exposing more than one disk simultaneously (e.g. “1,3” will expose disks 1 and 3 from AIM Remote Agent’s disk list to AIM)

• Now uses IPv6 when no network adapters are found with an IPv4 address

• AIM Remote Agent readme update

Launch VM

• Can now be run from Windows versions that cannot attach physical drives to Hyper-V VMs (e.g. Server 2022 x64 and Windows on Arm)

• Preliminary support for launching Arm on Arm VMs with an emphasis on Qualcomm Snapdragon-powered devices (ARM64 disk images, actual physical disks, and remote disks via AIM Remote Agent launched by AIM on ARM64)

• Launch VM options screen now mentions whether Windows S Mode has been detected

• Windows S Mode will be seamlessly bypassed if AIM Virtual Machine Tools injection is enabled

• Dynamic memory size settings are now activated by default

• Memory size is set to a maximum of 768mb for Windows versions older than Vista

• Updated Azure AD references to Entra ID and improved Entra ID account/domain notation in AIM VM Tools

• Updated Windows versions mentioned in error messages when Hyper-V is not running properly

• Many improvements related to launching Linux into virtual machines

Windows File System Driver Bypass Mode (WFSDBM)

• WFSDBM now supports BitLocker thanks to integration with libbde from Joachim Metz

• BitLocker volumes mounted in WFSDBM can be unlocked with password, recovery key, external key (.BEK), or FVEK/TK key

• VSCs can be mounted within BitLocker volumes mounted in WFSDBM

• Recon Reports can now be run against WFSDBM-mounted disks containing BitLocker volumes

• Improved error message about missing NTFS attribute allocation on partially corrupt NTFS file systems

• Many minor improvements related to missing symbolic links (in some cases) in Btrfs and ext file systems, inaccessible compressed Btrfs files, etc.

CLI

• BitLocker decryption is now supported when converting directly from one disk image file to another (without first mounting the original disk image file and unlocking BitLocker)

• Recon Reports run by AIM CLI now support BitLocker volumes

Recon Report

• Fixed display of hashes and signing certificates for some service files

Arsenal-Image-Mounter-v3.12.331.zip MD5 Hash = c38ded04e62566a91b0afae203ad6158

Free Mode:

General

• Fixed issue with saving to VHDX format that could result in failure

Professional Mode:

Recon Report

• Added listing of non-standard LSA authentication modules and security modules similar to listing of non-standard drivers and services

• Added code signing status, name of signing certificate, and MD5 hash values for non-standard drivers, services, & LSA modules

Launch VM

• Improved handling of corrupt Registry hives

ARM

• Added ability to apply Arsenal license on ARM architecture

Arsenal-Image-Mounter-v3.11.307.zip MD5 Hash = 0e00d083deb29db1f65859afd2551b76

Free Mode:

General

• Write filter driver improvement related to mismatched sector sizes

• Fixed issue with pre-loading smaller image files into larger RAM disks

• aim_ll.exe -a and AIM API now check if virtual disk has immediately disappeared after creation (and returns failure status if it happens)

• Improved error message when write overlay fails (now includes underlying driver's error message)

CLI

• --buffersize option is now also used in image conversions

• New —rescan switch (corresponds to aim_ll.exe --rescan and "Rescan SCSI bus" in AIM GUI)

ARM

• New warning message if AIM is started as x86 or x64 on ARM64

• Improved error messages (and suggestions) when encountering missing libraries or their dependencies

Professional Mode:

Recon Report

• More resilient against corrupt SAM records

• Minor text adjustment

Launch VM

• Fixed error message about bcdboot when launching VMs on ARM64 (Note: launching VMs on ARM64 is not yet fully supported by AIM)

Arsenal-Image-Mounter-v3.11.306.zip MD5 Hash = 32b719c10f7bc98c27a37b5a177cb0e5

Professional Mode:

Launch VM

• Additional AV evasion (details available to customers)

AIM Remote Agent

• Recon Report now available with remote disks mounted in all modes except Windows file system system driver bypass

Arsenal-Image-Mounter-v3.11.304.zip MD5 Hash = e567b5eaf9b0e6fe811432934458d4ab

Professional Mode:

Launch VM

• Enhancements to DPAPI bypass

AIM Remote Agent

• Fixed issue which resulted in Windows file system driver bypass mount mode failure

• Updated AIM Remote Agent readme

Arsenal-Image-Mounter-v3.11.303.zip MD5 Hash = aeae90ba53eb53e04c758d4c9112b067

Professional Mode:

AIM Remote Agent

• Fixed recommended sector size when non-standard

• Updated AIM Remote Agent readme

Arsenal-Image-Mounter-v3.11.300.zip MD5 Hash = ca7ea018ae0d5101a026668524d429a2

Free Mode:

General

• Migrated to .NET 9 resulting in improved performance

• Fixed error message regarding VSCs when mounting archive files

• Driver setup package updated with new driver versions containing various improvements

• Updated GUI readme

PowerShell

• New PowerShell modules for more reliable CLI functionality when using PowerShell versus Command Prompt

• New PowerShell readme

Professional Mode:

AIM Remote Agent

• New AIM Remote Agent, a CLI application for Windows, Linux, and BSD that makes offline disks available to AIM over a network in a read-only manner

• New AIM Remote Agent readme

Launch VM

• Fixed rare issue that caused the attachment of mounted images to running VMs to fail with an exception message

Windows File System Driver Bypass Mode

• Several improvements to ext file systems and added support for ext variants used by some recent Linux distributions

• Fixed rare failure due to size of buffer holding device names by dynamically allocating buffer

Arsenal-Image-Mounter-v3.11.299.zip MD5 Hash = e5609c47e3c7149d76e68b6a5bd81daa

Free Mode:

General

• Support for SMART disk image format (.s01)

• Added warning when Windows Dynamic Disks are encountered

• Updated GUI readme

CLI

• Fixed issue with output file left open when --background option is used from PowerShell, which caused aim_cli command to hang instead of returning to PowerShell prompt

Professional Mode:

Launch VM

• Improved DPAPI bypass (details available to customers)

• New advanced option for EFI boot cleanup which removes possibly incompatible EFI boot files

• Automatic repair is now disabled after a failed boot to make serious troubleshooting more efficient

• Fixed issue related to replay of very large Registry transaction logs

Recon Report

• Improved detection of driver/service files, vendor information, and validation

• Additional driver/service information exposed

• Simplified display of Volume Shadow Copy timestamps

• Fixed issue related to Authentication Vaults on very old Windows versions

• Fixed issue related to Windows Dynamic Disks

Arsenal-Image-Mounter-v3.11.293.zip MD5 Hash = f9cea8016235b77874fc0b1e88a2e61f

Free Mode:

General

• Mount points in AIM’s main screen are now hyperlinks that open in Windows Explorer

• Certain text on AIM’s main screen (Id, Disk device, Signature, volume paths) can now be right-clicked and copied

• Virtually mounting archives is now available in Free Mode (as intended with the previous public build, v3.11.282)

• Licensing system adjusted to work better in multi-user environments with permissions issues

• Fixed open handle leaks that could result (in specific circumstances) in slow BitLocker unlocks, file system checks, and taking disks offline

• Updated GUI and CLI readmes

Professional Mode:

Launch VM

• AIM Virtual Machine Tools now includes separate columns for recovered passwords and PINs (particularly useful when both are recovered for the same account)

Windows File System Driver Bypass Mode

• Now supports “CompactOS” (WOF) compressed system files

• Fixed issue which prevented Windows File System Driver Bypass Mode working with some VMDKs

CLI

• New CLI switches to save disk images with fully-decrypted BitLocker volumes, mount all (rather than particular) VSCs within a partition, and produce a Recon Report

• Fixed bug related to active files being exposed in CLI-mounted VSCs

Arsenal-Image-Mounter-v3.11.290.zip MD5 Hash = 90881e2e993c8bd9de00ff506489a785

Free Mode:

General

• Fixed issue related to possible hang when encountering out-of-memory scenarios in write-temporary mount modes

• “Mount archive file” functionality moved to Free Mode

• New CLI switch “--online” will automatically bring mounted disks and partitions online and assign drive letters as needed, similar to the behavior when using AIM’s GUI

• Updated GUI and CLI readmes

Professional Mode:

Launch VM

• Enhancements to DPAPI bypass

• New Password Sledgehammer database (“Password Sledgehammer - Large”) containing over 23 billion unique password hashes

Mount VSCs

• Adjustment to intra-VSC slack identification which may be relevant when dealing with dirty file systems

CLI

• New CLI switches “--pro --mountfs” will mount partitions or Volume Shadow Copies in Windows File System Driver Bypass Mode

Arsenal-Image-Mounter-v3.11.282.zip MD5 Hash = 4a55b0b6bdbdf0a1ba0dd64d44e9d3aa

Free Mode:

General

• Many performance improvements, including transition to .NET 8 and more parallel input/output when possible

• Updated third-party libraries

• New CLI options for creating new image files, creating new RAM disks, and saving differencing data to RAM

• Improved Help/About licensing information and “Update license” now removes existing license and accepts new license code

• Updated GUI and CLI readmes

Professional Mode:

Launch VM

• New database-driven password attack functionality, including Arsenal’s “Password Sledgehammer” database

• DPAPI bypass drop-down now shows recovered passwords in addition to PINs

• Improvements related to launching VirtualBox disk images

• Improvements related to mouse and keyboard recognition within virtual machines

BitLocker

• Saving disk images with previously BitLocker-protected volumes fully decrypted now skips areas never encrypted and all zeroes

Windows file system driver bypass

• Improvements to mounting when corrupt NTFS metafiles are encountered

• More slack is now exposed in AIM’s [FILE_SLACK] file

• Zero-trim logic is now applied to AIM’s [FILESLACK] and [VSCSLACK] files, and optionally applied to [UNALLOCATED]

Mount VSCs

• New methods of Volume Shadow Copy mounting which use Arsenal’s (rather than Windows) VSC parsing

• Intra-VSC slack is now exposed as [VSC_SLACK] by Arsenal’s VSC parsing when VSCs are mounted in Windows File System Driver Bypass mode

• Fixed bugs which could result in unexpected behavior (hangs) when attemping to remove corrupt VSCs

• Fixed bug related to mounting OVA virtual disk images which would cause VSC mounting to fail

• All VSC timestamps are now displayed in UTC

Attach to Actual Physical Disks

• When acquiring disk images from actual physical disks containing BitLocker-protected volumes, AIM will optionally decrypt those volumes during the acquisition

Arsenal-Image-Mounter-v3.11.279.zip MD5 Hash = 8902856adbcd4df7e3bf6fe26a6713a3

Free Mode:

General

• Fixed "Automatically start Arsenal Image Mounter at logon" option

• Updated readme

Professional Mode:

Launch VM

• Improved recovery of deleted, locked out, disabled, and/or expired Windows accounts

• Boot with last Windows shutdown time can now be adjusted to any valid date and time

• Recovered passwords and PINs always displayed in AIM Virtual Machine Tools (regardless of bypass settings)

• Improved quick DPAPI bypass when encountering partially corrupt data

• Improved identification of open files before launching a VM

• Expanded support for lvm/lvm2 volumes

• Fixed error caused by launching a VM from a disk image not mounted by current AIM session

Windows file system driver bypass

• Expanded support for lvm/lvm2 volumes

Arsenal-Image-Mounter-v3.10.262.zip MD5 Hash = f0e2d3d17ff4abeb419d219e2fcfcb97

Free Mode:

General

• New dialog displayed when write-overlay differencing file is running out of memory or disk space

• New dialog displayed when “AD encryption” is encountered

• Bug fixes related to write-original mounting resulting in read-only behavior and final 64kb being read only in write-temporary mode

• Error message no longer displayed when removing both a Storage Spaces drive and its underlying drives at the same time

• Fixed DiscUtils bug that would result in unexpected characters within NTFS $UpCase metafile when creating a new image

• Differential file selection dialog now remembers previous differential file location and only displays files with .diff extension

• Updated GUI and CLI readmes

BitLocker

• Recovery key backup locations are now displayed in BitLocker status information

Professional Mode:

Launch VM

• New PIN brute force feature (up to six digit numeric), particularly useful when an immediate DPAPI bypass is unavailable

• New nested virtualization and extreme isolation options via new Advanced menu options

• Improved support for DPAPI bypass against Azure AD accounts

• Adjustments to scanning for dirty file systems to make launching VMs more reliable

• Improved handling of disabled or otherwise invalid Active Directory accounts and disabled local accounts

• Logons involving certain Active Directory scenarios no longer require a reboot

• Improved handling of corrupt Registry hives and transaction logs

• New dialog displayed when open files are found on volumes about to be launched into VMs

• Adjustments to make launching newer builds of Windows 11 into VMs more reliable

• Locked BitLocker volumes are now dealt with earlier in the Launch VM workflow

• Adjusted behavior of not selecting Windows authentication bypass against Microsoft cloud accounts

• The "Launch VM" button becomes "Reconnect VM" after VMs are launched in case consoles are unexpectedly disconnected

• Added warnings related to problematic Hyper-V installations

• Fixed problem with frozen disk I/O which would sometimes occur when preparing to launch VMs

• WinDbg support extended to WinDbg from Microsoft Apps

• Improved workflow when DPAPI bypass against multiple accounts is available

• Warning displayed when differential file is being stored in RAM but less than 16GB of free physical memory is found

Mount VSCs

• Added warnings when AIM detects “missing” Volume Shadow Copies after read only or write-temporary mounting

Mount archive

• Added basic support for AFF4 which is particularly useful with AFF4-L images containing loose files

Arsenal-Image-Mounter-v3.10.257.zip MD5 Hash = a1d97d423d34ed69ab34e6d90b30376e

Free Mode:

General

• Increased privileges required to open virtual dd files to limit possible abuse of the virtual dd functionality

• Fixed issues with large numbers of E01 segments which could result in an I/O error, TRIM commands being disabled against sparsely-allocated dd images and dynamically-allocated RAM disks, and dialogs related to missing or incompatible hypervisors

• AIM CLI now includes a “—writable” switch and mounts read-only by default

• Updated GUI and CLI readmes

Arsenal-Image-Mounter-v3.9.239.zip MD5 Hash = f6234004d84696002e6b62e82a1bf8b0

Free Mode:

• Virtual dd: Partitions are now exposed in addition to disks, volumes, and VSCs. This may be useful when inspecting partitions that do not get assigned driver letters and/or contain file systems unrecognized by Windows.

• General: Fixed issue with error displayed after AIM driver install (even though driver was installed successfully), updated GUI readme

Professional Mode:

• Launch VM: Additional AV evasion within the virtual machines launched by AIM

• Windows file system driver bypass: Fixed partition table validation which was too strict, fixed issue with errors related to file systems in one partition impacting recognition of other partitions, and fixed inability to open small files with all-zero content (without any physical cluster allocation) in ext file systems

• Mount archive: Fixed issue with tar header validation being too strict, preventing proper mounting when owner/group names were missing

Arsenal-Image-Mounter_v3.9.235.zip MD5 Hash = 2509558fcea81d606e820b0e1f255f90

Free Mode:

• CLI: Moving towards “—“ rather than “/“ notation for switches (for multi-platform compatiblity), new “—checksum=” switch which calculates MD5, SHA1, and/or SHA256 checksums over disk image contents

• Create new image file: New disk image files are now created with 64kb partition alignment, disk and boot code signatures, and fake (but valid) boot code in MBR and VBR

• General: GUI adjustments related to removing write filter (especially helpful when dealing with Storage Spaces) and actual physical disk information, updated GUI and CLI readmes

Professional Mode:

• VM Launching: Improved support for launching disks containing the latest Windows builds into VMs from forensic workstations with the latest Intel CPUs, DPAPI Bypass expanded by improving automatic logon issue, new error message when conflicting hypervisor environments are detected, improved support for launching the same disk in the same AIM session into a VM more than once

• Windows file system driver bypass: Fixed an issue preventing Windows file system driver bypass mode from being applied to actual physical disks

Free Mode:

• General: Improved user feedback during .NET download, updated readme

Professional Mode:

• Windows file system driver bypass: Fixed bug involving some NTFS attribute lists (resulted in throwing errors)

Professional Mode:

• Windows file system driver bypass: Improved DiscUtils exFAT and FAT/FAT32 handling to prevent attempts at updating last access times for directories when mounted read only and to properly support directories with unusual characters in their names, respectively

Professional Mode:

• Windows file system driver bypass: Fixed issue with NTFS volumes containing 128 sectors per cluster, improved VHD handling

Free Mode:

• Virtual dd: Virtual dd volume itself has been removed from virtual dd functionality

• GUI: New image size and new RAM disk size dialogs improved

• CLI: CLI executable has been returned to the public build

• General: More dependency chains (images mounted within images) are tracked and resolved when parents are unmounted, removed LX01 from all dialogs, updated readme

Professional Mode:

• Windows file system driver bypass: NTFS updates including new volume slack identification (see the [VOLUME SLACK] object at the root of each volume), >64k sector size support, and improved unallocated space identification

Free Mode:

• Virtual dd: Upon enabling the virtual dd function, all available disks, volumes, and VSCs (whether AIM-mounted/attached or not) will be virtually exposed in a new volume as read-only raw disk images with the “.dd” extension. Disks will be exposed by their “PhysicalDrive” number, volumes will be exposed both by their currently assigned Windows drive letter and GUID, and VSCs by their volume GUID and timestamp.

• Physical disks: Mounted disk images can now be written to physical disks with optional free space clearing (TRIM command for TRIM-enabled SSD disks, otherwise traditional clearing)

• GUI: Mount points in AIM’s main screen are now displayed in collapsed details

• Disk Image Mounting: Support for qcow/qcow2 format

• Disk Image Mounting: Disk images which contain only an ISO9660 file system (CD-ROM) are now automatically mounted as virtual CD/DVDs

• Updated readmes

Professional Mode:

• VM Launching: DPAPI Bypass scenarios have been significantly expanded, including from VSCs AIM has launched into VMs as well as scenarios pre-Windows 10

• VM Launching: In some DPAPI-bypass scenarios involving PIN (or non-password) authentication solely (i.e. password authentication was not an additional option), revealing browser-stored credentials could be problematic. AIM now actively resolves this problem.

• VM Launching: In some DPAPI-bypass scenarios, for example involving Windows 8 or 8.1 and Microsoft online accounts, automatic logon does not work which makes AIM’s DPAPI bypass less intuitive. To solve this, AIM VM Tools now displays passwords in clear text so that AIM users can use them for logon with DPAPI fully unlocked.

• VM Launching: New Linux authentication bypass

• VM Launching: Additional boot driver assistance which results (for example) in more successful VM launches directly from VSCs

• VM Launching: The Launch VM option “Boot with last Windows shutdown time” now displays the last shutdown time

• VM Launching: VMs are now created with up to 6 GB RAM if >10 GB is available (previously max 4 GB) and with number of CPU cores set to half the number of physical host CPU cores (previously always 2 CPU cores)

• VSC Mounting: VSC timestamps are more clearly identified in AIM’s main window and folders containing mounted VSCs 

• VSC Mounting: Enhanced performance mounting and accessing VSCs

• Windows File System Driver Bypass: Support for single disk, non-striped, lvm/lvm2 volumes

• Windows File System Driver Bypass: Fixed bugs in DiscUtils NTFS implementation which prevented mounting of some disk images, additional bug fixes in other DiscUtils file system implementations, many optimizations related to both DiscUtils and Dokan 2 resulting in significant performance improvements

Note: To enable Arsenal Image Mounter’s full functionality, the latest .NET 6 is now required.

Free Mode:

• New mount option which stores AIM's differencing file in RAM (not on disk)

• Support for saving "physically" mounted objects to E01 format

• AIM CLI: Added /autodelete switch to automatically delete diff file

• AIM CLI: Added ability to restore disk images to actual physical disks

• Write filter performance improved

• Also minor GUI updates, readme updates, and bug fixes

Professional Mode:

• DPAPI bypass improvements (support for certain multi-user scenarios, etc.) 

• AIM now supports attachment to actual physical disks (fixed or removable) 

• Optionally force offline/hidden VSCs online

• New “Windows file system driver bypass, write original” mount mode

• More antivirus evasion in launched VMs

• Improvements to tar, wim, and zip archive mounting

• Adjustments to AIM driver to eliminate obscure deadlocks

• Workaround for odd behavior from Symantec PGP WDE driver