v3.11.293
Released: 06-26-2024
Free Mode:
General
CLI
Professional Mode:
Launch VM
Improved DPAPI bypass (details available to customers)
New advanced option for EFI boot cleanup which removes possibly incompatible EFI boot files
Automatic repair is now disabled after a failed boot to make serious troubleshooting more efficient
Fixed issue related to replay of very large Registry transaction logs
Recon Report
Improved detection of driver/service files, vendor information, and validation
Additional driver/service information exposed
Simplified display of Volume Shadow Copy timestamps
Fixed issue related to Authentication Vaults on very old Windows versions
Fixed issue related to Windows Dynamic Disks
Arsenal-Image-Mounter-v3.11.293.zip MD5 Hash = f9cea8016235b77874fc0b1e88a2e61f
v3.11.290
Released: 05-10-2024
Free Mode:
General
Mount points in AIM’s main screen are now hyperlinks that open in Windows Explorer
Certain text on AIM’s main screen (Id, Disk device, Signature, volume paths) can now be right-clicked and copied
Virtually mounting archives is now available in Free Mode (as intended with the previous public build, v3.11.282)
Licensing system adjusted to work better in multi-user environments with permissions issues
Fixed open handle leaks that could result (in specific circumstances) in slow BitLocker unlocks, file system checks, and taking disks offline
Updated GUI and CLI readmes
Professional Mode:
Launch VM
Windows File System Driver Bypass Mode
CLI
New CLI switches to save disk images with fully-decrypted BitLocker volumes, mount all (rather than particular) VSCs within a partition, and produce a Recon Report
Fixed bug related to active files being exposed in CLI-mounted VSCs
Arsenal-Image-Mounter-v3.11.290.zip MD5 Hash = 90881e2e993c8bd9de00ff506489a785
v3.11.282
Released: 03-28-2024
Free Mode:
General
Fixed issue related to possible hang when encountering out-of-memory scenarios in write-temporary mount modes
“Mount archive file” functionality moved to Free Mode
New CLI switch “--online” will automatically bring mounted disks and partitions online and assign drive letters as needed, similar to the behavior when using AIM’s GUI
Updated GUI and CLI readmes
Professional Mode:
Launch VM
Mount VSCs
CLI
Arsenal-Image-Mounter-v3.11.282.zip MD5 Hash = 4a55b0b6bdbdf0a1ba0dd64d44e9d3aa
v3.11.279
Released: 01-03-2024
Free Mode:
General
Many performance improvements, including transition to .NET 8 and more parallel input/output when possible
Updated third-party libraries
New CLI options for creating new image files, creating new RAM disks, and saving differencing data to RAM
Improved Help/About licensing information and “Update license” now removes existing license and accepts new license code
Updated GUI and CLI readmes
Professional Mode:
Launch VM
New database-driven password attack functionality, including Arsenal’s “Password Sledgehammer” database
DPAPI bypass drop-down now shows recovered passwords in addition to PINs
Improvements related to launching VirtualBox disk images
Improvements related to mouse and keyboard recognition within virtual machines
BitLocker
Windows file system driver bypass
More slack is now exposed in AIM’s [FILE_SLACK] file
Zero-trim logic is now applied to AIM’s [FILE_SLACK] and [VSC_SLACK] files, and optionally applied to [UNALLOCATED]
Mount VSCs
New methods of Volume Shadow Copy mounting which use Arsenal’s (rather than Windows) VSC parsing
Intra-VSC slack is now exposed as [VSC_SLACK] by Arsenal’s VSC parsing when VSCs are mounted in Windows File System Driver Bypass mode
Fixed bugs which could result in unexpected behavior (hangs) when attempting to remove corrupt VSCs
Fixed bug related to mounting OVA virtual disk images which would cause VSC mounting to fail
All VSC timestamps are now displayed in UTC
Attach to Actual Physical Disks
Arsenal-Image-Mounter-v3.11.279.zip MD5 Hash = 8902856adbcd4df7e3bf6fe26a6713a3
v3.10.262
Released: 09-05-2023
Free Mode:
General
Professional Mode:
Launch VM
Improved recovery of deleted, locked out, disabled, and/or expired Windows accounts
Boot with last Windows shutdown time can now be adjusted to any valid date and time
Recovered passwords and PINs always displayed in AIM Virtual Machine Tools (regardless of bypass settings)
Improved quick DPAPI bypass when encountering partially corrupt data
Improved identification of open files before launching a VM
Expanded support for lvm/lvm2 volumes
Fixed error caused by launching a VM from a disk image not mounted by current AIM session
Windows file system driver bypass
Arsenal-Image-Mounter-v3.10.262.zip MD5 Hash = f0e2d3d17ff4abeb419d219e2fcfcb97
v3.10.257
Released: 07-05-2023
Free Mode:
General
New dialog displayed when write-overlay differencing file is running out of memory or disk space
New dialog displayed when “AD encryption” is encountered
Fixed bugs that caused write-original mounting to behave as read-only and the final 64 KB to be read-only in write-temporary mode
Error message no longer displayed when removing both a Storage Spaces drive and its underlying drives at the same time
Fixed DiscUtils bug that would result in unexpected characters within NTFS $UpCase metafile when creating a new image
Differential file selection dialog now remembers previous differential file location and only displays files with .diff extension
Updated GUI and CLI readmes
BitLocker
Professional Mode:
Launch VM
New PIN brute-force feature (numeric, up to six digits), particularly useful when an immediate DPAPI bypass is unavailable
New nested virtualization and extreme isolation options via new Advanced menu options
Improved support for DPAPI bypass against Azure AD accounts
Adjustments to scanning for dirty file systems to make launching VMs more reliable
Improved handling of disabled or otherwise invalid Active Directory accounts and disabled local accounts
Logons involving certain Active Directory scenarios no longer require a reboot
Improved handling of corrupt Registry hives and transaction logs
New dialog displayed when open files are found on volumes about to be launched into VMs
Adjustments to make launching newer builds of Windows 11 into VMs more reliable
Locked BitLocker volumes are now dealt with earlier in the Launch VM workflow
Adjusted behavior of not selecting Windows authentication bypass against Microsoft cloud accounts
The "Launch VM" button becomes "Reconnect VM" after VMs are launched in case consoles are unexpectedly disconnected
Added warnings related to problematic Hyper-V installations
Fixed problem with frozen disk I/O which would sometimes occur when preparing to launch VMs
WinDbg support extended to WinDbg from Microsoft Apps
Improved workflow when DPAPI bypass against multiple accounts is available
Warning displayed when differential file is being stored in RAM but less than 16 GB of free physical memory is found
Mount VSCs
Mount archive
Arsenal-Image-Mounter-v3.10.257.zip MD5 Hash = a1d97d423d34ed69ab34e6d90b30376e
v3.9.239
Released: 02-28-2023
Free Mode:
General
Increased privileges required to open virtual dd files to limit possible abuse of the virtual dd functionality
Fixed issues with large numbers of E01 segments which could result in an I/O error, TRIM commands being disabled against sparsely-allocated dd images and dynamically-allocated RAM disks, and dialogs related to missing or incompatible hypervisors
AIM CLI now includes a “--writable” switch and mounts read-only by default
Updated GUI and CLI readmes
Arsenal-Image-Mounter-v3.9.239.zip MD5 Hash = f6234004d84696002e6b62e82a1bf8b0
v3.9.235
Released: 01-20-2023
Free Mode:
Virtual dd: Partitions are now exposed in addition to disks, volumes, and VSCs. This may be useful when inspecting partitions that do not get assigned drive letters and/or contain file systems unrecognized by Windows.
General: Fixed issue with error displayed after AIM driver install (even though driver was installed successfully), updated GUI readme
Professional Mode:
Launch VM: Additional AV evasion within the virtual machines launched by AIM
Windows file system driver bypass: Fixed partition table validation which was too strict, fixed issue with errors related to file systems in one partition impacting recognition of other partitions, and fixed inability to open small files with all-zero content (without any physical cluster allocation) in ext file systems
Mount archive: Fixed issue with tar header validation being too strict, preventing proper mounting when owner/group names were missing
Arsenal-Image-Mounter_v3.9.235.zip MD5 Hash = 2509558fcea81d606e820b0e1f255f90
v3.9.218
Released: 07-28-2022
Free Mode:
Virtual dd: Upon enabling the virtual dd function, all available disks, volumes, and VSCs (whether AIM-mounted/attached or not) will be virtually exposed in a new volume as read-only raw disk images with the “.dd” extension. Disks will be exposed by their “PhysicalDrive” number, volumes will be exposed both by their currently assigned Windows drive letter and GUID, and VSCs by their volume GUID and timestamp.
Physical disks: Mounted disk images can now be written to physical disks with optional free space clearing (TRIM command for TRIM-enabled SSD disks, otherwise traditional clearing)
GUI: Mount points in AIM’s main screen are now displayed in collapsed details
Disk Image Mounting: Support for qcow/qcow2 format
Disk Image Mounting: Disk images which contain only an ISO9660 file system (CD-ROM) are now automatically mounted as virtual CD/DVDs
Updated readmes
Professional Mode:
VM Launching: DPAPI Bypass scenarios have been significantly expanded, including from VSCs AIM has launched into VMs as well as scenarios pre-Windows 10
VM Launching: In some DPAPI-bypass scenarios involving PIN (or non-password) authentication solely (i.e. password authentication was not an additional option), revealing browser-stored credentials could be problematic. AIM now actively resolves this problem.
VM Launching: In some DPAPI-bypass scenarios, for example involving Windows 8 or 8.1 and Microsoft online accounts, automatic logon does not work which makes AIM’s DPAPI bypass less intuitive. To solve this, AIM VM Tools now displays passwords in clear text so that AIM users can use them for logon with DPAPI fully unlocked.
VM Launching: New Linux authentication bypass
VM Launching: Additional boot driver assistance which results (for example) in more successful VM launches directly from VSCs
VM Launching: The Launch VM option “Boot with last Windows shutdown time” now displays the last shutdown time
VM Launching: VMs are now created with up to 6 GB RAM if >10 GB is available (previously max 4 GB) and with number of CPU cores set to half the number of physical host CPU cores (previously always 2 CPU cores)
VSC Mounting: VSC timestamps are more clearly identified in AIM’s main window and folders containing mounted VSCs
VSC Mounting: Enhanced performance mounting and accessing VSCs
Windows File System Driver Bypass: Support for single disk, non-striped, lvm/lvm2 volumes
Windows File System Driver Bypass: Fixed bugs in DiscUtils NTFS implementation which prevented mounting of some disk images, additional bug fixes in other DiscUtils file system implementations, many optimizations related to both DiscUtils and Dokan 2 resulting in significant performance improvements
Note: To enable Arsenal Image Mounter’s full functionality, the latest .NET 6 is now required.