Arsenal Image Mounter’s ability to reliably launch disk images into virtual machines has worked great in our ICAC (Internet Crimes Against Children) cases, especially when using DPAPI bypass to gather valuable website credentials for follow-up investigation and when capturing screenshots from within virtual machines as we prepare for court.
Computer Forensics Technician, Fontana Police Department
“I recently had a CSAM case in which we needed to find a way to decrypt EFS-encrypted files found on an external hard drive. While examining various pieces of electronic evidence, we discovered that the EFS keys were on one of the suspect’s laptops. Using Arsenal Image Mounter, I launched a forensic image obtained from the laptop into a virtual machine, logged in with a Windows password we cracked with Hashcat, attached a forensic image obtained from the external hard drive to the virtual machine, and proceeded to decrypt all the EFS-encrypted files. This entire process with AIM was far easier than the other tool our agency used previously to launch forensic images into virtual machines. I have also had another CSAM case in which AIM’s latest DPAPI bypass functionality allowed us to access a suspect’s Opera-stored website credentials - without knowing the suspect’s Windows password!”
Territorial Police (UK)
"Just got a forensic image (E01 format) and was told it was “stripped” so there would be no way to launch it into a virtual machine. Initially I tried using a manual process involving VMware Professional to launch the forensic image into a VM, but it entered Automatic Repair every time Windows started to boot. After enough frustration I got an Arsenal license and used Arsenal Image Mounter to launch a VM immediately after mounting the forensic image... and Windows not only booted with no problems (despite what I had been told earlier) but I was able to use the Windows authentication and DPAPI bypasses to access some very interesting secrets."
Federal Law Enforcement (Romania)
“We had been using the free version of Arsenal Image Mounter just as an alternative for mounting disk images. We recently discovered the Professional Mode’s “Launch VM” capabilities and it’s been a game changer. Anyone who wants to save a few hours tinkering with settings to virtualize evidence should look into AIM. And yes, obviously the Windows authentication and DPAPI bypasses save time (and provide unique capability) too. I’m typically seeing from two to five minutes to launch a disk image (usually E01) into a virtual machine and end up at the Windows Desktop.”
Federal Law Enforcement (United States)
“Arsenal Image Mounter is well worth the subscription price. We have a limited budget for digital forensics tools and I would not give up AIM easily. While you can sometimes launch VMs from disk images using other tools and enough effort, AIM is less fiddly and offers more functionality. With AIM’s ability to bypass Windows authentication and add additional “drives” I am able to quickly recreate live systems. In one important case a suspect had two drives within their computer, the first containing an encryption application and the second containing an encrypted volume. I used AIM to launch the first disk image into a virtual machine, then added the second disk image. I was able to successfully run the installed encryption application from the VM to decrypt the locked volume on the second drive.”
Detective Forrest Cook
Oro Valley Police Department (Arizona)
"After multiple failures over the years launching disk images into virtual machines using a tool popular in law enforcement, I purchased Arsenal Image Mounter... and have found it much more reliable. I used AIM on a recent case to launch a disk image obtained from a suspect's laptop into a virtual machine, using both the Windows authentication and DPAPI bypass features. With just a few clicks I was logged into the suspect's Windows account and viewing his passwords, without having any of his credentials. Using insight I gained from seeing the suspect's passwords, I was able to unlock a BitLocker volume he had on another computer. AIM then made it easy to save the unlocked BitLocker volume to a fully-decrypted disk image. AIM has become a crucial part of my casework."
Cst. Derek Frawley
Forensic Analyst, Kingston Police
"We have encountered situations in which popular digital forensics suites could not unlock BitLocker-protected volumes within forensic images acquired by our field offices. Since these suites could not unlock the BitLocker-protected volumes, we would restore each forensic image to a new drive, attach a write blocker, allow Windows to unlock the BitLocker-protected volume, and finally re-acquire a forensic image. This workaround added days to our workflow. Arsenal Image Mounter's new BitLocker functionality works great in these situations, as it reliably mounts BitLocker-protected volumes and can save out new disk images with those volumes fully decrypted - making our workflow much more efficient."
United States Army, CID
“I am currently working on a project that requires me to boot a Windows 10 machine in a virtual environment. Knowing that launching VM’s from forensic images has been a nightmare more often than not, I wasn’t surprised when I was unable to get it to boot using my existing tools. A colleague suggested I try the full version of Arsenal Image Mounter, and in 30 seconds (that’s how long it took for the VM to launch), I was logging in with the user credentials. This has got to be the easiest virtual machine set up I have ever encountered – Wow! No requirement for all kinds of dependencies, no need to convert the forensic image to some other format… it really is easy and quick. It is also easy to copy and paste files between the host machine and VM. I have used AIM’s VM launching functionality almost daily over the past week. I’m definitely sold on this product.”
CET, CCE, CFC, Forensic Analyst/Instructor
“I had a disk image obtained from a Windows server’s 4TB RAID array that failed to launch into a virtual machine using my existing tools and methods. I needed the server running in a virtual machine because it hosted an important CRM application. I also had disk images from Windows workstations which ran the CRM client. While I had used Arsenal Image Mounter’s (AIM’s) Free Mode functionality in the past, I was unaware of its Professional Mode capabilities until this case. AIM allowed me to mount the server’s disk image in write-temporary mode (so changes to the operating system and applications could be made without altering the original evidence) and launch the virtual machine – with just a few button presses! I finally had the server running in a virtual machine… but I was at a login screen and did not have a password. Not a problem – AIM’s Windows authentication bypass allowed me to get right into the server. In order to get the CRM application working, I also launched the Windows workstations into virtual machines using AIM’s isolated networking (only between virtual machines) option. At this point, the CRM clients on the workstations connected to the CRM on the server and my team was able to access the data we needed for our case. I have since recommended AIM to the other members of my team, and I foresee I’ll be using the virtual machine launching and Windows authentication bypassing functionality a lot more often.”
Digital Forensic Analyst, National Trading Standards eCrime Team (UK)
“I am a long-term user of Arsenal Image Mounter’s Free Mode functionality, finding it to be the most reliable disk image mounting tool available. Recently I had the opportunity to test AIM’s Professional Mode functionality. I was able to successfully mount several randomly selected disk images (E01 format) and launch them smoothly into virtual machines. Launching disk images into virtual machines is an important feature because a digital forensics analyst may need to better understand operating systems and applications from the perspective of end users… and thanks to AIM’s Windows authentication bypass, I was able to log in to accounts without knowing passwords! Also during my testing I was surprised at how easy it was to mount Volume Shadow Copies (VSCs), which could then be compared against the active file systems.”
Shafik G. Punja
“I recently had a case where a young man committed suicide and his family wanted to know who he might have been communicating with, particularly within online games. Unfortunately, artifacts that would be relevant in this kind of situation are not easily found using most digital forensics suites. However, I was able to use Arsenal Image Mounter to launch a forensic image of his hard drive into a virtual machine, bypass his Windows password (which the family did not know), and get to his Windows Desktop. Using AIM’s flexible networking options, I was able to connect to the Internet, run his games, and see what he saw – including screen names of the people he talked to. Amazing. I also tried another digital forensics program, with which I had previously been successful in launching VM’s, but it failed to launch a VM from this forensic image… so I will only be using Arsenal Image Mounter in the future.”
Data Forensics Lab, Auburn, WA
“I just wanted to pass along how pleased I am with your products, one of them in particular. For the last few years we kept renewing licenses for another vendor’s tool primarily for the purpose of booting virtual machines from suspect computers. When Windows 10 came out this process became much more complicated, if it even worked at all. Well with Arsenal Image Mounter and a YouTube video from 13Cubed, the process became so easy. We use this process to film the suspect’s computer using a screen video capturing software, as if we were sitting behind their keyboard, and our prosecutors love it. Jurors can now see where the incriminating evidence is in its natural environment instead of having to understand what a file path is. In terms of password bypassing, in a recent case with Windows 10 we tried everything we had to try and break the password/passcode so we could log in to the virtual machine. We used both commercial and open source tools with no luck. Arsenal Image Mounter was the only tool that allowed us to bypass the password and it was unbelievable how easy it was.”
Detective, St. John's County Sheriff's Office in Florida
“When it comes to mounting disk images (among other things), it is hard to beat Arsenal Image Mounter. It is stable, fast, and it just works. Should you run into an issue, Mark and his team are always willing to hear about it and they feel worse than you will about any issues found. Arsenal is quick to update and pursue new options (often at great expense to themselves in terms of R&D) that just do not exist anywhere else. Beyond the free version however, AIM provides advanced features such as booting forensic images into virtual machines, password bypasses (even online based accounts! Magic!) and more! In an age where vendors want to produce less and less while charging more and more, Arsenal is a breath of fresh air, because they do just the opposite! They keep making the product better!”
“After many unsuccessful attempts to launch forensic images into virtual machines with a popular digital forensics tool, I decided to give Arsenal Image Mounter a try. I’m very glad I did, because I was able to virtualize forensic images from multiple suspects. AIM also bypassed Microsoft cloud account passwords within the virtual machines, so I was able to take valuable screenshots for the US Attorney. In addition, I have found AIM’s multiple methods of Volume Shadow Copy exporting to be useful.”
ICE/Homeland Security Investigation
“As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.”
Software Development Engineer, Cascade Microtech
“My experience with Arsenal’s digital forensics tools is super positive. I use Arsenal Image Mounter every time I’m working with forensic images. AIM’s various options for mounting Volume Shadow Copies are really useful and virtualizing forensic images with a few clicks is amazing!”
REALITY NET System Solutions Founder and SANS Instructor