Arsenal Image Mounter

Arsenal

Image Mounter

Reliable. Powerful. Trusted.

Arsenal Image Mounter Testimonials

AIM Is A Must Have

Arsenal Image Mounter is a “must have.” No other software allows us to perform such quick and easy virtualization of disk images with powerful features like the Windows authentication and DPAPI bypasses, seamlessly attaching VHDs to the virtual machines to run additional tools, etc. Recently we had our first disk image fail to launch into a VM. I contacted Arsenal support and within a couple hours they isolated the problem, which involved a mixture of boot loaders preventing a normal Windows boot in a VM. While this problem was not related directly to AIM, Arsenal support automated the resolution of this problem and it will be incorporated into the next version. In our experience, it is rare to have both software and support this powerful.”

David Raulin
Président, Forentech SAS

Automating Our Workflow

“After requesting that the ability to save disk images with fully-decrypted BitLocker volumes be added to Arsenal Image Mounter’s CLI version, the functionality was quickly added and we were given an internal build to test. The new functionality works great and we are now automating our workflow involving BitLocker decryption and imaging!”


Japanese Police

AIM Just Works

“Virtualizing our forensic images has never been easier with AIM! Compared to other tools, AIM just works and launches pretty much any Windows image in a forensically sound manner. The password cracking and DPAPI bypass feature stand out the most, allowing investigators to access vital artifacts such as browser passwords, the Recycle Bin, and sometimes even cryptocurrency wallets. Being able to sit behind the screen and see exactly what the suspect did is incredibly valuable in our investigations especially for taking screenshots as part of our disclosure process. Coupled with Arsenal’s speedy customer service and technical support, AIM is the superior forensic virtualization solution available to examiners.”

Digital Forensics Specialist
Federal Law Enforcement (Canada)

Uncovered Key Information

“The ability to virtualize and interact with software on a deadbox machine has uncovered key information that could not be retrieved from traditional forensic review software. This capability while still preserving the original forensic image is paramount for any criminal investigation. Using Arsenal Image Mounter, our team was able to reproduce exactly what the user had open at the time of seizure. There are often challenges in presenting evidence and choosing the right medium to present findings on a device, using this software as a presentable visual element for court proceedings provides great effect.”

Cybercrime Investigator
Federal Law Enforcement (Canada)

More People Should Be Aware

“Just wanted to share a great experience with Arsenal Image Mounter (AIM). I had a Windows 10 machine, an encrypted MacBook Pro and also an unsupported PIN-locked iPhone. Passwords and PINs weren’t available so I could only access the Windows 10 image and I could see some stored Edge passwords that were showing “encrypted” in AXIOM. I vaguely remembered reading a thread in the Digital Forensics Discord about Arsenal’s features to view the passwords by running the image as a VM, so I found that thread and then tried AIM. Sure enough, AIM bruteforced the Windows account PIN in under 8 seconds which got me access to the passwords. One password unlocked the Mac, and the Windows PIN unlocked the phone! Just thought it was awesome and more people should be aware of the tool if they’re not using it already!”

Sam
Law Enforcement (UK)

Worked Flawlessly

"Arsenal Image Mounter’s ability to mount a disk image and launch it into a VM has worked flawlessly since our department purchased the software over the past year. Being able to interact with a subject’s Windows environment as the user would have has helped our non-technical investigation teams gain a better understanding of a subject’s lifestyle, interests, and technical ability. In one such case, with appropriate legal approval, we used AIM to mount an image, launch a VM, expose it to the Internet, and connect to a service with the subject’s previously logged-in and authenticated application in order to secure and obtain over 1TB of CSAE material. Mark and his team have always been very responsive to any queries or technical issues faced along the way."

Dan
Law Enforcement (UK)

Significantly Enhanced My Ability

"The advanced features provided by Arsenal Image Mounter have significantly enhanced my ability to retrieve usernames and passwords stored by web browsers... and with remarkable speed. The new PIN brute force that works with Hello PINs means I no longer have to spend time manually extracting and cracking to get access to secrets, and within seconds I can be logged into a virtual machine with DPAPI-protected data fully unlocked. AIM’s latest functionality helps us access additional exhibits sooner, for example by using recovered PINs and other secrets against locked mobile phones."


Law Enforcement (UK)

Quick Access To Suspect’s Secrets

"Arsenal Image Mounter’s new PIN brute force allowed us to get quick access to a suspect’s secrets in a CSAM investigation. Integrating AIM into your workflow with forensic images will not only allow for quick-and-easy access to Windows through the eyes of a normal user, but provide access to encrypted data that would be much more difficult to expose with traditional dead box analysis."

Detective John Haynes
Analyst / Digital Forensics, County Law Enforcement

Gather Valuable Website Credentials

"Arsenal Image Mounter’s ability to reliably launch disk images into virtual machines has worked great in our ICAC (Internet Crimes Against Children) cases, especially when using DPAPI bypass to gather valuable website credentials for follow-up investigation and when capturing screenshots from within virtual machines as we prepare for court."

Brandon Canary
Computer Forensics Technician, Fontana Police Department

AIM Was Far Easier

“I recently had a CSAM case in which we needed to find a way to decrypt EFS-encrypted files found on an external hard drive. While examining various pieces of electronic evidence, we discovered that the EFS keys were on one of the suspect’s laptops. Using Arsenal Image Mounter, I launched a forensic image obtained from the laptop into a virtual machine, logged in with a Windows password we cracked with Hashcat, attached a forensic image obtained from the external hard drive to the virtual machine, and proceeded to decrypt all the EFS-encrypted files. This entire process with AIM was far easier than the other tool our agency used previously to launch forensic images into virtual machines. I have also had another CSAM case in which AIM’s latest DPAPI bypass functionality allowed us to access a suspect’s Opera-stored website credentials - without knowing the suspect’s Windows password!”

Territorial Police (UK)

Access Some Very Interesting Secrets

"Just got a forensic image (E01 format) and was told it was “stripped” so there would be no way to launch it into a virtual machine. Initially I tried using a manual process involving VMware Professional to launch the forensic image into a VM, but it entered Automatic Repair every time Windows started to boot. After enough frustration I got an Arsenal license and used Arsenal Image Mounter to launch a VM immediately after mounting the forensic image... and Windows not only booted with no problems (despite what I had been told earlier) but I was able to use the Windows authentication and DPAPI bypasses to access some very interesting secrets."

Federal Law Enforcement (Romania)

It's Been A Game Changer

“We had been using the free version of Arsenal Image Mounter just as an alternative for mounting disk images. We recently discovered the Professional Mode’s “Launch VM” capabilities and it’s been a game changer. Anyone who wants to save a few hours tinkering with settings to virtualize evidence should look into AIM. And yes, obviously the Windows authentication and DPAPI bypasses save time (and provide unique capability) too. I’m typically seeing from two to five minutes to launch a disk image (usually E01) into a virtual machine and end up at the Windows Desktop.”

Federal Law Enforcement (United States)

Quickly Recreate Live Systems

Arsenal Image Mounter is well worth the subscription price. We have a limited budget for digital forensics tools and I would not give up AIM easily. While you can sometimes launch VMs from disk images using other tools and enough effort, AIM is less fiddly and offers more functionality. With AIM’s ability to bypass Windows authentication and add additional “drives” I am able to quickly recreate live systems. In one important case a suspect had two drives within their computer, the first containing an encryption application and the second containing an encrypted volume. I used AIM to launch the first disk image into a virtual machine, then added the second disk image. I was able to successfully run the installed encryption application from the VM to decrypt the locked volume on the second drive.”

Detective Forrest Cook
Oro Valley Police Department (Arizona)

No More Failures Launching VMs

"After multiple failures over the years launching disk images into virtual machines using a tool popular in law enforcement, I purchased Arsenal Image Mounter... and have found it much more reliable. I used AIM on a recent case to launch a disk image obtained from a suspect's laptop into a virtual machine, using both the Windows authentication and DPAPI bypass features. With just a few clicks I was logged into the suspect's Windows account and viewing his passwords, without having any of his credentials. Using insight I gained from seeing the suspect's passwords, I was able to unlock a BitLocker volume he had on another computer. AIM then made it easy to save the unlocked BitLocker volume to a fully-decrypted disk image. AIM has become a crucial part of my casework."

Cst. Derek Frawley
Forensic Analyst, Kingston Police

More Reliable BitLocker Access

"We have encountered situations in which popular digital forensics suites could not unlock BitLocker-protected volumes within forensic images acquired by our field offices. Since these suites could not unlock the BitLocker-protected volumes, we would restore each forensic image to a new drive, attach a write blocker, allow Windows to unlock the BitLocker-protected volume, and finally re-acquire a forensic image. This workaround added days to our workflow. Arsenal Image Mounter's new BitLocker functionality works great in these situations, as it reliably mounts BitLocker-protected volumes and can save out new disk images with those volumes fully decrypted - making our workflow much more efficient."

Mike Godfrey
United States Army, CID

Launching VMs With Other Tools Is A Nightmare

“I am currently working on a project that requires me to boot a Windows 10 machine in a virtual environment. Knowing that launching VM’s from forensic images has been a nightmare more often than not, I wasn’t surprised when I was unable to get it to boot using my existing tools. A colleague suggested I try the full version of Arsenal Image Mounter, and in 30 seconds (that’s how long it took for the VM to launch), I was logging in with the user credentials. This has got to be the easiest virtual machine set up I have ever encountered – Wow! No requirement for all kinds of dependencies, no need to convert the forensic image to some other format… it really is easy and quick. It is also easy to copy and paste files between the host machine and VM. I have used AIM’s VM launching functionality almost daily over the past week. I’m definitely sold on this product.”

Greg Bembridge
CET, CCE, CFC, Forensic Analyst/Instructor

Client/Server Disk Images Launched Into VMs

“I had a disk image obtained from a Windows server’s 4TB RAID array that failed to launch into a virtual machine using my existing tools and methods. I needed the server running in a virtual machine because it hosted an important CRM application. I also had disk images from Windows workstations which ran the CRM client. While I had used Arsenal Image Mounter’s (AIMs) Free Mode functionality in the past, I was unaware of its Professional Mode capabilities until this case. AIM allowed me to mount the server’s disk image in write-temporary mode (so changes to the operating system and applications could be made without altering the original evidence) and launch the virtual machine – with just a few button presses! I finally had the server running in a virtual machine… but I was at a login screen and did not have a password. Not a problem – AIM’s Windows authentication bypass allowed me to get right into the server. In order to get the CRM application working, I also launched the Windows workstations into virtual machines using AIM’s isolated networking (only between virtual machines) option. At this point, the CRM clients on the workstations connected to the CRM on the server and my team was able to access the data we needed for our case. I have since recommended AIM to the other members of my team, and I foresee I’ll be using the virtual machine launching and Windows authentication bypassing functionality a lot more often.”

Allan McNamara
Digital Forensic Analyst, National Trading Standards eCrime Team (UK)

Logging Into Windows Without Passwords

“I am a long-term user of Arsenal Image Mounter’s Free Mode functionality, finding it to be the most reliable disk image mounting tool available. Recently I had the opportunity to test AIM’s Professional Mode functionality. I was able to successfully mount several randomly selected disk images (E01 format) and launch them smoothly into virtual machines. Launching disk images into virtual machines is an important feature because a digital forensics analyst may need to better understand operating systems and applications from the perspective of end users… and thanks to AIM’s Windows authentication bypass, I was able to login to accounts without knowing passwords! Also during my testing I was surprised at how easy it was to mount Volume Shadow Copies (VSCs), which could then be compared against the active file systems.”

Shafik G. Punja
DFIR Examiner/Analyst

Disk Image Launched Into VM In Suicide Case

“I recently had a case where a young man committed suicide and his family wanted to know who he might have been communicating with, particularly within online games. Unfortunately, artifacts that would be relevant in this kind of situation are not easily found using most digital forensics suites. However, I was able to use Arsenal Image Mounter to launch a forensic image of his hard drive into a virtual machine, bypass his Windows password (which the family did not know), and get to his Windows Desktop. Using AIM’s flexible networking options, I was able to connect to the Internet, run his games, and see what he saw – including screen names of the people he talked to. Amazing. I also tried another digital forensics program, with which I had previously been successful in launching VM’s, but it failed to launch a VM from this forensic image… so I will only be using Arsenal Image Mounter in the future.”

Randall Karstetter
Data Forensics Lab, Auburn, WA

Prosecutors Love VMs

“I just wanted to pass along how pleased I am with your products, one of them in particular. For the last few years we kept renewing licenses for another vendor’s tool primarily for the purpose of booting virtual machines from suspect computers. When Windows 10 came out this process became much more complicated, if it even worked at all. Well with Arsenal Image Mounter and a YouTube video from 13Cubed, the process became so easy. We use this process to film the suspect’s computer using a screen video capturing software, as if we were sitting behind their keyboard, and our prosecutors love it. Jurors can now see where the incriminating evidence is in its natural environment instead of having to understand what a file path is. In terms of password bypassing, in a recent case with Windows 10 we tried everything we had to try and break the password/passcode so we could login to the virtual machine. We used both commercial and open source tools with no luck. Arsenal Image Mounter was the only tool that allowed us to bypass the password and it was unbelievable how easy it was.”

David Causey
Detective, St. John's County Sheriff's Office in Florida

Stable, Fast, And It Just Works

“When it comes to mounting disk images (among other things), it is hard to beat Arsenal Image Mounter. It is stable, fast, and it just works. Should you run into an issue, Mark and his team are always willing to hear about it and they feel worse than you will about any issues found. Arsenal is quick to update and pursue new options (often at great expense to themselves in terms of R&D) that just do not exist anywhere else. Beyond the free version however, AIM provides advanced features such as booting forensic images into virtual machines, password bypasses (even online based accounts! Magic!) and more! In an age where vendors want to produce less and less while charging more and more, Arsenal is a breath of fresh air, because they do just the opposite! They keep making the product better!”

Eric Zimmerman

Popular Tool Fails To Launch VMs

“After many unsuccessful attempts to launch forensic images into virtual machines with a popular digital forensics tool, I decided to give Arsenal Image Mounter a try. I’m very glad I did, because I was able to virtualize forensic images from multiple suspects. AIM also bypassed Microsoft cloud account passwords within the virtual machines, so I was able to take valuable screenshots for the US Attorney. In addition, I have found AIM’s multiple methods of Volume Shadow Copy exporting to be useful.“

ICE/Homeland Security Investigation

One Of The Many Possibilities

“As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.“

Peter Schneider
Software Development Engineer, Cascade Microtech

Multiple Methods Of Mounting VSCs

“My experience with Arsenal’s digital forensics tools is super positive. I use Arsenal Image Mounter every time I’m working with forensic images. AIM‘s various options for mounting Volume Shadow Copies is really useful and virtualizing forensic images with a few clicks is amazing!”

Mattia Epifani
REALITY NET System Solutions Founder and SANS Instructor