“Arsenal Image Mounter is a “must have.” No other software allows us to perform such quick and easy virtualization of disk images with powerful features like the Windows authentication and DPAPI bypasses, seamlessly attaching VHDs to the virtual machines to run additional tools, etc. Recently we had our first disk image fail to launch into a VM. I contacted Arsenal support and within a couple hours they isolated the problem, which involved a mixture of boot loaders preventing a normal Windows boot in a VM. While this problem was not related directly to AIM, Arsenal support automated the resolution of this problem and it will be incorporated into the next version. In our experience, it is rare to have both software and support this powerful.”
David Raulin
Président, Forentech SAS
“After requesting that the ability to save disk images with fully-decrypted BitLocker volumes be added to Arsenal Image Mounter’s CLI version, the functionality was quickly added and we were given an internal build to test. The new functionality works great and we are now automating our workflow involving BitLocker decryption and imaging!”
Japanese Police
“Virtualizing our forensic images has never been easier with AIM! Compared to other tools, AIM just works and launches pretty much any Windows image in a forensically sound manner. The password cracking and DPAPI bypass feature stand out the most, allowing investigators to access vital artifacts such as browser passwords, the Recycle Bin, and sometimes even cryptocurrency wallets. Being able to sit behind the screen and see exactly what the suspect did is incredibly valuable in our investigations especially for taking screenshots as part of our disclosure process. Coupled with Arsenal’s speedy customer service and technical support, AIM is the superior forensic virtualization solution available to examiners.”
Digital Forensics Specialist
Federal Law Enforcement (Canada)
“The ability to virtualize and interact with software on a deadbox machine has uncovered key information that could not be retrieved from traditional forensic review software. This capability while still preserving the original forensic image is paramount for any criminal investigation. Using Arsenal Image Mounter, our team was able to reproduce exactly what the user had open at the time of seizure. There are often challenges in presenting evidence and choosing the right medium to present findings on a device, using this software as a presentable visual element for court proceedings provides great effect.”
Cybercrime Investigator
Federal Law Enforcement (Canada)
“Just wanted to share a great experience with Arsenal Image Mounter (AIM). I had a Windows 10 machine, an encrypted MacBook Pro and also an unsupported PIN-locked iPhone. Passwords and PINs weren’t available so I could only access the Windows 10 image and I could see some stored Edge passwords that were showing “encrypted” in AXIOM. I vaguely remembered reading a thread in the Digital Forensics Discord about Arsenal’s features to view the passwords by running the image as a VM, so I found that thread and then tried AIM. Sure enough, AIM bruteforced the Windows account PIN in under 8 seconds which got me access to the passwords. One password unlocked the Mac, and the Windows PIN unlocked the phone! Just thought it was awesome and more people should be aware of the tool if they’re not using it already!”
Sam
Law Enforcement (UK)
"Arsenal Image Mounter’s ability to mount a disk image and launch it into a VM has worked flawlessly since our department purchased the software over the past year. Being able to interact with a subject’s Windows environment as the user would have has helped our non-technical investigation teams gain a better understanding of a subject’s lifestyle, interests, and technical ability. In one such case, with appropriate legal approval, we used AIM to mount an image, launch a VM, expose it to the Internet, and connect to a service with the subject’s previously logged-in and authenticated application in order to secure and obtain over 1TB of CSAE material. Mark and his team have always been very responsive to any queries or technical issues faced along the way."
Dan
Law Enforcement (UK)
"The advanced features provided by Arsenal Image Mounter have significantly enhanced my ability to retrieve usernames and passwords stored by web browsers... and with remarkable speed. The new PIN brute force that works with Hello PINs means I no longer have to spend time manually extracting and cracking to get access to secrets, and within seconds I can be logged into a virtual machine with DPAPI-protected data fully unlocked. AIM’s latest functionality helps us access additional exhibits sooner, for example by using recovered PINs and other secrets against locked mobile phones."
Law Enforcement (UK)
"Arsenal Image Mounter’s new PIN brute force allowed us to get quick access to a suspect’s secrets in a CSAM investigation. Integrating AIM into your workflow with forensic images will not only allow for quick-and-easy access to Windows through the eyes of a normal user, but provide access to encrypted data that would be much more difficult to expose with traditional dead box analysis."
Detective John Haynes
Analyst / Digital Forensics, County Law Enforcement
"Arsenal Image Mounter’s ability to reliably launch disk images into virtual machines has worked great in our ICAC (Internet Crimes Against Children) cases, especially when using DPAPI bypass to gather valuable website credentials for follow-up investigation and when capturing screenshots from within virtual machines as we prepare for court."
Brandon Canary
Computer Forensics Technician, Fontana Police Department
“I recently had a CSAM case in which we needed to find a way to decrypt EFS-encrypted files found on an external hard drive. While examining various pieces of electronic evidence, we discovered that the EFS keys were on one of the suspect’s laptops. Using Arsenal Image Mounter, I launched a forensic image obtained from the laptop into a virtual machine, logged in with a Windows password we cracked with Hashcat, attached a forensic image obtained from the external hard drive to the virtual machine, and proceeded to decrypt all the EFS-encrypted files. This entire process with AIM was far easier than the other tool our agency used previously to launch forensic images into virtual machines. I have also had another CSAM case in which AIM’s latest DPAPI bypass functionality allowed us to access a suspect’s Opera-stored website credentials - without knowing the suspect’s Windows password!”
Territorial Police (UK)
"Just got a forensic image (E01 format) and was told it was “stripped” so there would be no way to launch it into a virtual machine. Initially I tried using a manual process involving VMware Professional to launch the forensic image into a VM, but it entered Automatic Repair every time Windows started to boot. After enough frustration I got an Arsenal license and used Arsenal Image Mounter to launch a VM immediately after mounting the forensic image... and Windows not only booted with no problems (despite what I had been told earlier) but I was able to use the Windows authentication and DPAPI bypasses to access some very interesting secrets."
Federal Law Enforcement (Romania)
“We had been using the free version of Arsenal Image Mounter just as an alternative for mounting disk images. We recently discovered the Professional Mode’s “Launch VM” capabilities and it’s been a game changer. Anyone who wants to save a few hours tinkering with settings to virtualize evidence should look into AIM. And yes, obviously the Windows authentication and DPAPI bypasses save time (and provide unique capability) too. I’m typically seeing from two to five minutes to launch a disk image (usually E01) into a virtual machine and end up at the Windows Desktop.”
Federal Law Enforcement (United States)
“Arsenal Image Mounter is well worth the subscription price. We have a limited budget for digital forensics tools and I would not give up AIM easily. While you can sometimes launch VMs from disk images using other tools and enough effort, AIM is less fiddly and offers more functionality. With AIM’s ability to bypass Windows authentication and add additional “drives” I am able to quickly recreate live systems. In one important case a suspect had two drives within their computer, the first containing an encryption application and the second containing an encrypted volume. I used AIM to launch the first disk image into a virtual machine, then added the second disk image. I was able to successfully run the installed encryption application from the VM to decrypt the locked volume on the second drive.”
Detective Forrest Cook
Oro Valley Police Department (Arizona)
"After multiple failures over the years launching disk images into virtual machines using a tool popular in law enforcement, I purchased Arsenal Image Mounter... and have found it much more reliable. I used AIM on a recent case to launch a disk image obtained from a suspect's laptop into a virtual machine, using both the Windows authentication and DPAPI bypass features. With just a few clicks I was logged into the suspect's Windows account and viewing his passwords, without having any of his credentials. Using insight I gained from seeing the suspect's passwords, I was able to unlock a BitLocker volume he had on another computer. AIM then made it easy to save the unlocked BitLocker volume to a fully-decrypted disk image. AIM has become a crucial part of my casework."
Cst. Derek Frawley
Forensic Analyst, Kingston Police
"We have encountered situations in which popular digital forensics suites could not unlock BitLocker-protected volumes within forensic images acquired by our field offices. Since these suites could not unlock the BitLocker-protected volumes, we would restore each forensic image to a new drive, attach a write blocker, allow Windows to unlock the BitLocker-protected volume, and finally re-acquire a forensic image. This workaround added days to our workflow. Arsenal Image Mounter's new BitLocker functionality works great in these situations, as it reliably mounts BitLocker-protected volumes and can save out new disk images with those volumes fully decrypted - making our workflow much more efficient."
Mike Godfrey
United States Army, CID
“I am currently working on a project that requires me to boot a Windows 10 machine in a virtual environment. Knowing that launching VM’s from forensic images has been a nightmare more often than not, I wasn’t surprised when I was unable to get it to boot using my existing tools. A colleague suggested I try the full version of Arsenal Image Mounter, and in 30 seconds (that’s how long it took for the VM to launch), I was logging in with the user credentials. This has got to be the easiest virtual machine set up I have ever encountered – Wow! No requirement for all kinds of dependencies, no need to convert the forensic image to some other format… it really is easy and quick. It is also easy to copy and paste files between the host machine and VM. I have used AIM’s VM launching functionality almost daily over the past week. I’m definitely sold on this product.”
Greg Bembridge
CET, CCE, CFC, Forensic Analyst/Instructor
“I had a disk image obtained from a Windows server’s 4TB RAID array that failed to launch into a virtual machine using my existing tools and methods. I needed the server running in a virtual machine because it hosted an important CRM application. I also had disk images from Windows workstations which ran the CRM client. While I had used Arsenal Image Mounter’s (AIM’s) Free Mode functionality in the past, I was unaware of its Professional Mode capabilities until this case. AIM allowed me to mount the server’s disk image in write-temporary mode (so changes to the operating system and applications could be made without altering the original evidence) and launch the virtual machine – with just a few button presses! I finally had the server running in a virtual machine… but I was at a login screen and did not have a password. Not a problem – AIM’s Windows authentication bypass allowed me to get right into the server. In order to get the CRM application working, I also launched the Windows workstations into virtual machines using AIM’s isolated networking (only between virtual machines) option. At this point, the CRM clients on the workstations connected to the CRM on the server and my team was able to access the data we needed for our case. I have since recommended AIM to the other members of my team, and I foresee I’ll be using the virtual machine launching and Windows authentication bypassing functionality a lot more often.”
Allan McNamara
Digital Forensic Analyst, National Trading Standards eCrime Team (UK)
“I am a long-term user of Arsenal Image Mounter’s Free Mode functionality, finding it to be the most reliable disk image mounting tool available. Recently I had the opportunity to test AIM’s Professional Mode functionality. I was able to successfully mount several randomly selected disk images (E01 format) and launch them smoothly into virtual machines. Launching disk images into virtual machines is an important feature because a digital forensics analyst may need to better understand operating systems and applications from the perspective of end users… and thanks to AIM’s Windows authentication bypass, I was able to login to accounts without knowing passwords! Also during my testing I was surprised at how easy it was to mount Volume Shadow Copies (VSCs), which could then be compared against the active file systems.”
Shafik G. Punja
DFIR Examiner/Analyst
“I recently had a case where a young man committed suicide and his family wanted to know who he might have been communicating with, particularly within online games. Unfortunately, artifacts that would be relevant in this kind of situation are not easily found using most digital forensics suites. However, I was able to use Arsenal Image Mounter to launch a forensic image of his hard drive into a virtual machine, bypass his Windows password (which the family did not know), and get to his Windows Desktop. Using AIM’s flexible networking options, I was able to connect to the Internet, run his games, and see what he saw – including screen names of the people he talked to. Amazing. I also tried another digital forensics program, with which I had previously been successful in launching VM’s, but it failed to launch a VM from this forensic image… so I will only be using Arsenal Image Mounter in the future.”
Randall Karstetter
Data Forensics Lab, Auburn, WA
“I just wanted to pass along how pleased I am with your products, one of them in particular. For the last few years we kept renewing licenses for another vendor’s tool primarily for the purpose of booting virtual machines from suspect computers. When Windows 10 came out this process became much more complicated, if it even worked at all. Well with Arsenal Image Mounter and a YouTube video from 13Cubed, the process became so easy. We use this process to film the suspect’s computer using a screen video capturing software, as if we were sitting behind their keyboard, and our prosecutors love it. Jurors can now see where the incriminating evidence is in its natural environment instead of having to understand what a file path is. In terms of password bypassing, in a recent case with Windows 10 we tried everything we had to try and break the password/passcode so we could login to the virtual machine. We used both commercial and open source tools with no luck. Arsenal Image Mounter was the only tool that allowed us to bypass the password and it was unbelievable how easy it was.”
David Causey
Detective, St. John's County Sheriff's Office in Florida
“When it comes to mounting disk images (among other things), it is hard to beat Arsenal Image Mounter. It is stable, fast, and it just works. Should you run into an issue, Mark and his team are always willing to hear about it and they feel worse than you will about any issues found. Arsenal is quick to update and pursue new options (often at great expense to themselves in terms of R&D) that just do not exist anywhere else. Beyond the free version however, AIM provides advanced features such as booting forensic images into virtual machines, password bypasses (even online based accounts! Magic!) and more! In an age where vendors want to produce less and less while charging more and more, Arsenal is a breath of fresh air, because they do just the opposite! They keep making the product better!”
Eric Zimmerman
“After many unsuccessful attempts to launch forensic images into virtual machines with a popular digital forensics tool, I decided to give Arsenal Image Mounter a try. I’m very glad I did, because I was able to virtualize forensic images from multiple suspects. AIM also bypassed Microsoft cloud account passwords within the virtual machines, so I was able to take valuable screenshots for the US Attorney. In addition, I have found AIM’s multiple methods of Volume Shadow Copy exporting to be useful.”
ICE/Homeland Security Investigation
“As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.”
Peter Schneider
Software Development Engineer, Cascade Microtech
“My experience with Arsenal’s digital forensics tools is super positive. I use Arsenal Image Mounter every time I’m working with forensic images. AIM’s various options for mounting Volume Shadow Copies are really useful and virtualizing forensic images with a few clicks is amazing!”
Mattia Epifani
REALITY NET System Solutions Founder and SANS Instructor
"Hibernation Recon helped me determine that a Windows hibernation file (hiberfil.sys), exported from a BitLocker-protected disk image by a very popular digital forensics tool, was corrupt. While troubleshooting the situation, I used Arsenal Image Mounter (rather than the tool I used previously) to mount the same disk image and then exported the hibernation file… which was now perfectly intact! I ran Hibernation Recon, this time against the intact hibernation file exported by AIM, and was able to continue my analysis."
Martin Siefert
Proactive Discovery
"Due to an insufficient RAM capture from a Windows 10 machine, we had to look at using a popular memory forensics suite to analyse the hibernation file (hiberfil.sys). Due to issues encountered when trying to do this analysis, I contacted one of the memory forensics suite’s developers… who confirmed the suite is only capable of dealing with hibernation files from XP through Windows 7. He subsequently went on to suggest using a tool called Hibernation Recon, which claims to support decompression for later Windows versions. We used Hibernation Recon’s “Free Mode” and were able to obtain a viable memory dump capable of analysing within other tools, including the suite in question."
D/Sgt Martin McDonagh
Metropolitan Police Cybercrime Unit
“Hibernation Recon has become DoD’s must-have tool for extracting digital artifacts from Windows hibernation files. Not only does Hibernation Recon properly reconstruct active memory for all versions of Windows when other tools fail, it is the only tool that extracts various types of “slack space”, which has yielded critical forensic artifacts for DoD’s foreign intelligence mission that could not have been obtained any other way.”
United States Department of Defense
“Hibernation Recon allowed us to determine that remnants of a Skype chat involving child pornography existed in hiberfil.sys slack space (related to a previous hibernation) and to correct the date and time related to those remnants provided by another tool. Within the recovered chat the sender discussed not only possessing illegal material, but having over 70GB more to send, which was important to obtaining a search warrant.”
Torben Strand
Special Consultant, MSc, Danish National Police Cyber Crime Center (NC3)
“Hibernation Recon gives us the ability to quickly and accurately recover data from hibernation files missed by other tools. Output is very descriptive and helps us better understand the recovered data. Hibernation Recon will be finding a permanent place in our workflow.”
Peter Kohler, Esq.
Digital Forensics and eDiscovery at Evidox Corporation
"Registry Recon helps cut through tedious work and recovers valuable information that is not available without burning enormous amounts of time."
Dennis O'Connor
Senior Investigator, U.S. Department of Labor
"The sheer volume of Registry data that Registry Recon finds, and the methods used to visualize it, are astounding. We were able to analyze a newly complete Registry from a previous installation of Windows that was over two years old."
Ryan Maxwell
Director, Forensic West, DTI
“With other tools, each Registry file has to be analyzed separately in a very time-consuming fashion. With Registry Recon, large numbers of Registry files from both allocated and unallocated space are merged into Recon Registries. I am now able to see how the Registry has changed over the life of both currently and previously installed operating systems.”
Stephen Swanson
President, Computer Forensic Services, LLC
“Typically my experiences with new digital forensic tools don’t turn out well. Registry Recon is the exception to this rule. I was quickly able to determine that a system I was analyzing had been compromised a full 6 months earlier than anyone realized, based on information Registry Recon recovered from unallocated space. It’s safe to say that Registry Recon has become part of my analysis toolkit.”
Bill Spernow
Chief Forensic Advisor, Law & Forensics, Inc. and former Forensics and Incident Response Research Director with the Gartner Group, Inc.
“The cost of Registry Recon is justified by the Recon Reports alone. The pre-built USB Storage Devices report, for example, gives you historical information that no other computer forensics tool can.”
Alex Gessen
Computer Forensics Investigator, eMag Solutions
“I am thoroughly impressed with Registry Recon’s capabilities. Working in law enforcement, I can see how valuable it is to know how a suspect’s computer interacted with particular networks, documents, and storage devices over time.”
Sean Maloney
Trooper, Massachusetts State Police
“I will tell you that (Registry Recon) did an amazing job, even after (Windows) re-install and slight use I was able to recover over a year’s worth of USB device connections… I managed to recover almost all the Registry activity I needed from a re-installed system to prove some findings thanks to Registry Recon.”
David Cowen
Hacking Exposed Computer Forensics Blog
“I'm speechless. I mean it. In the last two years I gave up hope several times that pages worth of revisions I made to a Word document while traveling overseas (and occasionally connected to OneDrive) could be recovered. Fortunately I had a backup from my laptop around the time my revisions were lost, but I was never able to determine if those revisions existed anywhere within the backup. ODC Recon solved this for me in a few minutes by recovering 22 versions of my document from a single FSD file within Office Document Cache. This tool can be a blessing for a lot of people. I really appreciate that you made it possible. Thank you once again for your help! You made my day (week probably)!”
Gabor Ruppert
“LevelDBs are everywhere - from Google’s Android and Chrome operating systems to Microsoft’s desktop applications and more. LevelDB Recon is my favorite viewer for looking at LevelDBs - it allows you to observe sequence numbers, keys, values, and metadata, while recovering more records than other tools. One of my favorite features is being able to ingest and view the multiple .ldb and .log files from the same LevelDB at once in a single view.”
Jessica Hyde
Founder, Hexordia
“LevelDBs are currently one of the most underrated data sources in the digital forensics world. Arsenal has created an easy-to-use tool that makes relevant LevelDB data accessible to examiners of all skill levels. LevelDB Recon will help you find valuable remnants from web browsing, Firebase Cloud Messaging (FCM), Electron-based apps, and more. Other tools do not extract the volume of data from LevelDBs that LevelDB Recon does, especially when it comes to deleted records.”
Digital Forensics Examiner
United States Government
“LevelDB Recon recovered extremely valuable records for us in a high-profile investigation involving deleted browsing history. We were able to use Arsenal’s new tool to recover LevelDB records not found or parsed clearly by other tools. The browsing history in question was not found elsewhere on the computer or in the Microsoft compliance portal’s unified audit logs. LevelDB Recon not only recovered valuable records related to browsing history, but presented the data in an easily searchable console that led us quickly to actionable intelligence.”
Special Agent
US Federal Law Enforcement