“I recently had a CSAM case in which we needed to find a way to decrypt EFS-encrypted files found on an external hard drive. While examining various pieces of electronic evidence, we discovered that the EFS keys were on one of the suspect’s laptops. Using Arsenal Image Mounter, I launched a forensic image obtained from the laptop into a virtual machine, logged in with a Windows password we cracked with Hashcat, attached a forensic image obtained from the external hard drive to the virtual machine, and proceeded to decrypt all the EFS-encrypted files. This entire process with AIM was far easier than the other tool our agency used previously to launch forensic images into virtual machines. I have also had another CSAM case in which AIM’s latest DPAPI bypass functionality allowed us to access a suspect’s Opera-stored website credentials - without knowing the suspect’s Windows password!”
Territorial Police (UK)
"Just got a forensic image (E01 format) and was told it was “stripped” so there would be no way to launch it into a virtual machine. Initially I tried using a manual process involving VMware Professional to launch the forensic image into a VM, but it entered Automatic Repair every time Windows started to boot. After enough frustration I got an Arsenal license and used Arsenal Image Mounter to launch a VM immediately after mounting the forensic image... and Windows not only booted with no problems (despite what I had been told earlier) but I was able to use the Windows authentication and DPAPI bypasses to access some very interesting secrets."
Federal Law Enforcement (Romania)
“We had been using the free version of Arsenal Image Mounter just as an alternative for mounting disk images. We recently discovered the Professional Mode’s “Launch VM” capabilities and it’s been a game changer. Anyone who wants to save a few hours tinkering with settings to virtualize evidence should look into AIM. And yes, obviously the Windows authentication and DPAPI bypasses save time (and provide unique capability) too. I’m typically seeing from two to five minutes to launch a disk image (usually E01) into a virtual machine and end up at the Windows Desktop.”
Federal Law Enforcement (United States)
“Arsenal Image Mounter is well worth the subscription price. We have a limited budget for digital forensics tools and I would not give up AIM easily. While you can sometimes launch VMs from disk images using other tools and enough effort, AIM is less fiddly and offers more functionality. With AIM’s ability to bypass Windows authentication and add additional “drives” I am able to quickly recreate live systems. In one important case a suspect had two drives within their computer, the first containing an encryption application and the second containing an encrypted volume. I used AIM to launch the first disk image into a virtual machine, then added the second disk image. I was able to successfully run the installed encryption application from the VM to decrypt the locked volume on the second drive.”
Detective Forrest Cook
Oro Valley Police Department (Arizona)
"After multiple failures over the years launching disk images into virtual machines using a tool popular in law enforcement, I purchased Arsenal Image Mounter... and have found it much more reliable. I used AIM on a recent case to launch a disk image obtained from a suspect's laptop into a virtual machine, using both the Windows authentication and DPAPI bypass features. With just a few clicks I was logged into the suspect's Windows account and viewing his passwords, without having any of his credentials. Using insight I gained from seeing the suspect's passwords, I was able to unlock a BitLocker volume he had on another computer. AIM then made it easy to save the unlocked BitLocker volume to a fully-decrypted disk image. AIM has become a crucial part of my casework."
Cst. Derek Frawley
Forensic Analyst, Kingston Police
"We have encountered situations in which popular digital forensics suites could not unlock BitLocker-protected volumes within forensic images acquired by our filed offices. Since these suites could not unlock the BitLocker-protected volumes, we would restore each forensic image to a new drive, attach a write blocker, allow Windows to unlock the BitLocker-protected volume, and finally re-acquire a forensic image. This workaround added days to our workflow. Arsenal Image Mounter's new BitLocker functionality works great in these situations, as it reliably mounts BitLocker-protected volumes and can save out new disk images with those volumes fully decrypted - making our workflow much more efficient."
United States Army, CID
“I am currently working on a project that requires me to boot a Windows 10 machine in a virtual environment. Knowing that launching VM’s from forensic images has been a nightmare more often than not, I wasn’t surprised when I was unable to get it to boot using my existing tools. A colleague suggested I try the full version of Arsenal Image Mounter, and in 30 seconds (that’s how long it took for the VM to launch), I was logging in with the user credentials. This has got to be the easiest virtual machine set up I have ever encountered – Wow! No requirement for all kinds of dependencies, no need to convert the forensic image to some other format… it really is easy and quick. It is also easy to copy and paste files between the host machine and VM. I have used AIM’s VM launching functionality almost daily over the past week. I’m definitely sold on this product.”
CET, CCE, CFC, Forensic Analyst/Instructor
“I had a disk image obtained from a Windows server’s 4TB RAID array that failed to launch into a virtual machine using my existing tools and methods. I needed the server running in a virtual machine because it hosted an important CRM application. I also had disk images from Windows workstations which ran the CRM client. While I had used Arsenal Image Mounter’s (AIM’s) Free Mode functionality in the past, I was unaware of its Professional Mode capabilities until this case. AIM allowed me to mount the server’s disk image in write-temporary mode (so changes to the operating system and applications could be made without altering the original evidence) and launch the virtual machine – with just a few button presses! I finally had the server running in a virtual machine… but I was at a login screen and did not have a password. Not a problem – AIM’s Windows authentication bypass allowed me to get right into the server. In order to get the CRM application working, I also launched the Windows workstations into virtual machines using AIM’s isolated networking (only between virtual machines) option. At this point, the CRM clients on the workstations connected to the CRM on the server and my team was able to access the data we needed for our case. I have since recommended AIM to the other members of my team, and I foresee I’ll be using the virtual machine launching and Windows authentication bypassing functionality a lot more often.”
Digital Forensic Analyst, National Trading Standards eCrime Team (UK)
“I am a long-term user of Arsenal Image Mounter’s Free Mode functionality, finding it to be the most reliable disk image mounting tool available. Recently I had the opportunity to test AIM’s Professional Mode functionality. I was able to successfully mount several randomly selected disk images (E01 format) and launch them smoothly into virtual machines. Launching disk images into virtual machines is an important feature because a digital forensics analyst may need to better understand operating systems and applications from the perspective of end users… and thanks to AIM’s Windows authentication bypass, I was able to login to accounts without knowing passwords! Also during my testing I was surprised at how easy it was to mount Volume Shadow Copies (VSCs), which could then be compared against the active file systems.”
Shafik G. Punja
“I recently had a case where a young man committed suicide and his family wanted to know who he might have been communicating with, particularly within online games. Unfortunately, artifacts that would be relevant in this kind of situation are not easily found using most digital forensics suites. However, I was able to use Arsenal Image Mounter to launch a forensic image of his hard drive into a virtual machine, bypass his Windows password (which the family did not know), and get to his Windows Desktop. Using AIM’s flexible networking options, I was able to connect to the Internet, run his games, and see what he saw – including screen names of the people he talked to. Amazing. I also tried another digital forensics program, with which I had previously been successful in launching VM’s, but it failed to launch a VM from this forensic image… so I will only be using Arsenal Image Mounter in the future.”
Data Forensics Lab, Auburn, WA
“I just wanted to pass along how pleased I am with your products, one of them in particular. For the last few years we kept renewing licenses for another vendor’s tool primarily for the purpose of booting virtual machines from suspect computers. When Windows 10 came out this process became much more complicated, if it even worked at all. Well with Arsenal Image Mounter and a YouTube video from 13Cubed, the process became so easy. We use this process to film the suspect’s computer using a screen video capturing software, as if we were sitting behind their keyboard, and our prosecutors love it. Jurors can now see where the incriminating evidence is in its natural environment instead of having to understand what a file path is. In terms of password bypassing, in a recent case with Windows 10 we tried everything we had to try and break the password/passcode so we could login to the virtual machine. We used both commercial and open source tools with no luck. Arsenal Image Mounter was the only tool that allowed us to bypass the password and it was unbelievable how easy it was.”
Detective, St. John's County Sheriff's Office in Florida
“When it comes to mounting disk images (among other things), it is hard to beat Arsenal Image Mounter. It is stable, fast, and it just works. Should you run into an issue, Mark and his team are always willing to hear about it and they feel worse than you will about any issues found. Arsenal is quick to update and pursue new options (often at great expense to themselves in terms of R&D) that just do not exist anywhere else. Beyond the free version however, AIM provides advanced features such as booting forensic images into virtual machines, password bypasses (even online based accounts! Magic!) and more! In an age where vendors want to produce less and less while charging more and more, Arsenal is a breath of fresh air, because they do just the opposite! They keep making the product better!”
“After many unsuccessful attempts to launch forensic images into virtual machines with a popular digital forensics tool, I decided to give Arsenal Image Mounter a try. I’m very glad I did, because I was able to virtualize forensic images from multiple suspects. AIM also bypassed Microsoft cloud account passwords within the virtual machines, so I was able to take valuable screenshots for the US Attorney. In addition, I have found AIM’s multiple methods of Volume Shadow Copy exporting to be useful.”
ICE/Homeland Security Investigation
“As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.”
Software Development Engineer, Cascade Microtech
“My experience with Arsenal’s digital forensics tools is super positive. I use Arsenal Image Mounter every time I’m working with forensic images. AIM’s various options for mounting Volume Shadow Copies are really useful and virtualizing forensic images with a few clicks is amazing!”
REALITY NET System Solutions Founder and SANS Instructor
"Hibernation Recon helped me determine that a Windows hibernation file (hiberfil.sys), exported from a BitLocker-protected disk image by a very popular digital forensics tool, was corrupt. While troubleshooting the situation, I used Arsenal Image Mounter (rather than the tool I used previously) to mount the same disk image and then exported the hibernation file… which was now perfectly intact! I ran Hibernation Recon, this time against the intact hibernation file exported by AIM, and was able to continue my analysis."
"Due to an insufficient RAM capture from a Windows 10 machine, we had to look at using a popular memory forensics suite to analyse the hibernation file (hiberfil.sys). Due to issues encountered when trying to do this analysis, I contacted one of the memory forensics suite’s developers… who confirmed the suite is only capable of dealing with hibernation files from XP through Windows 7. He subsequently went on to suggest using a tool called Hibernation Recon, which claims to support decompression for later Windows versions. We used Hibernation Recon’s “Free Mode” and were able to obtain a viable memory dump capable of analysing within other tools, including the suite in question."
D/Sgt Martin McDonagh
Metropolitan Police Cybercrime Unit
“Hibernation Recon has become DoD’s must-have tool for extracting digital artifacts from Windows hibernation files. Not only does Hibernation Recon properly reconstruct active memory for all versions of Windows when other tools fail, it is the only tool that extracts various types of “slack space”, which has yielded critical forensic artifacts for DoD’s foreign intelligence mission that could not have been obtained any other way.”
United States Department of Defense
“Hibernation Recon allowed us to determine that remnants of a Skype chat involving child pornography existed in hiberfil.sys slack space (related to a previous hibernation) and to correct the date and time related to those remnants provided by another tool. Within the recovered chat the sender discussed not only possessing illegal material, but having over 70GB more to send, which was important to obtaining a search warrant.”
Special Consultant, MSc, Danish National Police Cyber Crime Center (NC3)
“Hibernation Recon gives us the ability to quickly and accurately recover data from hibernation files missed by other tools. Output is very descriptive and helps us better understand the recovered data. Hibernation Recon will be finding a permanent place in our workflow.”
Peter Kohler, Esq.
Digital Forensics and eDiscovery at Evidox Corporation
"Registry Recon helps cut through tedious work and recovers valuable information that is not available without burning enormous amounts of time."
Senior Investigator, U.S. Department of Labor
"The sheer volume of Registry data that Registry Recon finds, and the methods used to visualize it, are astounding. We were able to analyze a newly complete Registry from a previous installation of Windows that was over two years old."
Director, Forensic West, DTI
“With other tools, each Registry file has to be analyzed separately in a very time-consuming fashion. With Registry Recon, large numbers of Registry files from both allocated and unallocated space are merged into Recon Registries. I am now able to see how the Registry has changed over the life of both currently and previously installed operating systems.”
President, Computer Forensic Services, LLC
“Typically my experiences with new digital forensic tools don’t turn out well. Registry Recon is the exception to this rule. I was quickly able to determine that a system I was analyzing had been compromised a full 6 months earlier than anyone realized, based on information Registry Recon recovered from unallocated space. It’s safe to say that Registry Recon has become part of my analysis toolkit.”
Chief Forensic Advisor, Law & Forensics, Inc. and former Forensics and Incident Response Research Director with the Gartner Group, Inc.
“The cost of Registry Recon is justified by the Recon Reports alone. The pre-built USB Storage Devices report, for example, gives you historical information that no other computer forensics tool can.”
Computer Forensics Investigator, eMag Solutions
“I am thoroughly impressed with Registry Recon’s capabilities. Working in law enforcement, I can see how valuable it is to know how a suspect’s computer interacted with particular networks, documents, and storage devices over time.”
Trooper, Massachusetts State Police
“I will tell you that (Registry Recon) did an amazing job, even after (Windows) re-install and slight use I was able to recover over a year’s worth of USB device connections… I managed to recover almost all the Registry activity I needed from a re-installed system to prove some findings thanks to Registry Recon.”
Hacking Exposed Computer Forensics Blog
"I'm speechless. I mean it. In the last two years I gave up hope several times that pages worth of revisions I made to a Word document while traveling overseas (and occasionally connected to OneDrive) could be recovered. Fortunately I had a backup from my laptop around the time my revisions were lost, but I was never able to determine if those revisions existed anywhere within the backup. ODC Recon solved this for me in a few minutes by recovering 22 versions of my document from a single FSD file within Office Document Cache. This tool can be a blessing for a lot of people. I really appreciate that you made it possible. Thank you once again for your help! You made my day (week probably)!”