“Due to an insufficient RAM capture from a Windows 10 machine, we had to look at using a popular memory forensics suite to analyse the hibernation file (hiberfil.sys). Due to issues encountered when trying to do this analysis, I contacted one of the memory forensics suite’s developers… who confirmed the suite is only capable of dealing with hibernation files from XP through Windows 7. He subsequently went on to suggest using a tool called Hibernation Recon, which claims to support decompression for later Windows versions. We used Hibernation Recon’s “Free Mode” and were able to obtain a viable memory dump capable of analysing within other tools, including the suite in question.”

D/Sgt Martin McDonagh

Metropolitan Police Cybercrime Unit

“I am a long-term user of Arsenal Image Mounter’s Free Mode functionality, finding it to be the most reliable disk image mounting tool available. Recently I had the opportunity to test AIM’s Professional Mode functionality. I was able to successfully mount several randomly selected disk images (E01 format) and launch them smoothly into virtual machines. Launching disk images into virtual machines is an important feature because a digital forensics analyst may need to better understand operating systems and applications from the perspective of end users… and thanks to AIM’s Windows authentication bypass, I was able to login to accounts without knowing passwords! Also during my testing I was surprised at how easy it was to mount Volume Shadow Copies (VSCs), which could then be compared against the active file systems.”

Shafik G. Punja

DFIR Examiner/Analyst

“I’m speechless. I mean it. In the last two years I gave up hope several times that pages worth of revisions I made to a Word document while traveling overseas (and occasionally connected to OneDrive) could be recovered. Fortunately I had a backup from my laptop around the time my revisions were lost, but I was never able to determine if those revisions existed anywhere within the backup. ODC Recon solved this for me in a few minutes by recovering 22 versions of my document from a single FSD file within Office Document Cache. This tool can be a blessing for a lot of people. I really appreciate that you made it possible. Thank you once again for your help! You made my day (week probably)!”

Gabor Ruppert

“We have encountered situations in which popular digital forensics suites could not unlock BitLocker-protected volumes within forensic images acquired by our field offices. Since these suites could not unlock the BitLocker-protected volumes, we would restore each forensic image to a new drive, attach a write blocker, allow Windows to unlock the BitLocker-protected volume, and finally re-acquire a forensic image. This workaround added days to our workflow. Arsenal Image Mounter’s new BitLocker functionality works great in these situations, as it reliably mounts BitLocker-protected volumes and can save out new disk images with those volumes fully decrypted – making our workflow much more efficient.”

Mike Godfrey

United States Army, CID

“I recently had a case where a young man committed suicide and his family wanted to know who he might have been communicating with, particularly within online games. Unfortunately, artifacts that would be relevant in this kind of situation are not easily found using most digital forensics suites. However, I was able to use Arsenal Image Mounter to launch a forensic image of his hard drive into a virtual machine, bypass his Windows password (which the family did not know), and get to his Windows Desktop. Using AIM’s flexible networking options, I was able to connect to the Internet, run his games, and see what he saw – including screen names of the people he talked to. Amazing. I also tried another digital forensics program, with which I had previously been successful in launching VM’s, but it failed to launch a VM from this forensic image… so I will only be using Arsenal Image Mounter in the future.”

Randall Karstetter

Data Forensics Lab, Auburn, WA

“I just wanted to pass along how pleased I am with your products, one of them in particular. For the last few years we kept renewing licenses for another vendor’s tool primarily for the purpose of booting virtual machines from suspect computers. When Windows 10 came out this process became much more complicated, if it even worked at all. Well with Arsenal Image Mounter and a YouTube video from 13Cubed, the process became so easy. We use this process to film the suspect’s computer using a screen video capturing software, as if we were sitting behind their keyboard, and our prosecutors love it. Jurors can now see where the incriminating evidence is in its natural environment instead of having to understand what a file path is. In terms of password bypassing, in a recent case with Windows 10 we tried everything we had to try and break the password/passcode so we could login to the virtual machine. We used both commercial and open source tools with no luck. Arsenal Image Mounter was the only tool that allowed us to bypass the password and it was unbelievable how easy it was.”

David Causey

Detective, St. John's County Sheriff's Office in Florida

“When it comes to mounting disk images (among other things), it is hard to beat Arsenal Image Mounter. It is stable, fast, and it just works. Should you run into an issue, Mark and his team are always willing to hear about it and they feel worse than you will about any issues found. Arsenal is quick to update and pursue new options (often at great expense to themselves in terms of R&D) that just do not exist anywhere else. Beyond the free version however, AIM provides advanced features such as booting forensic images into virtual machines, password bypasses (even online based accounts! Magic!) and more! In an age where vendors want to produce less and less while charging more and more, Arsenal is a breath of fresh air, because they do just the opposite! They keep making the product better!”

Eric Zimmerman

“After many unsuccessful attempts to launch forensic images into virtual machines with a popular digital forensics tool, I decided to give Arsenal Image Mounter a try. I’m very glad I did, because I was able to virtualize forensic images from multiple suspects. AIM also bypassed Microsoft cloud account passwords within the virtual machines, so I was able to take valuable screenshots for the US Attorney. In addition, I have found AIM’s multiple methods of Volume Shadow Copy exporting to be useful.”

ICE/Homeland Security Investigation

“Registry Recon helps cut through tedious work and recovers valuable information that is not available without burning enormous amounts of time.”

Dennis O’Connor

Senior Investigator, U.S. Department of Labor

“Hibernation Recon allowed us to determine that remnants of a Skype chat involving child pornography existed in hiberfil.sys slack space (related to a previous hibernation) and to correct the date and time related to those remnants provided by another tool. Within the recovered chat the sender discussed not only possessing illegal material, but having over 70GB more to send, which was important to obtaining a search warrant.”

Torben Strand

Special Consultant, MSc, Danish National Police Cyber Crime Center (NC3)

“With other tools, each Registry file has to be analyzed separately in a very time-consuming fashion. With Registry Recon, large numbers of Registry files from both allocated and unallocated space are merged into Recon Registries. I am now able to see how the Registry has changed over the life of both currently and previously installed operating systems.”

Stephen Swanson

President, Computer Forensic Services, LLC

“The sheer volume of Registry data that Registry Recon finds, and the methods used to visualize it, are astounding. We were able to analyze a nearly complete Registry from a previous installation of Windows that was over two years old.”

Ryan Maxwell

Director, Forensic West, DTI

“Typically my experiences with new digital forensic tools don’t turn out well. Registry Recon is the exception to this rule. I was quickly able to determine that a system I was analyzing had been compromised a full 6 months earlier than anyone realized, based on information Registry Recon recovered from unallocated space. It’s safe to say that Registry Recon has become part of my analysis toolkit.”

Bill Spernow

Chief Forensic Advisor, Law & Forensics, Inc. and former Forensics and Incident Response Research Director with the Gartner Group, Inc.

“As a former Linux developer, I miss many things under Windows. One of them is the flexible handling of loop devices and disk dumps. Arsenal Image Mounter ports this power to the Microsoft world. You know that “X:” is a virtual thumb drive residing in RAM, but Windows won’t. And that’s only one of the many possibilities with AIM.”

Peter Schneider

Software Development Engineer, Cascade Microtech

“The cost of Registry Recon is justified by the Recon Reports alone. The pre-built USB Storage Devices report, for example, gives you historical information that no other computer forensics tool can.”

Alex Gessen

Computer Forensics Investigator, eMag Solutions

“I am thoroughly impressed with Registry Recon’s capabilities. Working in law enforcement, I can see how valuable it is to know how a suspect’s computer interacted with particular networks, documents, and storage devices over time.”

Sean Maloney

Trooper, Massachusetts State Police

“Hibernation Recon has become DoD’s must-have tool for extracting digital artifacts from Windows hibernation files. Not only does Hibernation Recon properly reconstruct active memory for all versions of Windows when other tools fail, it is the only tool that extracts various types of “slack space”, which has yielded critical forensic artifacts for DoD’s foreign intelligence mission that could not have been obtained any other way.”

United States Department of Defense

“I will tell you that (Registry Recon) did an amazing job, even after (Windows) re-install and slight use I was able to recover over a year’s worth of USB device connections… I managed to recover almost all the Registry activity I needed from a re-installed system to prove some findings thanks to Registry Recon.”

David Cowen

Hacking Exposed Computer Forensics Blog

“Hibernation Recon gives us the ability to quickly and accurately recover data from hibernation files missed by other tools. Output is very descriptive and helps us better understand the recovered data. Hibernation Recon will be finding a permanent place in our workflow.”

Peter Kohler, Esq.

Digital Forensics and eDiscovery at Evidox Corporation

Chelsea, Massachusetts


