Hey there, fellow digital Delinquent! Welcome to my windows forensics series, and today I’ll be sharing my personal journey and experiences with Arsenal Image Mounter (AIM). Let me tell you, AIM is a game-changer in the field of data recovery and forensic analysis. It’s like having a supercharged toolkit at your disposal, making the process of mounting disk images and exploring their contents a breeze.
Sometimes it’s possible that you are handed over a disk image. To analyze it well our first aim should be to mount the disk image so that we can interact with this one as if we are interacting with our own system. Here comes this tool.
Special things about Arsenal Image Mounter:
- Versatile disk image mounting with support for various formats, eliminating the need for conversion or extraction.
- Ability to handle complex and encrypted containers, enabling access to concealed or protected evidence.
- Dynamic mounting and write-blocking features, allowing investigators to selectively mount and analyze specific partitions or files while maintaining evidence integrity.
- Seamless integration with popular forensic tools, facilitating a streamlined workflow for comprehensive examinations.
- Efficient performance through caching and optimization, reducing analysis time and enhancing overall productivity.
- Virtual Machine (VM) launching for direct interaction and analysis of virtual environments.
- Volume Shadow Copy (VSC) mounting, providing access to historical snapshots for deeper analysis and evidence discovery.
Let’s jump into our demo.
- Firstly you can download the tool from here. https://arsenalrecon.com/downloads
- It comes in two forms, CLI and GUI.
- Start with the GUI tool. We can see below prompt
4. Select the “Mount disk image” option, and you will be prompted to choose file. These are all the possible files that we can load and mount.
5. Now let’s choose a compatible file
I have a .vhd image file, I am using this for the purpose of this demo.
6. We will choose “Disk device,write temporary” and click ok
Choosing the “Disk Device, Write Temporary” option in Arsenal Image Mounter offers benefits in forensic analysis. It preserves the original disk, ensuring evidence integrity without accidental modifications. This option allows safe mounting of disk images or devices, enabling data recovery, analysis, and evidence extraction. With temporary read-write access, investigators can run tools, analyze data, and extract evidence without compromising the original source. The option strikes a balance between accessing and analyzing data while preserving evidence integrity for legal proceedings.
7. Hit yes
8. Now we can see that the disk image is mounted,
9. Now if we go to the Disk Management option,
we can see the disk mounted! Bingo!!!
10. If we go to the F: drive now, we can see the all the files as expected.
That’s all for now, in next video we will use a tool named KAPE to collect/parse artifact to reduce overload and avoid rabbitholes.