15 replies to this topic

[misty]

Date - 16th June 2019

Some questions and observations about Arsenal Image Mounter (AIM). Information about this very useful suite of applications appears a bit scattered, so I thought it might be useful to start this topic.

The following information has been copied from the Arsenal Image Mounter GitHub page (here) -

Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows. Arsenal Image Mounter includes a virtual SCSI adapter (via a unique Storport miniport driver) which allows users to benefit from disk-specific features in Windows like integration with Disk Manager, access to Volume Shadow Copies, and more. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are “real” SCSI disks....

.
The GitHub repository contains a lot of files and even with the included documentation it's a bit confusing knowing which files to use. This post is based on my understanding of the current files that you may want to use to test/use Arsenal Image Mounter.

Licensing is not covered in any detail in this topic and is a bit complicated due to a dual licence arrangement. Arsenal Image Mounter appears to be free for non-commercial use, with additional features available in a commercial version. Please refer to the GitHub page and the Arsenal Recon website (here) for more information.

The majority of the AIM tools have a .NET 4.0 dependency. The main reason for the .NET dependency appears to be due to the close integration of the DiscUtils library used to handle common disk image formats -

DiscUtils is a .NET library to read and write ISO files and Virtual Machine disk files (VHD, VDI, XVA, VMDK, etc). DiscUtils is developed in C# with no native code (or P/Invoke)....

.
The following Arsenal Image mounter executables have a Graphic User Interface and I suspect that most people will use one of these files. Please note that they both have a .NET dependency -

• ArsenalImageMounter.exe
• ArsenalImageMounterMountTool.exe

The GUI tools listed above are very easy to use with a simple and intuitive User Interface, and will automatically handle driver installation.
____________________

Arsenal Image Mounter files include -

• ArsenalImageMounter.exe - see post number #2
• ArsenalImageMounterMountTool.exe - see post number #3
• ArsenalImageMounterCLISetup.exe - see post number #4
• ArsenalImageMounterGUISetup.exe - see post number #5
• aim_cli.exe - see post number #6
• aim_ll.exe - see post number #7

.


Misty

[misty]

ArsenalImageMounter.exe

.NET 4.* Dependency.

Driver files and DiscUtils are integrated in the ArsenalImageMounter.exe executable. Driver installation is handled by running the application - if the driver is not already installed then you will be prompted to install it -

This application requires a virtual SCSI miniport driver to create virtual 
disks. The necessart driver is either not currently installed or the 
currently installed driver is incompatible with the current version of this
application. Do you want to install the driver now?

.
A range of common disk image formats including .vdi, .vhd and .vmdk are supported via DiscUtils embedded in the ArsenalImageMounter.exe executable. Some Forensic formats including Expert Witness Format (.e01) files are supported via libewf.dll, however this requires additional file/dependency downloads.

Recent versions of ArsenalImageMounter.exe are no longer available from the GitHub page, having been moved to the Arsenal Recon site following the commit dated 15th September 2017.

ArsenalImageMounter.exe Version 2.0.010 (originally uploaded to GitHub on September 10th 2015) is still available from GitHub via the Commit dated April 5th 2016 (and some earlier commits) -

• Direct Download Link - https://github.com/A...mageMounter.exe
• 379a229c7c21b7aaa12b62a06dace0b0b3b4693f > Graphical Applications > ArsenalImageMounter.exe

.
Version 2.0.010 screenshot -

.
The most recent version of ArsenalImageMounter.exe (version 2.6.40 at the time of writing) is available from the Arsenal Recon website - please note that you will need to register for the Mailing List in order to be able to access downloads. Version 2.6.40 will run in Free Mode unless a License key is applied. The Professional version has a number of additional features including mounting .wim files. It's not clear from the Arsenal Recon site which features are locked in Free Mode and which are only available with the Professional license.

Version 2.6.40 screenshot -


Manually installing the latest version of the driver and then running version 2.0.010 may enable access to all features currently supported in Free Mode in the latest version - drivers can be manually installed using methods/tools documented below.

Please note that when the ArsenalImageMounter.exe executable is closed, any mounted images will be automatically unmounted - the UI needs to remain open to access any mounted images.

There do not appear to be any significant differences in features available in ArsenalImageMounterMountTool.exe (see below) or ArsenalImageMounter.exe running in Free Mode.



Misty

[misty]

ArsenalImageMounterMountTool.exe

.NET 4.* Dependency.

Driver files and DiscUtils are integrated in the ArsenalImageMounter.exe executable. Driver installation is handled by running the application - if the driver is not already installed then you will be prompted to install it -

This application requires a virtual SCSI miniport driver to create virtual 
disks. The necessart driver is either not currently installed or the 
currently installed driver is incompatible with the current version of this
application. Do you want to install the driver now?

.
A range of common disk image formats including .vdi, .vhd and .vmdk are supported via DiscUtils embedded in the ArsenalImageMounterMountTool.exe executable. Some Forensic formats including Expert Witness Format (.e01) files are supported via libewf.dll, however this requires additional file/dependency downloads.

Please note that when the ArsenalImageMounter.exe executable is closed, any mounted images will be automatically unmounted - the UI needs to remain open to access any mounted images.

• GitHub - master > MountTool > ArsenalImageMounterMountTool.exe
• Direct Download Link - ArsenalImageMounterMountTool.exe

.
There do not appear to be any significant differences in features available in ArsenalImageMounterMountTool.exe or ArsenalImageMounter.exe running in Free Mode.





Misty

[misty]

ArsenalImageMounterCLISetup.exe

.NET 4.* Dependency.

Use this command-line tool to install/uninstall the Arsenal Image Mounter driver - and also to check Driver status (e.g. installed/uninstalled). Driver files are included in the binary.

This tool may be useful to install a more recent version of the Arsenal Image Mounter Driver for use with an older version of ArsenalImageMounter.exe (see above).

• GitHub - master > DriverSetup > ArsenalImageMounterCLISetup.exe
• Direct Download Link - ArsenalImageMounterCLISetup.exe

.
Command-line options (hopefully self explanatory) -

ArsenalImageMounterCLISetup.exe /install
ArsenalImageMounterCLISetup.exe /uninstall
ArsenalImageMounterCLISetup.exe /status

.


Misty

[misty]

ArsenalImageMounterGUISetup.exe

.NET 4.* Dependency.

Use this GUI tool to install or uninstall the Arsenal Image Mounter driver. Driver files are included in the binary.

This tool may be useful to install a more recent version of the Arsenal Image Mounter Driver for use with an older version of ArsenalImageMounter.exe (see above).

• GitHub - master > DriverSetup > ArsenalImageMounterGUISetup.exe
• Direct Download Link - ArsenalImageMounterGUISetup.exe

.


Misty

[misty]

aim_cli.exe

.NET 4.* Dependency.

aim_cli.exe is a command-line tool that shares many of the same features as the GUI ArsenalImageMounter.exe and ArsenalImageMounterMountTool.exe executables. aim_cli.exe has DiscUtils embedded, but does not include any embedded driver files and the driver will need to be installed using other methods (including aim_ll.exe, ArsenalImageMounterGUISetup.exe or ArsenalImageMounterCLISetup.exe). As DiscUtils is embedded a range of common disk image formats including .vdi, .vhd and .vmdk are supported.

Please note that when the aim_cli.exe console window is closed, any mounted images will be automatically unmounted - the console window needs to remain open to access any mounted images.

Output after running a command to mount a Dynamic type VDI file (note that Ctrl + C keys are required to unmount the disk) -
.

Opening image file And mounting as virtual disk...
Virtual disk is \\?\PhysicalDrive2 with SCSI address Port = 2, Path = 0, Target
= 0, Lun = 0
Virtual disk created. Press Ctrl+C to remove virtual disk and exit.

.


Misty

[misty]

aim_ll.exe

NO .NET dependancy.

aim_ll.exe (Arsenal Image Mounter Low Level) is a command line tool. It does not have any .NET dependencies and can be used to mount RAW images - including fixed type VHD files. It can be used with devio and other libraries (e.g. joachim metz' libyal) to mount image types not natively supported by aim_ll.exe.

Command line tools that provide access to most features of virtual SCSI
miniport driver that is used with Arsenal Image Mounter. Command line syntax
is very similar to that of ImDisk Virtual Disk Driver, so most commands and
scripting work in a similar way. There are also command line switches for
installing or uninstalling the virtual SCSI miniport driver.

• GitHub - master > Command line applications > aim_ll.zip
• Direct Download Link - aim_ll.zip

.
Please note that this tool has limited functionality compared to the .NET ArsenalImageMounter.exe, ArsenalImageMounterMountTool.exe and aim_cli.exe executables, which all have DiscUtils embedded. It is possible to mount RAW disk images, including NTFS sparse files and Fixed type VHD files, and can also be used to install/uninstall the Arsenal Image Mounter driver using aim_ll.exe.



Misty

[misty]

Reserved for future use

[misty]

ImgMount - a GUI Tool by erwan.l is available here.

ImgMount is a graphical front end to the Arsenal Driver : An open source virtual SCSI miniport driver....

....ImgMount can create a physical disk from a file or from memory or from a sharedmemory proxy.

[misty]

aim_cli.exe

Running aim_cli.exe will display the following help/info -

Spoiler

aim_cli.

Integrated command line interface to Arsenal Image Mounter virtual SCSI
miniport driver.

For version information, license, copyrights and credits, type aim_cli /version

Syntax, automatically select object name and mount:
aim_cli /mount[:removable|:cdrom] [/buffersize=bytes] [/readonly]
/filename=imagefilename [/provider=DiscUtils|LibEwf|MultiPartRaw]

Syntax, start shared memory service mode, for mounting from other applications:
aim_cli /name=objectname [/buffersize=bytes] [/readonly]
/filename=imagefilename [/provider=DiscUtils|LibEwf|MultiPartRaw]

Syntax, start TCP/IP service mode, for mounting from other computers:
aim_cli [/ipaddress=address] /port=tcpport [/readonly]
/filename=imagefilename [/provider=DiscUtils|LibEwf|MultiPartRaw]

DiscUtils and MultiPartRaw support libraries are included embedded in this
application. Libewf support needs libewf.dll, zlib.dll and msvcr100.dll as
external dll files.

File version 2.8.046.0

____________________

Pleaes note that unlike the GUI tools ArsenalImageMounter.exe and ArsenalImageMounterMountTool.exe, mounted disks will need to be removed properly - closing the console window will not automatically unmount the virtual disk.

You may need to stop/start the service to remove a disk - or alternatively use aim_ll.exe (see above). The following aim_ll.exe command will remove all attached virtual disks -

aim_ll.exe -d

.
____________________

Mount existing disk image D:\dynamic_vhd.vhd -

aim_cli.exe /mount /filename=D:\dynamic_vhd.vhd

.
Output -

Opening image file And mounting as virtual disk...
Virtual disk is \\?\PhysicalDrive4 with SCSI address Port = 2, Path = 0, Target
= 2, Lun = 0
Virtual disk created. Press Ctrl+C to remove virtual disk and exit.

.
Output after pressing Ctrl+C to remove the disk -

Stopping service...
Service stopped.
Terminate batch job (Y/N)?

.
____________________

Mount existing disk image D:\dynamic_vhd.vhd as readonly -

aim_cli.exe /mount /filename=D:\dynamic_vhd.vhd /readonly

.

[misty]

aim_ll.exe - Install/Uninstall Driver

Download the driver file -

• Github > Master > DriverSetup > DriverFiles.zip
• Direct Download Link - DriverFiles.zip

.
Alternatively, download DriverSetup.7z - this package contains the Driver files and aim_ll.exe

Extract driver files - e.g. to C:\AIMDrivers\

You should now have the following directory structure -

C:\AIMDrivers\CtlUnit
C:\AIMDrivers\Win10
C:\AIMDrivers\Win2K
C:\AIMDrivers\Win7
C:\AIMDrivers\Win8
C:\AIMDrivers\Win8.1
C:\AIMDrivers\WinLH
C:\AIMDrivers\WinNET
C:\AIMDrivers\WinXP

.
Run the following command to install the Arsenal Image Mounter driver from C:\AIMDrivers -

aim_ll.exe --install C:\AIMDrivers

.
Output from running the command on Windows 8.1 -

Detected Windows kernel version 6.3.9600.
Platform code: 'Win8.1'. Using port driver storport.sys.

Reading inf file...
Creating device object...
Installing driver for device...
Finished successfully.

____________________

Run the following command to uninstall the Arsenal Image Mounter driver -

aim_ll.exe --uninstall

.
Output from running the command on Windows 8.1 -

Removing devices...
1 device(s) removed.
Removing driver...
Finished successfully.

.

[misty]

aim_ll.exe - Examples

Running aim_ll.exe will display the following help/info -

Spoiler

Low-level command line interface to Arsenal Image Mounter virtual
SCSI miniport driver.

For version information, license, copyrights and credits, type aim_ll --version

Setup syntax:
aim_ll --install setup_directory
Installs Arsenal Image Mounter driver from a directory with setup
files.

aim_ll --uninstall
Uninstalls Arsenal Image Mounter driver.

aim_ll --rescan
Rescans SCSI bus on installed adapter.

Manage virtual disks:
aim_ll -a -t type [-n] [-o opt1[,opt2 ...]] [-f|-F file] [-s size] [-b offset]
[-S sectorsize] [-u devicenumber] [-m mountpoint]
[-p "format-parameters"] [-P]
aim_ll -d|-D [-u devicenumber | -m mountpoint] [-P]
aim_ll -R -u unit
aim_ll -l [-u devicenumber | -m mountpoint]
aim_ll -e [-s size] [-o opt1[,opt2 ...]] [-u devicenumber | -m mountpoint]

-a Attach a virtual disk. This will configure and attach a virtual disk
with the parameters specified and attach it to the system.

-d Detach a virtual disk from the system and release all resources.
Use -D to force removal even if the device is in use.

-R Emergency removal of hung virtual disks. Should only be used as a last
resort when a virtual disk has some kind of problem that makes it
impossible to detach it in a safe way. This could happen for example
for proxy-type virtual disks sometimes when proxy communication fails.
Note that this does not attempt to dismount filesystem or lock the
volume in any way so there is a potential risk of data loss. Use with
caution!

-e Edit an existing virtual disk.

Along with the -s parameter extends the size of an existing virtual
disk.

Along with the -o parameter changes media characteristics for an
existing virtual disk. Options that can be changed on existing virtual
disks are those specifying wether or not the media of the virtual disk
should be writable and/or removable.

-t type
Select the backingstore for the virtual disk.

vm Storage for this type of virtual disk is allocated from virtual memory
in the system process. If a file is specified with -f that file is
is loaded into the memory allocated for the disk image.

file A file specified with -f file becomes the backingstore for this
virtual disk.

proxy The actual backingstore for this type of virtual disk is controlled by
a storage server accessed by the driver on this machine by
sending storage I/O requests through a named pipe specified with -f.

-f file or -F file
Filename to use as backingstore for the file type virtual disk, to
initialize a vm type virtual disk or name of a named pipe for I/O
client/server communication for proxy type virtual disks. For proxy
type virtual disks "file" may be a COM port or a remote server
address if the -o options includes "ip" or "comm".

Instead of using -f to specify 'DOS-style' paths, such as
C:\dir\image.bin or \\server\share\image.bin, you can use -F to
specify 'NT-style' native paths, such as
\Device\Harddisk0\Partition1\image.bin. This makes it possible to
specify files on disks or communication devices that currently have no
drive letters assigned.

-l List configured devices. If given with -u or -m, display details about
that particular device.

-n When printing listing devices, print only the unit number without other
information.

-s size
Size of the virtual disk. Size is number of bytes unless suffixed with
a b, k, m, g, t, K, M, G or T which denotes number of 512-byte blocks,
thousand bytes, million bytes, billion bytes, trillion bytes,
kilobytes, megabytes, gigabytes and terabytes respectively. The suffix
can also be % to indicate percentage of free physical memory which
could be useful when creating vm type virtual disks. It is optional to
specify a size unless the file to use for a file type virtual disk does
not already exist or when a vm type virtual disk is created without
specifying an initialization image file using the -f or -F. If size is
specified when creating a file type virtual disk, the size of the file
used as backingstore for the virtual disk is adjusted to the new size
specified with this size option.

The size can be a negative value to indicate the size of free physical
memory minus this size. If you e.g. type -400M the size of the virtual
disk will be the amount of free physical memory minus 400 MB.

-b offset
Specifies an offset in an image file where the virtual disk begins. All
offsets of I/O operations on the virtual disk will be relative to this
offset. This parameter is particularily useful when mounting a specific
partition in an image file that contains an image of a complete hard
disk, not just one partition. This parameter has no effect when
creating a blank vm type virtual disk. When creating a vm type virtual
disk with a pre-load image file specified with -f or -F parameters, the
-b parameter specifies an offset in the image file where the image to
be loaded into the vm type virtual disk begins.

Specify auto as offset to automatically select offset for a few known
non-raw disk image file formats. Currently auto-selection is supported
for Nero .nrg and Microsoft .sdi image files.

-S sectorsize
Sectorsize to use for the virtual disk device. Default value is 512
bytes except for CD-ROM/DVD-ROM style devices where 2048 bytes is used
by default.

-p "format-parameters"
If -p is specified the 'format' command is invoked to create a
filesystem when the new virtual disk has been created.
"format-parameters" must be a parameter string enclosed within
double-quotes. The string is added to the command line that starts
'format'. You usually specify something like "/fs:ntfs /q /y", that
is, create an NTFS filesystem with quick formatting and without user
interaction.

-o option
Set or reset options.

ro Creates a read-only virtual disk. For vm type virtual disks, this
option can only be used if the -f option is also specified.

rw Specifies that the virtual disk should be read/writable. This is the
default setting. It can be used with the -e parameter to set an
existing read-only virtual disk writable.

fksig If this flag is set, the driver will report a random fake disk
signature to Windows instead of any existing one, in case the master
boot record has otherwise apparently valid data.

sparse Sets NTFS sparse attribute on image file. This has no effect on proxy
or vm type virtual disks.

rem Specifies that the device should be created with removable media
characteristics. This changes the device properties returned by the
driver to the system. For example, this changes how some filesystems
cache write operations.

fix Specifies that the media characteristics of the virtual disk should be
fixed media, as opposed to removable media specified with the rem
option. Fixed media is the default setting. The fix option can be used
with the -e parameter to set an existing removable virtual disk as
fixed.

saved Clears the 'image modified' flag from an existing virtual disk. This
flag is set by the driver when an image is modified and is displayed
in the -l output for a virtual disk. The 'saved' option is only valid
with the -e parameter.

Note that virtual floppy or CD/DVD-ROM drives are always read-only and
removable devices and that cannot be changed.

cd Creates a virtual CD-ROM/DVD-ROM.

fd Creates a virtual floppy disk.

NOTE: cd and fd options are currently not supported by the driver.

hd Creates a virtual hard disk. This is the default.

raw Creates a device object with "controller" device type. The system will
not attempt to use such devices as a storage device, but it could be
useful in combination with third-party drivers that can provide further
device objects using this virtual disk device as a backing store.

ip Can only be used with proxy-type virtual disks. With this option, the
user-mode service component is initialized to connect to a
storage server using TCP/IP. With this option, the -f switch specifies
the remote host optionally followed by a colon and a port number to
connect to.

comm Can only be used with proxy-type virtual disks. With this option, the
user-mode service component is initialized to connect to a
storage server through a COM port. With this option, the -f switch
specifies the COM port to connect to, optionally followed by a colon,
a space, and then a device settings string with the same syntax as the
MODE command.

shm Can only be used with proxy-type virtual disks. With this option, the
driver communicates with a storage server on the same computer using
shared memory block to transfer I/O data.

awe Can only be used with file-type virtual disks. With this option, the
driver copies contents of image file to physical memory. No changes are
written to image file. If this option is used in combination with no
image file name, a physical memory block will be used without loading
an image file onto it. In that case, -s parameter is needed to specify
size of memory block. This option requires awealloc driver, which
is installed with ImDisk Virtual Disk Driver.

bswap Instructs driver to swap each pair of bytes read from or written to
image file. Useful when examining images from some embedded systems
and similar where data is stored in reverse byte order.

NOTE: This option is currently not supported by the driver.

par Parallel I/O. Valid for file-type virtual disks. With this flag set,
driver sends read and write requests for the virtual disk directly down
to the driver that handles the image file, within the SCSIOP dispatch
routine. This flag is intended for developers who provide their own
driver that handles image file requests. Such driver need to handle
requests at DISPATCH_LEVEL at any time, otherwise system crashes are
very likely to happen. *Never* use this flag when mounting image files!
Use it *only* with special purpose drivers that can meet all neeed
requirements!

-u devicenumber
Six hexadecimal digits indicating SCSI path, target and lun numbers
for a device. Format: LLTTPP. Along with -a, request a specific device
number for the new device instead of automatic allocation. Along with
-d or -l specifies the unit number of the virtual disk to remove or
query.

-m mountpoint
Specifies a drive letter or mount point for the new virtual disk, the
virtual disk to query or the virtual disk to remove. When creating a
new virtual disk you can specify #: as mountpoint in which case the
first unused drive letter is automatically used.

Note that even if you don't specify -m, Windows normally assigns drive
letters to new volumes anyway. This behaviour can be changed using the
MOUNTVOL command line tool.

-P Persistent. Along with -a, saves registry settings for re-creating the
same virtual disk automatically when driver is loaded, which usually
occurs during system startup. Along with -d or -D, existing such
settings for the removed virtual disk are also removed from registry.
There are some limitations to what settings could be saved in this way.
Only features directly implemented in the kernel level driver are
saved, so for example the -p switch to format a virtual disk will not
be saved.

NOTE: Registry settings for auto-loading devices are currently not
supported by the driver, so this switch has currently no effect.

From aim_ll.exe File version 1.0.11.28

____________________

Mount disk image D:\fixed_vhd.vhd -

aim_ll.exe -a -f D:\fixed_vhd.vhd

.
Output from running the above command -

Creating device...
Created device 000000 -> D:\fixed_vhd.vhd
Disk device is \\?\PhysicalDrive2
No volumes attached. Disk could be offline or not partitioned.
Done.

.
Device mounted as Disk 2 (\\.\PhysicalDisk2)
____________________

Mount disk image D:\NTFS_sparse.img as read only (-o ro parameter) -

aim_ll.exe -a -o ro -f D:\NTFS_sparse.img

.
Output from running the above command -

Creating device...
Created device 000100 -> D:\NTFS_sparse.img
Disk device is \\?\PhysicalDrive3
No volumes attached. Disk could be offline or not partitioned.
Done.

.
Device mounted as Disk 3 (\\.\PhysicalDisk3)
____________________

Diskpart output after mounting D:\fixed_vhd.vhd and D:\NTFS_sparse.img
 

Microsoft DiskPart version 6.3.9600

Copyright (C) 1999-2013 Microsoft Corporation.
On computer: W530

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          223 GB      0 B
  Disk 1    Online           57 GB      0 B
  Disk 2    Online         1024 MB  1024 MB
  Disk 3    Online         2048 MB  2048 MB

.
Disk 0 = internal HDD
Disk 1 = USB Drive
Disk 2 = Fixed type VHD (D:\fixed_vhd.vhd) file mounted using aim_ll.exe
Disk 3 = NTFS Sparse disk image (D:\NTFS_sparse.img) mounted using aim_ll.exe

____________________

List (AIM) mounted disk images (command is lower case L (for list)) -

aim_ll.exe -l

.
Output from the above command with D:\fixed_vhd.vhd and D:\NTFS_sparse.img mounted -

Device number 000100
SCSI port number 2 device number 000100
Image file: \??\d:\ntfs_sparse.img
Size: 2147483648 bytes (2 GB), ReadOnly, Queued I/O Image File, HDD.
Disk device is \\?\PhysicalDrive3

Device number 000000
SCSI port number 2 device number 000000
Image file: \??\d:\fixed_vhd.vhd
Size: 1073742336 bytes (1 GB), Queued I/O Image File, HDD.
Disk device is \\?\PhysicalDrive2

2 devices found.

.
____________________

Dismount virtual disk using AIM device number (device numbers are in hexadecimal format as displayed by running aim_ll.exe -l) - device 000000 is d:\fixed_vhd.vhd

aim_ll.exe -d -u 000000

.

Removing device 000000...
Sending remove request...

.
____________________

Dismount all virtual disks

aim_ll.exe -d

.
Output -

Removing all devices...
Sending remove request...
Done.

.
____________________

Dismount all virtual disks - force removal even if the device is in use.

aim_ll.exe -D

.

[misty]

aim_ll.exe + devio + libyal - overview and download links

aim_ll.exe can be used to mount raw disk images - native support for other disk image formats including common types such as .vmdk, .vdi and expandable type .vhd files is not implemented. DiscUtils is integrated with other Arsenal Image Mounter executables including aim_cli.exe, ArsenalImageMounter.exe and ArsenalImageMounterMountTool.exe - whilst these programs support a wider range of image types, they require .NET 4.*.

In some usage cases .NET may not be available. It is possible to use a combination of aim_ll.exe + devio.exe + a custom proxy dll and libyal to access some of the more commonly used disk image formats.

libyal (Yet Another Library Library)

.... is a collection of libraries that are used to access various data formats, such as the OLE Compound File or NT File System. The original use case for the libraries is for analyzing data formats or their content for analysis in the context of digital forensics and incident response (DFIR)....

.
devio

Device I/O Service...
With support for Microsoft VHD format, custom DLL files and shared memory proxy operation....

.
Accessing disk images using libyal involves two distinct stages (these are covered in more detail in the next post) -

• Stage 1- run devio.exe to create a shared memory device
• Stage 2- run aim_ll.exe to access the shared memory device created in stage 1

.
Please note that a shared memory device is a means of passing data between different programs - in this case devio and aim_ll.exe. The first program (devio) creates the device and the second program (aim_ll.exe) accesses it using the unique name given to the device when it was created.

A number of proxy .dll files/packages for use with aim_ll.exe (and ImDisk), which include some libyal libraries, are available.
____________________

Packages compiled by Olof Lagerkvist (see Use libyal libraries with devio and ImDisk topic) -

• libyal_tools_devio_x86.7z (32-bit)
• libyal_tools_devio_x64.7z (64-bit)

.
Please note the following information from Olof - "...I am about to recompile libewf, libvhdi, libvmdk, libsmraw and libodraw so that they use only system dlls and no particular VC++ runtime dlls. It looks right now like the x86 versions will require minimum Windows 2000 and the x64 minimum Windows Server 2003 or XP. I will also make some small corresponding libewf_devio.dll, libvmdk_devio.dll etc files for use with devio..." (from here)
____________________

Packages compiled by Erwan Labalec -

• VirtualBox image (VDI) proxy for ImDisk (most recent package is in post #3)
• VMDK Proxy for ImDisk (most recent package is in post #60)
• EWF Proxy for ImDisk (most recent package is in post #4)
• VHD Proxy for ImDisk (most recent package is in post #6)
• QCOW Proxy for ImDisk (most recent package is in post #2)
• NFS Imdisk Proxy (most recent package is in the first post)

.
Please note that some of these packages may require VC++ runtime dlls. The latest release of VMDK Proxy for ImDisk refers to a dependency "...on msvcrt.dll and no longer on msvcrtxxx.dll..." - with previous versions clearly having other msvcrtxxx.dll dependencies. I'm not sure which of the above Pacages may have other dependencies.

Please also note that Erwan's packages are 32-bit. Some, but not all, include devio.exe.

[misty]

aim_ll.exe + devio + libyal - Stage 1

Stage 1 - devio.exe + proxy .dll + libyal .dll + create shared memory device (with unique name)

Syntax -

devio.dll --dll=proxy_dll_file_name;dllopen shm:unique_name_for_shm file_with_path 0

.
In the packages compiled by Olof Lagerkvist, the proxy_dll_file_name can be one of the following -

• libewf_devio.dll
• libodraw_devio.dll
• libqcow_devio.dll
• libsmraw_devio.dll
• libvhdi_devio.dll
• libvmdk_devio.dll

.
Erwan's packages all use proxy.dll

Example using Olof's libvhdi_devio.dll. Create shared memory device with unique_name_for_shm = vhd1 - proxy_dll_file_name = libvhdi_devio.dll - file_with_path = C:\VHD_Dynamic.vhd

devio.dll --dll=libvhdi_devio.dll;dllopen shm:vhd1 C:\VHD_Dynamic.vhd 0

.
Or (using full paths to files)

C:\devio_x64\devio.dll --dll=C:\devio_x64\libvhdi_devio.dll;dllopen shm:vhd1 C:\VHD_Dynamic.vhd 0

.
Please note that you may need to add a readonly flag (-r parameter) to the commandline in order to successfully create the device.

Running devio.dll --dll=libvhdi_devio.dll;dllopen shm:vhd1 C:\VHD_Dynamic.vhd 0 returned the following error -

No write support yet for vhd files.
Library call failed to open 'C:\VHD_Dynamic.vhd': m

.
Running with -r parameter devio.dll --dll=libvhdi_devio.dll;dllopen -r shm:vhd1 C:\VHD_Dynamic.vhd 0

Opening image file...
'C:\VHD_Dynamic.vhd'
Retrieving image virtual size
Image virtual size is: 1073741824 bytes
Successfully opened 'C:\VHD_Dynamic.vhd'.
Image size used: 1073741824 bytes.
Total size: 1073741824 bytes. Using 1073741824 bytes from offset 0.
Required alignment: 1 bytes.
Buffer size: 2097152 bytes.
Shared memory operation.
Waiting for connection on object misty. Press Ctrl+C to cancel.

.
____________________

And another example using Erwan's proxy.dll

devio.dll --dll=proxy.dll;dllopen shm:vhd1 C:\VHD_Dynamic.vhd 0

.
Or (with full paths to files)

C:\Proxy_VHDI\devio.dll --dll=C:\Proxy_VHDI\proxy.dll;dllopen shm:vhd1 C:\VHD_Dynamic.vhd 0

.

[misty]

aim_ll.exe + devio + libyal - Stage 2

Stage 2 - run aim_ll.exe + access the shared memory device (with unique name) created in stage 1.

Command syntax -

aim_ll.exe -a -t proxy -o shm -f unique_name_for_shm

.
Example to connect to the shared memory device created in the Stage 1 examples (with unique_name_for_shm - vhd1)

aim_ll.exe -a -t proxy -o shm -f vhd1

.
Another example, with virtual device created as Readonly (-o ro parameter added)

aim_ll.exe -a -t proxy -o shm -o ro -f vhd1

.
Output from running the aim_ll.exe -a -t proxy -o shm -f vhd1 command -

Creating device...
Created device 000000 -> vhd1
Disk device is \\?\PhysicalDrive2
Attached disk volume \\?\Volume{1b6fb1a6-9024-11e9-827b-005056c00008}
Done.

.
Breakdown of the aim_ll.exe parameters/commands used above -

• -a - Attach a virtual disk.
• -t - Type of virtual disk to attach
• -t proxy - proxy type virtual disk. "The actual backingstore for this type of virtual disk is controlled by a storage server accessed by the driver on this machine by sending storage I/O requests through a named pipe specified with -f." - in this case the "storage server" is devio.exe.
• -o - option. "Set or reset options."
• -o shm - "Can only be used with proxy-type virtual disks. With this option, the driver communicates with a storage server on the same computer using shared memory block to transfer I/O data." - in this case the "storage server" is devio.exe.
• -o ro - set virtual disk as read-only.
• -f - specify file/filename. This includes the unique shm name.
• -f vhd1 - use file vhd1 (name of Shared Memory device created in stage 1)

[Olof Lagerkvist]

Thanks for gathering all this information in a useful summary like this!

 

One thing, devio.exe supports dynamically expanding vhd image files in both read-only and read-write modes itself, it does not need libvhd.dll and libvhd_devio.dll etc for such files.

C:\> devio 9000 test.vhd
Successfully opened 'test.vhd'.
Detected dynamically expanding Microsoft VHD image file format.
VHD block size: 2097152 bytes. C/H/S geometry: 660/16/31.
Image size used: 167772160 bytes.
Detected a master boot record at sector 0.
Using partition 1.
Total size: 167772160 bytes. Using 164626432 bytes from offset 65536.
Required alignment: 1 bytes.
Buffer size: 67108864 bytes.
Waiting for connection on port 9000. Press Ctrl+C to cancel.