Some questions and observations about Arsenal Image Mounter (AIM). Information about this very useful suite of applications appears a bit scattered, so I thought it might be useful to start this topic.
The following information has been copied from the Arsenal Image Mounter GitHub page (here) -
Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows. Arsenal Image Mounter includes a virtual SCSI adapter (via a unique Storport miniport driver) which allows users to benefit from disk-specific features in Windows like integration with Disk Manager, access to Volume Shadow Copies, and more. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are “real” SCSI disks....
The GitHub repository contains a lot of files and even with the included documentation it's a bit confusing knowing which files to use. This post is based on my understanding of the current files that you may want to use to test/use Arsenal Image Mounter.
Licensing is not covered in any detail in this topic and is a bit complicated due to a dual licence arrangement. Arsenal Image Mounter appears to be free for non-commercial use, with additional features available in a commercial version. Please refer to the GitHub page and the Arsenal Recon website (here) for more information.
The majority of the AIM tools have a .NET 4.0 dependency. The main reason for the .NET dependency appears to be due to the close integration of the DiscUtils library used to handle common disk image formats -
DiscUtils is a .NET library to read and write ISO files and Virtual Machine disk files (VHD, VDI, XVA, VMDK, etc). DiscUtils is developed in C# with no native code (or P/Invoke)....
The following Arsenal Image Mounter executables have a Graphical User Interface and I suspect that most people will use one of these files. Please note that they both have a .NET dependency -
ArsenalImageMounter.exe
ArsenalImageMounterMountTool.exe
The GUI tools listed above are very easy to use with a simple and intuitive User Interface, and will automatically handle driver installation.
____________________
Arsenal Image Mounter files include -
ArsenalImageMounter.exe - see post number #2
ArsenalImageMounterMountTool.exe - see post number #3
ArsenalImageMounterCLISetup.exe - see post number #4
ArsenalImageMounterGUISetup.exe - see post number #5
Driver files and DiscUtils are integrated in the ArsenalImageMounter.exe executable. Driver installation is handled by running the application - if the driver is not already installed then you will be prompted to install it -
This application requires a virtual SCSI miniport driver to create virtual
disks. The necessart driver is either not currently installed or the
currently installed driver is incompatible with the current version of this
application. Do you want to install the driver now?
A range of common disk image formats including .vdi, .vhd and .vmdk are supported via DiscUtils embedded in the ArsenalImageMounter.exe executable. Some Forensic formats including Expert Witness Format (.e01) files are supported via libewf.dll, however this requires additional file/dependency downloads.
Recent versions of ArsenalImageMounter.exe are no longer available from the GitHub page, having been moved to the Arsenal Recon site following the commit dated 15th September 2017.
ArsenalImageMounter.exe Version 2.0.010 (originally uploaded to GitHub on September 10th 2015) is still available from GitHub via the Commit dated April 5th 2016 (and some earlier commits) -
The most recent version of ArsenalImageMounter.exe (version 2.6.40 at the time of writing) is available from the Arsenal Recon website - please note that you will need to register for the Mailing List in order to be able to access downloads. Version 2.6.40 will run in Free Mode unless a License key is applied. The Professional version has a number of additional features including mounting .wim files. It's not clear from the Arsenal Recon site which features are locked in Free Mode and which are only available with the Professional license.
Version 2.6.40 screenshot -
Manually installing the latest version of the driver and then running version 2.0.010 may enable access to all features currently supported in Free Mode in the latest version - drivers can be manually installed using methods/tools documented below.
Please note that when the ArsenalImageMounter.exe executable is closed, any mounted images will be automatically unmounted - the UI needs to remain open to access any mounted images.
There do not appear to be any significant differences in features available in ArsenalImageMounterMountTool.exe (see below) or ArsenalImageMounter.exe running in Free Mode.
Driver files and DiscUtils are integrated in the ArsenalImageMounter.exe executable. Driver installation is handled by running the application - if the driver is not already installed then you will be prompted to install it -
This application requires a virtual SCSI miniport driver to create virtual
disks. The necessart driver is either not currently installed or the
currently installed driver is incompatible with the current version of this
application. Do you want to install the driver now?
A range of common disk image formats including .vdi, .vhd and .vmdk are supported via DiscUtils embedded in the ArsenalImageMounterMountTool.exe executable. Some Forensic formats including Expert Witness Format (.e01) files are supported via libewf.dll, however this requires additional file/dependency downloads.
Please note that when the ArsenalImageMounter.exe executable is closed, any mounted images will be automatically unmounted - the UI needs to remain open to access any mounted images.
There do not appear to be any significant differences in features available in ArsenalImageMounterMountTool.exe or ArsenalImageMounter.exe running in Free Mode.
Use this command-line tool to install/uninstall the Arsenal Image Mounter driver - and also to check Driver status (e.g. installed/uninstalled). Driver files are included in the binary.
This tool may be useful to install a more recent version of the Arsenal Image Mounter Driver for use with an older version of ArsenalImageMounter.exe (see above).
Use this GUI tool to install or uninstall the Arsenal Image Mounter driver. Driver files are included in the binary.
This tool may be useful to install a more recent version of the Arsenal Image Mounter Driver for use with an older version of ArsenalImageMounter.exe (see above).
aim_cli.exe is a command-line tool that shares many of the same features as the GUI ArsenalImageMounter.exe and ArsenalImageMounterMountTool.exe executables. aim_cli.exe has DiscUtils embedded, but does not include any embedded driver files and the driver will need to be installed using other methods (including aim_ll.exe, ArsenalImageMounterGUISetup.exe or ArsenalImageMounterCLISetup.exe). As DiscUtils is embedded a range of common disk image formats including .vdi, .vhd and .vmdk are supported.
Please note that when the aim_cli.exe console window is closed, any mounted images will be automatically unmounted - the console window needs to remain open to access any mounted images.
Output after running a command to mount a Dynamic type VDI file (note that Ctrl + C keys are required to unmount the disk) -
Opening image file And mounting as virtual disk...
Virtual disk is \\?\PhysicalDrive2 with SCSI address Port = 2, Path = 0, Target
= 0, Lun = 0
Virtual disk created. Press Ctrl+C to remove virtual disk and exit.
aim_ll.exe (Arsenal Image Mounter Low Level) is a command line tool. It does not have any .NET dependencies and can be used to mount RAW images - including fixed type VHD files. It can be used with devio and other libraries (e.g. Joachim Metz' libyal) to mount image types not natively supported by aim_ll.exe.
Command line tools that provide access to most features of virtual SCSI miniport driver that is used with Arsenal Image Mounter. Command line syntax is very similar to that of ImDisk Virtual Disk Driver, so most commands and scripting work in a similar way. There are also command line switches for installing or uninstalling the virtual SCSI miniport driver.
Please note that this tool has limited functionality compared to the .NET ArsenalImageMounter.exe, ArsenalImageMounterMountTool.exe and aim_cli.exe executables, which all have DiscUtils embedded. It is possible to mount RAW disk images, including NTFS sparse files and Fixed type VHD files, and can also be used to install/uninstall the Arsenal Image Mounter driver using aim_ll.exe.
Running aim_cli.exe will display the following help/info -
aim_cli.
Integrated command line interface to Arsenal Image Mounter virtual SCSI miniport driver.
For version information, license, copyrights and credits, type aim_cli /version
Syntax, automatically select object name and mount: aim_cli /mount[:removable|:cdrom] [/buffersize=bytes] [/readonly] /filename=imagefilename [/provider=DiscUtils|LibEwf|MultiPartRaw]
Syntax, start shared memory service mode, for mounting from other applications: aim_cli /name=objectname [/buffersize=bytes] [/readonly] /filename=imagefilename [/provider=DiscUtils|LibEwf|MultiPartRaw]
Syntax, start TCP/IP service mode, for mounting from other computers: aim_cli [/ipaddress=address] /port=tcpport [/readonly] /filename=imagefilename [/provider=DiscUtils|LibEwf|MultiPartRaw]
DiscUtils and MultiPartRaw support libraries are included embedded in this application. Libewf support needs libewf.dll, zlib.dll and msvcr100.dll as external dll files.
File version 2.8.046.0
____________________
Please note that unlike the GUI tools ArsenalImageMounter.exe and ArsenalImageMounterMountTool.exe, mounted disks will need to be removed properly - closing the console window will not automatically unmount the virtual disk.
You may need to stop/start the service to remove a disk - or alternatively use aim_ll.exe (see above). The following aim_ll.exe command will remove all attached virtual disks -
aim_ll.exe -d
____________________
Mount existing disk image D:\dynamic_vhd.vhd -
aim_cli.exe /mount /filename=D:\dynamic_vhd.vhd
Output -
Opening image file And mounting as virtual disk...
Virtual disk is \\?\PhysicalDrive4 with SCSI address Port = 2, Path = 0, Target
= 2, Lun = 0
Virtual disk created. Press Ctrl+C to remove virtual disk and exit.
Output after pressing Ctrl+C to remove the disk -
Stopping service...
Service stopped.
Terminate batch job (Y/N)?
____________________
Mount existing disk image D:\dynamic_vhd.vhd as readonly -
Run the following command to install the Arsenal Image Mounter driver from C:\AIMDrivers -
aim_ll.exe --install C:\AIMDrivers
Output from running the command on Windows 8.1 -
Detected Windows kernel version 6.3.9600.
Platform code: 'Win8.1'. Using port driver storport.sys.
Reading inf file...
Creating device object...
Installing driver for device...
Finished successfully.
____________________
Run the following command to uninstall the Arsenal Image Mounter driver -
aim_ll.exe --uninstall
Output from running the command on Windows 8.1 -
-a Attach a virtual disk. This will configure and attach a virtual disk with the parameters specified and attach it to the system.
-d Detach a virtual disk from the system and release all resources. Use -D to force removal even if the device is in use.
-R Emergency removal of hung virtual disks. Should only be used as a last resort when a virtual disk has some kind of problem that makes it impossible to detach it in a safe way. This could happen for example for proxy-type virtual disks sometimes when proxy communication fails. Note that this does not attempt to dismount filesystem or lock the volume in any way so there is a potential risk of data loss. Use with caution!
-e Edit an existing virtual disk.
Along with the -s parameter extends the size of an existing virtual disk.
Along with the -o parameter changes media characteristics for an existing virtual disk. Options that can be changed on existing virtual disks are those specifying wether or not the media of the virtual disk should be writable and/or removable.
-t type Select the backingstore for the virtual disk.
vm Storage for this type of virtual disk is allocated from virtual memory in the system process. If a file is specified with -f that file is is loaded into the memory allocated for the disk image.
file A file specified with -f file becomes the backingstore for this virtual disk.
proxy The actual backingstore for this type of virtual disk is controlled by a storage server accessed by the driver on this machine by sending storage I/O requests through a named pipe specified with -f.
-f file or -F file Filename to use as backingstore for the file type virtual disk, to initialize a vm type virtual disk or name of a named pipe for I/O client/server communication for proxy type virtual disks. For proxy type virtual disks "file" may be a COM port or a remote server address if the -o options includes "ip" or "comm".
Instead of using -f to specify 'DOS-style' paths, such as C:\dir\image.bin or \\server\share\image.bin, you can use -F to specify 'NT-style' native paths, such as \Device\Harddisk0\Partition1\image.bin. This makes it possible to specify files on disks or communication devices that currently have no drive letters assigned.
-l List configured devices. If given with -u or -m, display details about that particular device.
-n When printing listing devices, print only the unit number without other information.
-s size Size of the virtual disk. Size is number of bytes unless suffixed with a b, k, m, g, t, K, M, G or T which denotes number of 512-byte blocks, thousand bytes, million bytes, billion bytes, trillion bytes, kilobytes, megabytes, gigabytes and terabytes respectively. The suffix can also be % to indicate percentage of free physical memory which could be useful when creating vm type virtual disks. It is optional to specify a size unless the file to use for a file type virtual disk does not already exist or when a vm type virtual disk is created without specifying an initialization image file using the -f or -F. If size is specified when creating a file type virtual disk, the size of the file used as backingstore for the virtual disk is adjusted to the new size specified with this size option.
The size can be a negative value to indicate the size of free physical memory minus this size. If you e.g. type -400M the size of the virtual disk will be the amount of free physical memory minus 400 MB.
-b offset Specifies an offset in an image file where the virtual disk begins. All offsets of I/O operations on the virtual disk will be relative to this offset. This parameter is particularily useful when mounting a specific partition in an image file that contains an image of a complete hard disk, not just one partition. This parameter has no effect when creating a blank vm type virtual disk. When creating a vm type virtual disk with a pre-load image file specified with -f or -F parameters, the -b parameter specifies an offset in the image file where the image to be loaded into the vm type virtual disk begins.
Specify auto as offset to automatically select offset for a few known non-raw disk image file formats. Currently auto-selection is supported for Nero .nrg and Microsoft .sdi image files.
-S sectorsize Sectorsize to use for the virtual disk device. Default value is 512 bytes except for CD-ROM/DVD-ROM style devices where 2048 bytes is used by default.
-p "format-parameters" If -p is specified the 'format' command is invoked to create a filesystem when the new virtual disk has been created. "format-parameters" must be a parameter string enclosed within double-quotes. The string is added to the command line that starts 'format'. You usually specify something like "/fs:ntfs /q /y", that is, create an NTFS filesystem with quick formatting and without user interaction.
-o option Set or reset options.
ro Creates a read-only virtual disk. For vm type virtual disks, this option can only be used if the -f option is also specified.
rw Specifies that the virtual disk should be read/writable. This is the default setting. It can be used with the -e parameter to set an existing read-only virtual disk writable.
fksig If this flag is set, the driver will report a random fake disk signature to Windows instead of any existing one, in case the master boot record has otherwise apparently valid data.
sparse Sets NTFS sparse attribute on image file. This has no effect on proxy or vm type virtual disks.
rem Specifies that the device should be created with removable media characteristics. This changes the device properties returned by the driver to the system. For example, this changes how some filesystems cache write operations.
fix Specifies that the media characteristics of the virtual disk should be fixed media, as opposed to removable media specified with the rem option. Fixed media is the default setting. The fix option can be used with the -e parameter to set an existing removable virtual disk as fixed.
saved Clears the 'image modified' flag from an existing virtual disk. This flag is set by the driver when an image is modified and is displayed in the -l output for a virtual disk. The 'saved' option is only valid with the -e parameter.
Note that virtual floppy or CD/DVD-ROM drives are always read-only and removable devices and that cannot be changed.
cd Creates a virtual CD-ROM/DVD-ROM.
fd Creates a virtual floppy disk.
NOTE: cd and fd options are currently not supported by the driver.
hd Creates a virtual hard disk. This is the default.
raw Creates a device object with "controller" device type. The system will not attempt to use such devices as a storage device, but it could be useful in combination with third-party drivers that can provide further device objects using this virtual disk device as a backing store.
ip Can only be used with proxy-type virtual disks. With this option, the user-mode service component is initialized to connect to a storage server using TCP/IP. With this option, the -f switch specifies the remote host optionally followed by a colon and a port number to connect to.
comm Can only be used with proxy-type virtual disks. With this option, the user-mode service component is initialized to connect to a storage server through a COM port. With this option, the -f switch specifies the COM port to connect to, optionally followed by a colon, a space, and then a device settings string with the same syntax as the MODE command.
shm Can only be used with proxy-type virtual disks. With this option, the driver communicates with a storage server on the same computer using shared memory block to transfer I/O data.
awe Can only be used with file-type virtual disks. With this option, the driver copies contents of image file to physical memory. No changes are written to image file. If this option is used in combination with no image file name, a physical memory block will be used without loading an image file onto it. In that case, -s parameter is needed to specify size of memory block. This option requires awealloc driver, which is installed with ImDisk Virtual Disk Driver.
bswap Instructs driver to swap each pair of bytes read from or written to image file. Useful when examining images from some embedded systems and similar where data is stored in reverse byte order.
NOTE: This option is currently not supported by the driver.
par Parallel I/O. Valid for file-type virtual disks. With this flag set, driver sends read and write requests for the virtual disk directly down to the driver that handles the image file, within the SCSIOP dispatch routine. This flag is intended for developers who provide their own driver that handles image file requests. Such driver need to handle requests at DISPATCH_LEVEL at any time, otherwise system crashes are very likely to happen. *Never* use this flag when mounting image files! Use it *only* with special purpose drivers that can meet all neeed requirements!
-u devicenumber Six hexadecimal digits indicating SCSI path, target and lun numbers for a device. Format: LLTTPP. Along with -a, request a specific device number for the new device instead of automatic allocation. Along with -d or -l specifies the unit number of the virtual disk to remove or query.
-m mountpoint Specifies a drive letter or mount point for the new virtual disk, the virtual disk to query or the virtual disk to remove. When creating a new virtual disk you can specify #: as mountpoint in which case the first unused drive letter is automatically used.
Note that even if you don't specify -m, Windows normally assigns drive letters to new volumes anyway. This behaviour can be changed using the MOUNTVOL command line tool.
-P Persistent. Along with -a, saves registry settings for re-creating the same virtual disk automatically when driver is loaded, which usually occurs during system startup. Along with -d or -D, existing such settings for the removed virtual disk are also removed from registry. There are some limitations to what settings could be saved in this way. Only features directly implemented in the kernel level driver are saved, so for example the -p switch to format a virtual disk will not be saved.
NOTE: Registry settings for auto-loading devices are currently not supported by the driver, so this switch has currently no effect.
From aim_ll.exe File version 1.0.11.28
____________________
Mount disk image D:\fixed_vhd.vhd -
aim_ll.exe -a -f D:\fixed_vhd.vhd
Output from running the above command -
Creating device...
Created device 000000 -> D:\fixed_vhd.vhd
Disk device is \\?\PhysicalDrive2
No volumes attached. Disk could be offline or not partitioned.
Done.
Device mounted as Disk 2 (\\.\PhysicalDisk2)
____________________
Mount disk image D:\NTFS_sparse.img as read only (-o ro parameter) -
aim_ll.exe -a -o ro -f D:\NTFS_sparse.img
Output from running the above command -
Creating device...
Created device 000100 -> D:\NTFS_sparse.img
Disk device is \\?\PhysicalDrive3
No volumes attached. Disk could be offline or not partitioned.
Done.
Device mounted as Disk 3 (\\.\PhysicalDisk3)
____________________
Diskpart output after mounting D:\fixed_vhd.vhd and D:\NTFS_sparse.img
Microsoft DiskPart version 6.3.9600
Copyright (C) 1999-2013 Microsoft Corporation.
On computer: W530
DISKPART> list disk
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          223 GB      0 B
  Disk 1    Online           57 GB      0 B
  Disk 2    Online         1024 MB  1024 MB
  Disk 3    Online         2048 MB  2048 MB
Disk 0 = internal HDD
Disk 1 = USB Drive
Disk 2 = Fixed type VHD (D:\fixed_vhd.vhd) file mounted using aim_ll.exe
Disk 3 = NTFS Sparse disk image (D:\NTFS_sparse.img) mounted using aim_ll.exe
____________________
List (AIM) mounted disk images (command is lower case L (for list)) -
aim_ll.exe -l
Output from the above command with D:\fixed_vhd.vhd and D:\NTFS_sparse.img mounted -
Device number 000100
SCSI port number 2 device number 000100
Image file: \??\d:\ntfs_sparse.img
Size: 2147483648 bytes (2 GB), ReadOnly, Queued I/O Image File, HDD.
Disk device is \\?\PhysicalDrive3
Device number 000000
SCSI port number 2 device number 000000
Image file: \??\d:\fixed_vhd.vhd
Size: 1073742336 bytes (1 GB), Queued I/O Image File, HDD.
Disk device is \\?\PhysicalDrive2
2 devices found.
____________________
Dismount virtual disk using AIM device number (device numbers are in hexadecimal format as displayed by running aim_ll.exe -l) - device 000000 is d:\fixed_vhd.vhd
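As an added example (not from the original post or the Arsenal Image Mounter project), the following Python script parses the `aim_ll.exe -l` listing shown above, decodes each device number using the LLTTPP layout from the -u help text, and reports images attached without the ReadOnly flag, which is the check to make before examining evidence images. The one-field-per-line layout of the listing and all class and function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Listing copied from the post above (two images attached with aim_ll.exe).
# Assumption: each field sits on its own line, as reproduced here.
SAMPLE_LISTING = r"""
Device number 000100
SCSI port number 2 device number 000100
Image file: \??\d:\ntfs_sparse.img
Size: 2147483648 bytes (2 GB), ReadOnly, Queued I/O Image File, HDD.
Disk device is \\?\PhysicalDrive3
Device number 000000
SCSI port number 2 device number 000000
Image file: \??\d:\fixed_vhd.vhd
Size: 1073742336 bytes (1 GB), Queued I/O Image File, HDD.
Disk device is \\?\PhysicalDrive2
2 devices found.
"""


@dataclass
class MountedImage:  # hypothetical container, not part of AIM
    device_number: str              # six hex digits, format LLTTPP (-u help)
    scsi_port: int = -1
    image_file: str = ""
    size_bytes: int = 0
    flags: list = field(default_factory=list)
    disk_device: str = ""

    @property
    def scsi_address(self):
        """Decode LLTTPP into (path, target, lun)."""
        n = self.device_number
        return int(n[4:6], 16), int(n[2:4], 16), int(n[0:2], 16)

    @property
    def read_only(self):
        return "ReadOnly" in self.flags


def parse_listing(text):
    """Turn `aim_ll.exe -l` output into a list of MountedImage records."""
    devices, current, reported = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"Device number ([0-9A-Fa-f]{6})", line):
            current = MountedImage(m.group(1))
            devices.append(current)
        elif m := re.fullmatch(r"(\d+) devices? found\.", line):
            reported = int(m.group(1))
        elif current is None:
            continue  # ignore anything before the first device record
        elif m := re.match(r"SCSI port number (\d+) device number", line):
            current.scsi_port = int(m.group(1))
        elif line.startswith("Image file: "):
            current.image_file = line[len("Image file: "):]
        elif m := re.match(r"Size: (\d+) bytes \([^)]*\), (.*?)\.?$", line):
            current.size_bytes = int(m.group(1))
            current.flags = [f.strip() for f in m.group(2).split(",")]
        elif line.startswith("Disk device is "):
            current.disk_device = line[len("Disk device is "):]
    # A count mismatch means the listing was truncated or the format changed.
    if reported is not None and reported != len(devices):
        raise ValueError(f"listing reports {reported} devices, parsed {len(devices)}")
    return devices


def writable_mounts(devices):
    """Return images attached without the ReadOnly flag (no -o ro)."""
    return [d for d in devices if not d.read_only]


if __name__ == "__main__":
    for d in parse_listing(SAMPLE_LISTING):
        path, target, lun = d.scsi_address
        state = "read-only" if d.read_only else "WRITABLE"
        print(f"{d.device_number} port={d.scsi_port} path={path} "
              f"target={target} lun={lun} {d.disk_device} {state} {d.image_file}")
```

To check a live system, pass the captured output of `aim_ll.exe -l` to parse_listing in place of SAMPLE_LISTING.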
aim_ll.exe + devio + libyal - overview and download links
aim_ll.exe can be used to mount raw disk images - native support for other disk image formats including common types such as .vmdk, .vdi and expandable type .vhd files is not implemented. DiscUtils is integrated with other Arsenal Image Mounter executables including aim_cli.exe, ArsenalImageMounter.exe and ArsenalImageMounterMountTool.exe - whilst these programs support a wider range of image types, they require .NET 4.*.
In some usage cases .NET may not be available. It is possible to use a combination of aim_ll.exe + devio.exe + a custom proxy dll and libyal to access some of the more commonly used disk image formats.
.... is a collection of libraries that are used to access various data formats, such as the OLE Compound File or NT File System. The original use case for the libraries is for analyzing data formats or their content for analysis in the context of digital forensics and incident response (DFIR)....
Device I/O Service... With support for Microsoft VHD format, custom DLL files and shared memory proxy operation....
Accessing disk images using libyal involves two distinct stages (these are covered in more detail in the next post) -
Stage 1- run devio.exe to create a shared memory device
Stage 2- run aim_ll.exe to access the shared memory device created in stage 1
Please note that a shared memory device is a means of passing data between different programs - in this case devio and aim_ll.exe. The first program (devio) creates the device and the second program (aim_ll.exe) accesses it using the unique name given to the device when it was created.
A number of proxy .dll files/packages for use with aim_ll.exe (and ImDisk), which include some libyal libraries, are available.
____________________
Please note the following information from Olof - "...I am about to recompile libewf, libvhdi, libvmdk, libsmraw and libodraw so that they use only system dlls and no particular VC++ runtime dlls. It looks right now like the x86 versions will require minimum Windows 2000 and the x64 minimum Windows Server 2003 or XP. I will also make some small corresponding libewf_devio.dll, libvmdk_devio.dll etc files for use with devio..." (from here)
____________________
Please note that some of these packages may require VC++ runtime dlls. The latest release of VMDK Proxy for ImDisk refers to a dependency "...on msvcrt.dll and no longer on msvcrtxxx.dll..." - with previous versions clearly having other msvcrtxxx.dll dependencies. I'm not sure which of the above Packages may have other dependencies.
Please also note that Erwan's packages are 32-bit. Some, but not all, include devio.exe.
Stage 2 - run aim_ll.exe + access the shared memory device (with unique name) created in stage 1.
Command syntax -
aim_ll.exe -a -t proxy -o shm -f unique_name_for_shm
Example to connect to the shared memory device created in the Stage 1 examples (with unique_name_for_shm - vhd1)
aim_ll.exe -a -t proxy -o shm -f vhd1
Another example, with virtual device created as Readonly (-o ro parameter added)
aim_ll.exe -a -t proxy -o shm -o ro -f vhd1
Output from running the aim_ll.exe -a -t proxy -o shm -f vhd1 command -
Creating device...
Created device 000000 -> vhd1
Disk device is \\?\PhysicalDrive2
Attached disk volume \\?\Volume{1b6fb1a6-9024-11e9-827b-005056c00008}
Done.
Breakdown of the aim_ll.exe parameters/commands used above -
-a - Attach a virtual disk.
-t - Type of virtual disk to attach
-t proxy - proxy type virtual disk. "The actual backingstore for this type of virtual disk is controlled by a storage server accessed by the driver on this machine by sending storage I/O requests through a named pipe specified with -f." - in this case the "storage server" is devio.exe.
-o - option. "Set or reset options."
-o shm - "Can only be used with proxy-type virtual disks. With this option, the driver communicates with a storage server on the same computer using shared memory block to transfer I/O data." - in this case the "storage server" is devio.exe.
-o ro - set virtual disk as read-only.
-f - specify file/filename. This includes the unique shm name.
-f vhd1 - use file vhd1 (name of Shared Memory device created in stage 1)
Thanks for gathering all this information in a useful summary like this!
One thing, devio.exe supports dynamically expanding vhd image files in both read-only and read-write modes itself, it does not need libvhd.dll and libvhd_devio.dll etc for such files.
C:\> devio 9000 test.vhd
Successfully opened 'test.vhd'.
Detected dynamically expanding Microsoft VHD image file format.
VHD block size: 2097152 bytes. C/H/S geometry: 660/16/31.
Image size used: 167772160 bytes.
Detected a master boot record at sector 0.
Using partition 1.
Total size: 167772160 bytes. Using 164626432 bytes from offset 65536.
Required alignment: 1 bytes.
Buffer size: 67108864 bytes.
Waiting for connection on port 9000. Press Ctrl+C to cancel.