Brett's Blog

Just some ramblings.

A Quicker Way to the Shadow Volumes and Dealing with Win 8 VHDXs

Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon.  Not only is it free, but the folks at Arsenal have been gracious in lending support.  AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files.  AIM also can mount our image as write protected or as writable.  I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.

Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc.  A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics.  I’ve explained before how to work with these virtual disks with respect to the Window 7 variety (VHD).  Windows 8 brings a new format, which is the VHDX file, which I’ll mention again later.  For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is access shadow volumes on your host system.  As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image.  While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.

Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily.  I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01.  In the following screenshot, I’ve opened AIM and navigated to my image file (001).


Next, we’ll see the window that AIM presents after I select the image.  I’m going to maintain the default options, which the screenshot depicts.  Typically, we don’t have to ask AIM to fake (cache) a disk signature, which AIM allows because Windows won’t mount a disk if it does not have a signature.  I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature.  Note than AIM handles 4KB (and other) sectors.

Continue reading
90 Hits