Digital Forensics Tool - Arsenal Image Mounter
Arsenal Image Mounter (AIM) is a powerful forensic tool for mounting and analyzing disk images. Unlike traditional disk mounting tools, AIM allows forensic investigators to mount disk images (including E01, VHD, VMDK, and raw formats) directly into the Windows kernel as complete disk devices, ensuring that the mounted images behave exactly like physical disks. This enables forensic professionals to perform advanced analysis, such as retrieving hidden data, unallocated space, or deleted files that standard mounting methods might overlook.
AIM supports various write-protection options to prevent any modifications to the original disk images, ensuring forensic integrity throughout the analysis. The tool is often used alongside other forensic software for in-depth evidence investigation, making it well suited to incident response, digital forensics investigations, and legal proceedings. With Arsenal Image Mounter, users can also mount snapshots of virtual machine disks, making it a versatile solution for investigating physical and virtual environments. The detailed logs and reports generated during mounting sessions can be exported for further forensic analysis and case documentation.
Arsenal Image Mounter: Mounting Disk Image
Go to File > Mount Disk Image
Select the disk image file. Disk images usually have an E01, VHD, or VMDK file extension.
Arsenal Image Mounter: Ensuring Disk Integrity
Read-only mode ensures disk integrity by preventing any modifications to the data stored on the disk. This safeguards the image from unintended changes, file corruption, or malicious attacks, ensuring that the original state of the data is preserved.
In forensic investigations, mounting a disk as read-only ensures that the evidence remains untouched, which is crucial for maintaining its validity in court. By preventing alterations, this method ensures that the digital evidence can be trusted and upheld in legal proceedings.
Since the disk is used in Windows systems, we assume the file system is NTFS, which explains the 512-byte sector size.
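The file system and sector size assumed above can also be confirmed from the image itself. The following Python sketch is an added example, not part of the original article or of Arsenal Image Mounter: it reads the MBR partition table and the NTFS boot sector fields of a raw image. It assumes a raw (dd-style) image with an MBR partition table; all function names are hypothetical, and the sample image is constructed in memory.

```python
import struct

NTFS_OEM_ID = b"NTFS    "            # bytes 3..10 of an NTFS volume boot record
CANDIDATE_SECTOR_SIZES = (512, 4096)  # sizes tried when turning an LBA into an offset

def parse_mbr(sector0: bytes):
    """Return (type, start_lba, sector_count) for each used MBR partition slot."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA)")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:             # type 0x00 marks an empty slot
            parts.append((entry[4], start_lba, count))
    return parts

def parse_ntfs_vbr(vbr: bytes):
    """Decode the NTFS BPB geometry fields, or return None if this is not NTFS."""
    if len(vbr) < 0x30 or vbr[3:11] != NTFS_OEM_ID:
        return None
    # Offset 0x0B: bytes per sector (u16); 0x0D: sectors per cluster (u8).
    # Large-cluster volumes encode 0x0D differently; not handled in this sketch.
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc}

def find_ntfs_volumes(image: bytes):
    """Locate NTFS volumes; accept a sector size only if the BPB agrees with it."""
    found = []
    for ptype, start_lba, _ in parse_mbr(image[:512]):
        for size in CANDIDATE_SECTOR_SIZES:
            off = start_lba * size
            info = parse_ntfs_vbr(image[off:off + 512])
            if info and info["bytes_per_sector"] == size:
                found.append({"type": ptype, "offset": off, **info})
                break
    return found

def build_sample_image(sector_size=512, start_lba=2048):
    """Constructed sample: one MBR partition (type 0x07) holding an NTFS VBR."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0x07, start_lba, 4096)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(512)
    vbr[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", vbr, 0x0B, sector_size, 8)
    image = bytearray(start_lba * sector_size + 512)
    image[:512] = mbr
    image[start_lba * sector_size:] = vbr
    return bytes(image)
```

For a real case, pass the first bytes of a raw image opened in binary read mode instead of the constructed sample.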
Arsenal Image Mounter: Interpreting the Output
The tool identifies the disk as PhysicalDrive1 with a size of 18 GB and detects the presence of Volume Shadow Copies. These shadow copies are snapshots created by the Windows Volume Shadow Copy Service (VSS), which can provide valuable forensic evidence by allowing access to previous versions of files or deleted data.