Windows and Linux Authentication Bypass with AIM
Summary
TL;DR: In this video, the presenter introduces three impressive features of Arsenal Image Mounter 3.9. The first feature allows mounting Linux disk images as read-only or writeable logical volumes, with options to bypass Linux authentication, providing access to user data without needing a password. The second feature demonstrates mounting Windows disk images for direct data recovery. The third feature, enabling Virtual DD, offers raw disk access to all devices, useful for tools requiring raw data input. The video highlights the ease of accessing passwords and system data, showcasing Arsenal Image Mounter's capabilities for forensic analysis.
Takeaways
- 🚀 Arsenal Image Mounter 3.9 introduces three new features that enhance its capabilities.
- 🔒 The first feature allows mounting Linux disk images as read-only or read-write, with changes written to a temporary file.
- 🔓 A Linux authentication bypass is included, enabling access to the user's data without needing the password.
- 🖥️ Launch VM is a new feature requiring Hyper-V, allowing the examination of an image within a virtual machine environment.
- 🔐 For Windows systems, the tool can bypass the Data Protection API, providing access to saved passwords and forms.
- 📂 The tool can mount disk images and present them as logical volumes, allowing direct access to the suspect's data.
- 🔄 Write operations to the mounted disk image can be redirected to a temporary differencing file, preserving the original data.
- 🔄 The 'delete differencing file after unmount' option allows for temporary changes to be discarded upon unmounting.
- 🔑 The Linux authentication bypass does not unlock the keyring, limiting access to user-permissioned data only.
- 🔍 The tool provides raw disk access via virtual DD images, useful for tools that require raw data input.
- 🛠️ Arsenal Image Mounter's features are particularly useful for forensic analysis, offering a range of options for different operating systems.
Q & A
What is Arsenal Image Mounter 3.9?
-Arsenal Image Mounter 3.9 is software that allows users to mount disk images and interact with them as if they were physical drives, with new features for enhanced functionality.
What are the three new features added in Arsenal Image Mounter 3.9?
-The three new features are Linux authentication bypass, Windows authentication bypass, and the ability to enable virtual DD for raw disk access.
How can one mount a Linux disk image as a read-only disk device in Arsenal Image Mounter 3.9?
-By selecting the disk image and choosing the 'disk device read only' option, it will show up as a logical volume in Windows, allowing read-only access.
What does 'delete differencing file after unmount' mean in the context of Arsenal Image Mounter 3.9?
-This option means that any changes made to the mounted image are stored in a temporary file instead of the actual disk image, and this file is deleted once the image is unmounted.
Why might the Windows File System Driver Bypass feature not work for a Linux image?
-The Windows File System Driver Bypass is designed for Windows images and would not be effective for Linux images due to differences in file system structures and access mechanisms.
What is the significance of launching a VM with Arsenal Image Mounter 3.9?
-Launching a VM allows users to interact with the mounted image as if it were a live system, which requires Hyper-V to be installed on a Windows Pro version or equivalent setup.
How does the Linux authentication bypass feature work in Arsenal Image Mounter 3.9?
-The Linux authentication bypass feature allows users to log in to the system without needing the user password, providing access to all files and data the user has permissions for.
What limitations does the Linux authentication bypass have regarding access to certain system components?
-While it allows login and access to user-permissioned data, the Linux authentication bypass does not automatically unlock the key ring, which may restrict access to certain secured elements of the system.
How does the Windows authentication bypass differ from the Linux version in Arsenal Image Mounter 3.9?
-The Windows authentication bypass not only allows login without a password but also provides access to data protected by the Data Protection API (DPAPI), including passwords saved in browsers and other applications.
What is the purpose of enabling virtual DD in Arsenal Image Mounter 3.9?
-Enabling virtual DD provides a mount point for each logical and physical device as if they were .dd images, allowing raw disk access for tools that require it, without the need for imaging.
How can the virtual DD feature be utilized for forensic analysis?
-The virtual DD feature allows forensic analysts to extract raw data from mounted images using command-line tools or other software that operates on raw disk images, facilitating a more direct and efficient analysis process.
Outlines
🔒 Linux and Windows Authentication Bypass with Arsenal Image Mounter 3.9
This paragraph introduces the new features in Arsenal Image Mounter 3.9, focusing on the ability to bypass authentication for both Linux and Windows systems. The speaker demonstrates mounting a Linux disk image as a read-only device and then as a temporary writable device, which allows for writing to a temporary file instead of the original data. The key feature highlighted is the bypassing of Linux user authentication, which enables access to user data without needing the user's password. The speaker also discusses the limitations of this feature, such as the inability to unlock the key ring. Additionally, the paragraph covers the process of launching a virtual machine (VM) using the mounted image and the new feature of bypassing Windows authentication, including bypassing the Data Protection API (DPAPI) for certain accounts.
🛠️ Raw Disk Access and Virtual DD with Arsenal Image Mounter
The second paragraph delves into the advanced capabilities of Arsenal Image Mounter for accessing and analyzing disk images. The speaker explains how to enable Virtual DD, which provides a mount point for a virtual DD image for every logical and physical device on the system. This feature is particularly useful for tools that require raw data access. The speaker illustrates this by navigating to the Virtual DD drive and using the 'strings' command to extract data from a physical drive image, demonstrating the ease with which raw disk access can be achieved. The paragraph concludes by emphasizing the value of these features for forensic analysis, especially when dealing with compressed E01 images and the need for raw data extraction without imaging.
Keywords
💡Arsenal Image Mounter 3.9
💡Linux disk image
💡Logical volume
💡Differencing file
💡Hyper-V
💡Bypass Linux authentication
💡Key ring
💡Data Protection API (DPAPI)
💡Virtual DD
💡Strings
Highlights
Introduction of Arsenal Image Mounter 3.9 with three new features.
Ability to mount a Linux disk image as a read-only disk device, showing up as a logical volume in Windows.
Option to write to a disk image temporarily with changes saved to a differencing file.
Bypassing Linux authentication to access user data without the need for a password.
Launch VM feature requiring Hyper-V installed on Windows Pro or a workaround for Home versions.
Access to user's browser and saved passwords post authentication bypass.
Limitation of Linux authentication bypass not unlocking the key ring.
Mounting a Windows disk image with options for read-only or temporary write access.
Direct access to suspect's data from the system using recovery tools.
Bypassing Windows authentication including Data Protection API (DPAPI).
Detection of accounts where DPAPI can be bypassed.
Access to user's desktop and browser history post Windows authentication bypass.
Recovery of saved website credentials including usernames and passwords.
Introduction of Virtual DD feature providing raw disk access to every device on the system.
Use of Virtual DD for tools that require raw data access without imaging.
Command line tools compatibility with raw data extraction from Virtual DD.
Arsenal Image Mounter's innovative features for digital forensics and data recovery.
Transcripts
Welcome back everyone. Today I want to talk about Arsenal Image Mounter 3.9, and they've added three features that are just amazing, so I thought I should talk about them. So the first one, we're going to look at a Linux disk image. I'm using the Magnet Lenovo disk image. We can mount it as "disk device read only", and if we do that then it will show up as a logical volume in Windows. We can do "disk device write temporary"; it'll also show up as a logical volume, but we can actually write to it. And we're going to select that one and then select "delete differencing file after unmount", so basically any writes are sent to a temporary file instead of to the actual suspect data. We could also do "Windows file system driver bypass read only". Problem with this is we're looking at a Linux image, so this isn't a Windows image, so this wouldn't work for us. Then click OK. So now we have our Linux image mounted on E drive.

What I can do next is Launch VM, and Launch VM requires Hyper-V installed on Windows. You do have to have a Windows Pro version unless you do something kind of hacky, and then you can get it for Windows Home. If you want to try Hyper-V out, I'll give some instructions below. Okay, so we can do Launch VM, and really the new thing that I want to show you is "bypass Linux authentication" has been added. So if we click that, click OK, now the virtual machine is going to start up. This image does have a user password set, so here we see the user login account. If I just click on it, and I'm in, so they've already bypassed the user password. Now I can go to things like the user's browser, go to passwords, and then we can see different accounts that have been saved, and we can see what their actual password is. What this doesn't do is unlock the key ring. So it allows you to log in and you can get access to anything that the user has permissions for, but things like the key ring are not automatically unlocked, or at least it doesn't seem like they are. So that's Linux authentication bypass. Now I can go in and interact with the system just like I was the user.

Next we can do basically the same thing for Windows. Go to Mount Disk Image, select the image that we want. I'm going to choose Lone Wolf because I think everyone's familiar with that one. Same idea: disk device read only, disk device write temporary. I'm going to go ahead and select write temporary, delete differencing file after unmount, click OK. It's now mounting, and you can see we have local disk E, G and H in the Explorer menu. If I click on E then we get something that looks a lot like the system drive for a Windows system, and it is actually; this drive was mounted under E. Now I can search the suspect's data directly from my system using whatever tool I choose. Recovery is exactly what we expect; in H we don't have access to. There's a lot of different options now with Windows systems, but we're going to go ahead and Launch VM. So this looks a little bit different than the Linux system; we have a few more options and they're all specific to Windows. We can do things like inject AIM virtual machine tools and adjust boot drivers. We want to do that. Boot with last Windows shutdown time, and then bypass Windows authentication, that's what we're interested in here, and we specifically want to try to bypass Data Protection API or DPAPI, and any accounts where Data Protection API can be bypassed should be detected here, and we do have one account that's detected. Click that, click OK. So now we have our jcloudy account and there's the password field. If I just hit Enter I'll be able to go in because we've bypassed authentication. Now I can see the user's desktop as they would have used it. I can also open up their browser, and it says it wasn't shut down correctly, do you want to restore pages? We could potentially restore that; I'm not going to. And then we can go to Settings, Advanced, Passwords and forms, Manage passwords. We can see the websites that were saved, the username for that website, and then the password that they were using, and unlock that password. Unlike Linux, Windows uses Data Protection API and it doesn't use that key ring, so we don't have to unlock a key ring. As soon as we bypass Data Protection API we can get access to this kind of information.

And the final thing I want to show: I'm going to Mount Disk Image, we're going to choose a Windows image here, so Lone Wolf again, disk device write temporary, delete differencing file after unmount. So now it's mounted, we have our mount points here. I'm going to go to Advanced and Enable Virtual DD, and this is one of my favorite features, because now we have a mount point for Virtual DD that is F. So if I click on F, Virtual DD, then you can see that we have what looks like a DD image for every single one of our logical devices and our physical devices. Let's go look at this: this was physical device PhysicalDrive2. Okay, so we have a PhysicalDrive2.dd. Arsenal Image Mounter is providing raw disk access to every device on your system, so if your tools only take raw data then you can use Enable Virtual DD; you'll get access to all the devices on your system via a .dd kind of virtual image, and then you can process it using your tools. So if you've watched this channel for a while you know that I love command line, and a lot of tools from command line only like more dealing with raw data. Okay, so we can go ahead and cd into F drive, and this is our Virtual DD drive. We have our PhysicalDrive2 here; we have all the physical drives plus our logical drives. So I'm going to focus on PhysicalDrive2. So I'm going to use strings PhysicalDrive2.dd and then more, and then we can see here "Invalid partition table", "Error loading operating system". That looks like the beginning of a disk, and then I can just do a quick string extraction from that raw data device. Providing that DD functionality is very useful because we started with an E01, which is usually compressed, and from that we can very easily, without imaging, get access to a raw device in case your tools don't support E01. So I thought those three features were worth sharing: Linux authentication bypass, Windows authentication bypass, and Virtual DD. So go check out Arsenal Image Mounter; some really cool stuff happening there.
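The "Invalid partition table" and "Error loading operating system" text that the speaker pulls out of PhysicalDrive2.dd with strings is the classic boot-code message block of an MBR, which is why it "looks like the beginning of a disk". As an added example (not code from the video or from Arsenal), the Python below reads sector 0 of a raw .dd, checks the 0x55AA boot signature, decodes the four partition slots, and does a strings-style extraction of the boot code; the MBR bytes it runs on are constructed inline, and the F:\PhysicalDrive2.dd path in the comment is only an assumed Virtual DD location.

```python
import struct

# Constructed 512-byte MBR for the demo (not bytes from the Lone Wolf image).
# The boot-code area carries the error strings the video saw via `strings`.
def build_sample_mbr() -> bytes:
    boot_code = bytearray(446)
    msgs = (b"Invalid partition table\x00Error loading operating system\x00"
            b"Missing operating system\x00")
    boot_code[0x163:0x163 + len(msgs)] = msgs  # where classic MBR code keeps them
    # One entry: bootable, type 0x07 (NTFS), starts at LBA 2048, 1048576 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1048576)
    return bytes(boot_code) + entry + b"\x00" * 48 + b"\x55\xAA"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings` does: runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in data + b"\x00":           # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def parse_mbr(sector: bytes) -> dict:
    """Validate the 0x55AA signature and decode the four partition slots."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue                   # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"partitions": parts, "strings": extract_strings(sector[:446])}

def parse_dd(path: str) -> dict:
    """Read sector 0 of a raw .dd (e.g. a Virtual DD file) and parse it."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(512))

if __name__ == "__main__":
    # Against a real mount you would call parse_dd(r"F:\PhysicalDrive2.dd") (assumed path).
    info = parse_mbr(build_sample_mbr())
    for s in info["strings"]:
        print("boot code string:", s)
    for p in info["partitions"]:
        print(f"slot {p['index']}: type 0x{p['type']:02x} LBA {p['lba_start']} x{p['sectors']}")
```

A GPT disk still carries a protective MBR with a single type 0xEE entry in slot 0, so the same check tells you which partitioning scheme to parse next.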