Welcome back everyone. Today I want to talk about Arsenal Image Mounter 3.9. They've added three features that are just amazing, so I thought I should talk about them.

For the first one, we're going to look at a Linux disk image. I'm using the Magnet Lenovo disk image. We can mount it as "Disk device, read only", and if we do that, it will show up as a logical volume in Windows. We can do "Disk device, write temporary"; it'll also show up as a logical volume, but we can actually write to it. We're going to select that one and then select "Delete differencing file after unmount". So basically any writes are sent to a temporary file instead of to the actual suspect data. We could also do "Windows file system driver bypass, read only"; the problem with this is we're looking at a Linux image, not a Windows image, so this wouldn't work for us. Then click OK. So now we have our Linux image mounted on the E drive.

What I can do next is launch VM. Launch VM requires Hyper-V installed on Windows; you do have to have a Windows Pro version, unless you do something kind of hacky, and then you can get it for Windows Home. If you want to try Hyper-V out, I'll give some instructions below. Okay, so we can do launch VM, and really the new thing that I want to show you is that "Bypass Linux authentication" has been added. So if we click that, click OK, now the virtual machine is going to start up. This image does have a user password set. So here we see the user login account; if I just click on it, I'm in, so they've already bypassed the user password. Now I can go to things like the user's browser, go to passwords, and then we can see different accounts that have been saved, and we can see what their actual password is. What this doesn't do is unlock the keyring. So it allows you to log in, and you can get access to anything that the user has permissions for, but things like the keyring are not automatically unlocked, or at least it doesn't seem like they are.
So that's Linux authentication bypass. Now I can go in and interact with the system just like I was the user.

Next we can do basically the same thing for Windows. Go to mount disk image, select the image that we want. I'm going to choose Lone Wolf because I think everyone's familiar with that one. Same idea: "Disk device, read only", "Disk device, write temporary". I'm going to go ahead and select write temporary, delete differencing file after unmount. Click OK. It's now mounting, and you can see we have local disks E, G and H in the Explorer menu. If I click on E, then we get something that looks a lot like the system drive for a Windows system, and it actually is; this drive was mounted under E. Now I can search the suspect's data directly from my system using whatever tool I choose. Recovery is exactly what we expect, and H we don't have access to. There's a lot of different options now with Windows systems, but we're going to go ahead and launch VM. So this looks a little bit different than the Linux system. We have a few more options, and they're all specific to Windows. We can do things like inject AIM virtual machine tools and adjust boot drivers. We want to do that with last Windows shutdown time, and then bypass Windows authentication. That's what we're interested in here. And we specifically want to try to bypass Data Protection API, or DPAPI, and any accounts where Data Protection API can be bypassed should be detected here, and we do have one account that's detected. Click that, click OK. Now we have our jcloudy account and there's the password field. If I just hit enter, I'll be able to go in because we bypassed authentication. Now I can see the user's desktop as they would have used it. I can also open up their browser, and it says it wasn't shut down correctly, do you want to restore pages? We could potentially restore that; I'm not going to. And then we can go to settings, advanced, passwords and forms, manage passwords.
We can see the websites that were saved, the username for that website, and then the password that they were using, and unlock that password. Unlike Linux, Windows uses Data Protection API and it doesn't use that keyring, so we don't have to unlock a keyring. As soon as we bypass Data Protection API, we can get access to this kind of information.

And the final thing I want to show: I'm going to mount disk image. We're going to choose a Windows image here, so Lone Wolf again, "Disk device, write temporary", delete differencing file after unmount. So now it's mounted; we have our mount points here. I'm going to go to advanced and enable virtual DD. And this is one of my favorite features, because now we have a mount point for virtual DD that is F. So if I click on F, virtual DD, then you can see that we have what looks like a DD image for every single one of our logical devices and our physical devices. Let's go look at this. This was physical device PhysicalDrive2, so we have a PhysicalDrive2.dd. Arsenal Image Mounter is providing raw disk access to every device on your system. So if your tools only take raw data, then you can use enable virtual DD; you'll get access to all the devices on your system via a .dd kind of virtual image, and then you can process it using your tools. So if you've watched this channel for a while, you know that I love command line, and a lot of command line tools only like dealing with raw data. Okay, so we can go ahead and cd into the F drive, and this is our virtual DD drive. We have our PhysicalDrive2 here; we have all the physical drives plus our logical drives. So I'm going to focus on PhysicalDrive2. So I'm going to use strings PhysicalDrive2.dd | more, and then we can see here "Invalid partition table", "Error loading operating system"; that looks like the beginning of a disk.
And then I can just do a quick string extraction from that raw data device. Providing that DD functionality is very useful, because we started with an E01, which is usually compressed, and from that we can very easily, without imaging, get access to a raw device in case your tools don't support E01. So those three features were worth sharing: Linux authentication bypass, Windows authentication bypass, and virtual DD. So go check out Arsenal Image Mounter; there's some really cool stuff happening there.
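As an added example that is not part of the video or of Arsenal Image Mounter's own tooling: a small Python script that does what the strings | more step above does by hand, but structured. It reads the first 512-byte sector of a raw .dd (for instance the PhysicalDrive2.dd exposed by virtual DD), checks the 0x55AA boot signature, parses the four MBR partition entries, flags a GPT protective MBR, and pulls the printable strings out of the boot-code area (which is where "Invalid partition table" and "Error loading operating system" live). The file path is an assumption, and the sample sector embedded here is constructed for the example, not taken from the Lone Wolf or Lenovo images.

```python
import re
import struct
import sys

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not real evidence): a few bytes of boot
    code, the classic MBR error messages, one bootable NTFS-type partition
    entry and the 0x55AA signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
    messages = (b"\x00Invalid partition table"
                b"\x00Error loading operating system"
                b"\x00Missing operating system\x00")
    code_area = (boot_code + messages).ljust(440, b"\x00")
    disk_signature = struct.pack("<I", 0xDEADBEEF)
    reserved = b"\x00\x00"
    # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 204800)
    table = entry1 + b"\x00" * 16 * 3
    sector = code_area + disk_signature + reserved + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Parse one MBR sector into its disk signature and non-empty partition entries."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR sector")
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for i in range(4):
        offset = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if ptype == 0 and count == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return {
        "disk_signature": disk_signature,
        "partitions": partitions,
        # type 0xEE means a GPT protective MBR; the real table is in the GPT header
        "gpt_protective": any(p["type"] == 0xEE for p in partitions),
    }


def boot_strings(sector: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs in the boot-code area only (bytes 0..439)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, sector[:440])]


def inspect_dd(path: str) -> dict:
    """Read the first sector of a raw image or virtual DD device and report on it."""
    with open(path, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    info = parse_mbr(sector)
    info["boot_strings"] = boot_strings(sector)
    return info


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python mbr_inspect.py F:\PhysicalDrive2.dd (path is an assumption)
        print(inspect_dd(sys.argv[1]))
    else:
        sample = build_sample_mbr()
        result = parse_mbr(sample)
        result["boot_strings"] = boot_strings(sample)
        print(result)
```

Running it with no argument parses the constructed sector; pointing it at a virtual DD file only ever reads the first 512 bytes, so it is safe to run against a read-only or write-temporary mount and costs nothing even on a large physical drive.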