Using AIM With WinFE

Arsenal Image Mounter Remote Agent (a/k/a AIM Remote Agent) is a CLI application which runs on Windows, Linux, and BSD that makes disks available to Arsenal Image Mounter over a network. Arsenal strongly recommends that AIM Remote Agent be run from a forensically-sound boot environment that is compatible with Secure Boot and ensures disks are kept offline and read only at all times. So, you can probably see where we are going with this - WinFE and AIM Remote Agent work great together, and in turn will work great for you!

---

Once a disk is made available to AIM via AIM Remote Agent, any of AIM's mount modes can be selected. For example, if write temporary mode is selected, AIM's write filter will be applied on the forensic workstation running AIM to facilitate interaction with the remote disk as if it was a locally attached, writable, and complete (a/k/a “physical” or “real”) disk - allowing AIM to do things which include interacting with the remote disk's BitLocker, mounting its Volume Shadow Copies using multiple methods, and launching it into a virtual machine.

---

---

---

---

---

AIM Remote Agent uses UDP broadcasts and TCP connections on ports 9000 and 9001. You may be asked by your host firewall (e.g. Windows Firewall) when starting AIM whether AIM should be allowed to use various networks (e.g. domain, private, and public) to communicate with AIM Remote Agents.

---

Assuming that a disk has been made available with AIM Remote Agent, and AIM is running on the same network as AIM Remote Agent, AIM will automatically display the remote disk unless network filtering is interfering. A manual connection between AIM and the AIM Remote Agent can be accomplished via the "Advanced/Manually connect to AIM Remote Agent..." option.

AIM can be connected to multiple AIM Remote Agents in the same session. If additional drive letters are no longer available on AIM's end, remote disks will still be mounted by AIM but mount points will need to be created manually.

Please note:

• Using AIM Remote Agent to connect a remote disk to AIM over a network introduces unique variables when compared to locally connecting a disk image or actual physical disk to AIM - for example, a network switch or hub, network cables, and network drivers on both the AIM Remote Agent and AIM ends. It is important to have confidence in the hardware and drivers being used to establish connections between AIM Remote Agent and AIM.

• It is technically possible for AIM to write to the original disk made available by AIM Remote Agent, but this would require both that the bootable environment allow write access to the disk and that a write original mount mode is selected in AIM after a connection to AIM Remote Agent has been established.

• AIM Remote Agent is designed to be used on secure local area networks. If encrypted communications are desired, tools like stunnel can be used.