ArsenalRecon / Arsenal-Image-Mounter

Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.
https://ArsenalRecon.com/weapons/image-mounter

Mounting vmdk image using AIM (gui or cli) on a virtual machine does not work #17

Closed gregben796 closed 4 years ago

gregben796 commented 4 years ago

Hi,

I'm trying to mount a .vmdk image with the command-line tool aim_cli.exe. To do so, I use the following command:

.\aim_cli.exe /mount /readonly /filename="E:\VirtualMachine\Win10Bitlocker\WinDev2003Eval-disk001.vmdk" /provider=DiscUtils

When I run this command on my host computer (Windows 10 Pro), I do not have any problem. All the drives are mounted correctly and I can access my data. However, when I run the same command on my virtual machine (Windows 10 Enterprise Eval), it does not work anymore. There is no drive mounted but I do not have any error message.

aim_cli_vmdk3

I also tried the gui tool ArsenalImageMounter.exe but the result is the same as you can see below (the first screenshot comes from the host and the second one from the VM).

aim_cli_vmdk2

aim_cli_vmdk

I thought the problem could come from missing dependencies and especially DiscUtils but I did not manage to solve this issue. I tried to install the latest version of .NET and also tried different versions of AIM (v3.1.101 and v3.1.107 downloaded from https://arsenalrecon.com/downloads/).

Do you have any idea how to solve this issue?

Thank you

LTRData commented 4 years ago

Thanks for your report. I do not think we have seen any similar problem before. There should be no need to upgrade .NET or any other components on Windows 10 either. Not sure really where to start here, but if you open Disk Management in Windows in the virtual machine, does it show any messages about the mounted virtual disk? Is there anything in the system event log that could give any clues?

gregben796 commented 4 years ago

Thank you for your quick reply.

I have just checked diskmgmt and here is the result I get when I use provider=DiscUtils. The disk is not initialized, but I can't initialize it myself because it is mounted read-only.

diskmgmt_discutils

I also tried to mount the vmdk image with provider=None to compare. Apparently, the disk is not initialized either, but in this case even the size of the disk is not correct (40 GB). In fact, the image I am trying to mount is the vmdk of the VM I am working on. So Disk1 should be similar to Disk0.

diskmgmt_none

It seems that the disk is recognized (127 GB) but fails to initialize. When I check diskmgmt from my host computer, everything is fine, the vmdk is mounted and I have 2 partitions (the "System Reserved" one and the "Bitlocker" one).

LTRData commented 4 years ago

Ah, "In fact, the image I am trying to mount is the vmdk of the VM I am working on. So Disk1 should be similar to Disk0." There is the problem. You cannot have two disks with identical signatures online simultaneously in Windows. This means that you cannot mount an image of a system disk within the OS booted from that system disk. If you mount it read/write and online the disk in Disk Management, Windows will automatically create a new disk signature for it, which will invalidate any directory mount points, BCD records, etc. that might point to partitions within that image.

To work around this problem, we have the "fake disk signature" option in Arsenal Image Mounter. I would recommend that you try that and see if it helps!
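The signature collision described above can be checked before mounting. The following is an added example, not part of the original thread and not Arsenal Image Mounter code: it reads the MBR disk signature (or the GPT disk GUID) from the first two sectors of an image and compares it with the identities of disks already online. It assumes a raw (flat) image with 512-byte sectors, so a VMDK would first have to be exposed as raw data; the function names, the caller-supplied list of online identities and the sample sectors are all constructed for illustration.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors


def disk_identity(first_sectors: bytes):
    """Return ("MBR", signature) or ("GPT", disk GUID) from the first two sectors of a raw image."""
    if len(first_sectors) < SECTOR or first_sectors[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    # A partition entry of type 0xEE marks a protective MBR, i.e. a GPT disk.
    types = [first_sectors[446 + 16 * i + 4] for i in range(4)]
    if 0xEE in types:
        header = first_sectors[SECTOR:2 * SECTOR]
        if header[:8] != b"EFI PART":
            raise ValueError("protective MBR without a GPT header in sector 1")
        # Disk GUID: 16 bytes at offset 56 of the GPT header, mixed-endian.
        return ("GPT", uuid.UUID(bytes_le=header[56:72]))
    # MBR disk signature: 32-bit little-endian value at offset 0x1B8.
    return ("MBR", struct.unpack_from("<I", first_sectors, 0x1B8)[0])


def collides(identity, online_identities):
    """True when a disk that is already online carries the same identity."""
    return identity in set(online_identities)


def constructed_mbr(signature: int) -> bytes:
    """Constructed sample: minimal MBR sector with one NTFS-type entry."""
    s = bytearray(SECTOR)
    struct.pack_into("<I", s, 0x1B8, signature)
    s[446 + 4] = 0x07
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def constructed_gpt(guid: uuid.UUID) -> bytes:
    """Constructed sample: protective MBR followed by a minimal GPT header."""
    pmbr = bytearray(SECTOR)
    pmbr[446 + 4] = 0xEE
    pmbr[510:512] = b"\x55\xaa"
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    hdr[56:72] = guid.bytes_le
    return bytes(pmbr) + bytes(hdr)


if __name__ == "__main__":
    online = [("MBR", 0x9A3C51E7)]  # constructed: identity of the booted system disk
    image = disk_identity(constructed_mbr(0x9A3C51E7))
    print(image, "collision" if collides(image, online) else "no collision")
```

A collision here means the image would come up alongside a disk with the same identity, which is the case the "fake disk signature" option is meant for.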

gregben796 commented 4 years ago

Oh all right, I did not know that. I had never faced this issue before.

I will take a look at the 'fake disk signature' and I could still use another VM to mount the vmdk image. I use this particular image to make some tests but at the end, it won't be used on my own image so it would not be a problem anymore.

Thanks a lot for your help.