Fwd: [Vol-users] libewf on Windows (I know, I know!)
jared703 at gmail.com
Tue Aug 16 12:54:55 CDT 2016
I haven't been in this EWF situation for memory yet but I'd probably try
vol.exe -f image.e01 --profile=<yourprofile> -O image.raw
If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager and
image that mounted volume.
If that didn't work I'd try loading the evidence into EnCase 7.x - right click
on the evidence --> evidence --> device --> share --> Mount as Emulated
Disk and then use FTK Imager to image that mounted volume to .raw
On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom at yarrish.com> wrote:
> IIRC volatility should be able to handle an E01 file natively now (unless
> that's a *nix only thing). But another option would be either 1) Arsenal
> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
> FTK to convert the E01 image to a RAW image file and then just run that
> through volatility.
> PGP Key ID - B32585D0
> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <bridgeythegeek at gmail.com> wrote:
>> Hi all,
>> Because the universe hates me, I've been given an E01 of a RAM dump (from
>> Win7SP1x64) and I have to use Windows to run Volatility.
>> I have p99 of tAoMF in front of me.
>> I tried the "Mount in FTK Imager and point to Z:\unallocated space"
>> thing, but pslist showed only 1 entry which looked very corrupt.
>> I don't have access to EnCase to mount it from there.
>> So I'd like to use libewf. But can I even use it on Windows?? If I
>> compile the library, how do I tell Volatility about the libewf.dll?
>> Basically, how do I use Volatility with libewf on Windows?
>> Thank you,
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
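Much of this thread comes down to whether Volatility is being handed a raw memory image or is still looking at an E01 container (a one-entry, corrupt-looking pslist after the FTK Imager mount is the symptom). The following is an added example, not code from the list, libewf or Volatility: it checks the EWF signature and walks the 76-byte section descriptors of a segment file, so you can confirm what kind of file you actually have before running a plugin. It assumes the layout from the public EWF specification (13-byte file header, descriptor chain linked by absolute offsets, Adler-32 over each descriptor) and builds a small constructed segment in memory to run against.

```python
import struct
import zlib

# EWF (E01) fixed layout per the public libewf EWF specification:
# 13-byte file header, then 76-byte section descriptors chained by
# absolute "next section" offsets, each with an Adler-32 checksum.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_LEN = 13
DESCRIPTOR_LEN = 76
DESCRIPTOR_FMT = "<16sQQ40s"  # type, next offset, section size, padding


def image_kind(data: bytes) -> str:
    """Return 'ewf' for an E01 segment, otherwise 'raw-or-other'."""
    return "ewf" if data[:8] == EWF_SIGNATURE else "raw-or-other"


def segment_number(data: bytes) -> int:
    """Segment number (1 for .E01, 2 for .E02, ...) from the file header."""
    if image_kind(data) != "ewf":
        raise ValueError("not an EWF segment")
    _fields_start, segment, _zero = struct.unpack_from("<BHH", data, 8)
    return segment


def walk_sections(data: bytes):
    """Yield (type, offset, size, checksum_ok) for each descriptor in the chain."""
    offset = FILE_HEADER_LEN
    while offset + DESCRIPTOR_LEN <= len(data):
        stype, next_off, size, _pad = struct.unpack_from(DESCRIPTOR_FMT, data, offset)
        stored = struct.unpack_from("<I", data, offset + DESCRIPTOR_LEN - 4)[0]
        calc = zlib.adler32(data[offset:offset + DESCRIPTOR_LEN - 4]) & 0xFFFFFFFF
        name = stype.rstrip(b"\x00").decode("ascii", "replace")
        yield name, offset, size, stored == calc
        if name in ("done", "next") or next_off <= offset:
            break  # last descriptor in this segment, or a corrupt chain
        offset = next_off


# --- constructed sample segment (not a real evidence file) ---
def _descriptor(name: str, offset: int, payload_len: int) -> bytes:
    size = DESCRIPTOR_LEN + payload_len
    body = struct.pack(DESCRIPTOR_FMT, name.encode("ascii"), offset + size, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def build_sample_segment() -> bytes:
    data = EWF_SIGNATURE + struct.pack("<BHH", 1, 1, 0)  # fields start, segment 1, zero
    for name, payload in (("header", b"constructed header text"), ("done", b"")):
        data += _descriptor(name, len(data), len(payload)) + payload
    return data
```

Running `walk_sections` over a real segment lists its `header`, `volume`, `sectors` and `table` sections; a file that reports `raw-or-other` is what Volatility on Windows expects.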