Fwd: [Vol-users] libewf on Windows (I know, I know!)

Jared Greenhill jared703 at gmail.com
Tue Aug 16 12:54:55 CDT 2016


Bridgey,

I haven't been in this EWF situation for memory yet but I'd probably try
imagecopy first:

vol.exe -f image.e01 --profile=<yourprofile> imagecopy -O image.raw

If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager and
image that mounted volume.

If that didn't work I'd try loading the evidence into EnCase 7.x - right click
on the evidence --> evidence --> device --> share --> Mount as Emulated
Disk and then use FTK imager to image that mounted volume to .raw

JG
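On the "how do I tell Volatility about libewf" question: Volatility 2 reads E01 images through pyewf, the Python binding that ships with libewf, so the same binding can also export the image to raw yourself, which is the fallback everyone above ends up at. The script below is an added example, not JG's or the Volatility project's code. The pyewf calls (`pyewf.glob`, `handle.open`, `get_media_size`, `read`) are assumed to be available from a working libewf/pyewf install; the chunked copy and hashing work on any file-like object, so the conversion can be checked against a known input before it is trusted on evidence.

```python
"""Export an EWF (E01) image to a raw file in fixed-size chunks and hash
the bytes actually written, so the result can be compared with the
acquisition hash recorded by the imaging tool.

Added example, not code from the mailing-list thread. The pyewf calls are
assumed to exist in libewf's Python binding; everything else is stdlib.
"""
import hashlib
import sys

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-GB RAM images


def copy_to_raw(src, dst, media_size, chunk=CHUNK):
    """Copy media_size bytes from src to dst.

    src/dst are any file-like objects with read()/write(). Returns
    (bytes_written, md5_hex, sha256_hex). A short read stops the copy and
    is reported through bytes_written rather than padded or hidden, because
    a truncated raw image is exactly what produces the one-entry, garbage
    pslist described in the thread.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    written = 0
    while written < media_size:
        data = src.read(min(chunk, media_size - written))
        if not data:  # source ended early: corrupt or incomplete image
            break
        dst.write(data)
        md5.update(data)
        sha256.update(data)
        written += len(data)
    return written, md5.hexdigest(), sha256.hexdigest()


def convert_ewf(e01_path, raw_path):
    """Open all segments of an E01 set and write them out as one raw file."""
    import pyewf  # libewf's Python binding; assumed installed alongside libewf

    handle = pyewf.handle()
    handle.open(pyewf.glob(e01_path))  # glob collects .E02, .E03, ... segments
    media_size = handle.get_media_size()
    try:
        with open(raw_path, "wb") as out:
            written, md5_hex, sha256_hex = copy_to_raw(handle, out, media_size)
    finally:
        handle.close()
    return media_size, written, md5_hex, sha256_hex


def main(argv):
    if len(argv) != 3:
        print("usage: ewf2raw.py image.E01 image.raw", file=sys.stderr)
        return 2
    media_size, written, md5_hex, sha256_hex = convert_ewf(argv[1], argv[2])
    print(f"media size : {media_size}")
    print(f"written    : {written}")
    print(f"md5        : {md5_hex}")
    print(f"sha256     : {sha256_hex}")
    if written != media_size:
        print("WARNING: short copy, raw image is incomplete", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python ewf2raw.py image.E01 image.raw`, then hand `image.raw` to `vol.exe -f image.raw --profile=Win7SP1x64 pslist`. Compare the printed MD5 with the acquisition hash stored for the E01 (FTK Imager and EnCase both display it); a mismatch or a short-copy warning means the problem is the image, not Volatility.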

On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom at yarrish.com> wrote:

> IIRC volatility should be able to handle an E01 file natively now (unless
> that's a *nix only thing).  But another option would be either 1) Arsenal
> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
> FTK to convert the E01 image to a RAW image file and then just run that
> through volatility.
>
> Thanks,
> Tom
>
>
> PGP Key ID - B32585D0
>
> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <bridgeythegeek at gmail.com> wrote:
>
>> Hi all,
>>
>> Because the universe hates me, I've been given an E01 of a RAM dump (from
>> Win7SP1x64) and I have to use Windows to run Volatility.
>>
>> I have p99 of tAoMF in front of me.
>>
>> I tried the "Mount in FTK Imager and point to Z:\unallocated space"
>> thing, but pslist showed only 1 entry which looked very corrupt.
>>
>> I don't have access to EnCase to mount it from there.
>>
>> So I'd like to use libewf. But can I even use it on Windows?? If I
>> compile the library, how do I tell Volatility about the libewf.dll?
>>
>>
>> Basically, how do I use Volatility with libewf on Windows?
>>
>> Thank you,
>> Adam
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
>