Fwd: [Vol-users] libewf on Windows (I know, I know!)

Andrew Case atcuno at gmail.com
Tue Aug 16 13:41:04 CDT 2016


I'll third using FTK Imager to convert to raw. Let us know how that goes.

Thanks,
Andrew (@attrc)

On 08/16/2016 12:54 PM, Jared Greenhill wrote:
> Bridgey,
> 
> I haven't been in this EWF situation for memory yet but I'd probably try
> imagecopy first:
> 
> vol.exe -f image.e01 --profile=<yourprofile> -O image.raw
> 
> If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager
> and image that mounted volume.
> 
> If that didn't work I'd try loading the evidence into EnCase 7.x - right
> click on the evidence --> evidence --> device --> share --> Mount as
> Emulated Disk and then use FTK Imager to image that mounted volume to .raw
> 
> JG
> 
> On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom at yarrish.com
> <mailto:tom at yarrish.com>> wrote:
> 
>     IIRC volatility should be able to handle an E01 file natively now
>     (unless that's a *nix only thing).  But another option would be
>     either 1) Arsenal Image Mounter (which works much better than FTK,
>     EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a RAW
>     image file and then just run that through volatility.
> 
>     Thanks,
>     Tom
> 
> 
>     PGP Key ID - B32585D0
> 
>     On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek
>     <bridgeythegeek at gmail.com <mailto:bridgeythegeek at gmail.com>> wrote:
> 
>         Hi all,
> 
>         Because the universe hates me, I've been given an E01 of a RAM
>         dump (from Win7SP1x64) and I have to use Windows to run Volatility.
> 
>         I have p99 of tAoMF in front of me.
> 
>         I tried the "Mount in FTK Imager and point to Z:\unallocated
>         space" thing, but pslist showed only 1 entry which looked very
>         corrupt.
> 
>         I don't have access to EnCase to mount it from there.
> 
>         So I'd like to use libewf. But can I even use it on Windows?? If
>         I compile the library, how do I tell Volatility about the
>         libewf.dll?
> 
> 
>         Basically, how do I use Volatility with libewf on Windows?
> 
>         Thank you,
>         Adam
> 
>         _______________________________________________
>         Vol-users mailing list
>         Vol-users at volatilityfoundation.org <mailto:Vol-users at volatilityfoundation.org>
>         http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>         <http://lists.volatilityfoundation.org/mailman/listinfo/vol-users>
> 
> 


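The advice above boils down to "get the E01 into raw, then point Volatility at the raw file". What the thread does not show is how to do that with libewf directly, or how to tell that the conversion produced real memory rather than the "1 corrupt pslist entry" result from the FTK Imager unallocated-space trick. The script below is an added example, not code from any poster or from the Volatility project. It assumes the pyewf module that ships with libewf (the libewf-python package on Windows) and the handle methods glob/open/get_media_size/read/get_hash_value_md5/close; the sanity check assumes a Windows 7 x64 image, where Volatility's psscan locates _EPROCESS pool allocations by the tag b"Pro\xe3" four bytes into a 16-byte-aligned POOL_HEADER. The sample memory buffer is constructed for the demonstration.

```python
"""Convert an E01 memory image to raw with libewf's Python bindings and check
the result before handing it to Volatility.

Added example (not from the thread or the Volatility project). Assumes the
pyewf module from libewf (libewf-python on Windows) and its handle methods
glob/open/get_media_size/read/get_hash_value_md5/close. The sanity check
assumes a Windows 7 x64 image: Volatility's psscan finds _EPROCESS pool
allocations by the tag b"Pro\\xe3" ("Proc" with the protected-pool bit set)
stored 4 bytes into a 16-byte-aligned POOL_HEADER.
"""
import hashlib
import mmap
import sys

try:
    import pyewf  # assumption: libewf bindings installed
except ImportError:  # hash/sanity helpers still work without libewf
    pyewf = None

CHUNK = 4 * 1024 * 1024
PROC_TAG = b"Pro\xe3"


def ewf_to_raw(e01_path, raw_path):
    """Stream every segment (E01, E02, ...) into one raw file.
    Returns (bytes_written, media_size, computed_md5, stored_md5)."""
    if pyewf is None:
        raise RuntimeError("pyewf is not installed")
    handle = pyewf.handle()
    handle.open(pyewf.glob(e01_path))      # glob picks up E02, E03, ...
    try:
        media_size = handle.get_media_size()
        md5 = hashlib.md5()
        written = 0
        with open(raw_path, "wb") as out:
            while written < media_size:
                block = handle.read(min(CHUNK, media_size - written))
                if not block:
                    break                  # short read: caught by size check
                out.write(block)
                md5.update(block)
                written += len(block)
        try:
            stored_md5 = handle.get_hash_value_md5()   # acquisition hash
        except Exception:                  # assumption: raises if absent
            stored_md5 = None
    finally:
        handle.close()
    return written, media_size, md5.hexdigest(), stored_md5


def check_conversion(written, media_size, computed_md5, stored_md5):
    """Size must match the E01's media size; the MD5 of the raw bytes must
    match the hash recorded at acquisition when one is present."""
    return {
        "size_ok": written == media_size,
        "md5_ok": None if not stored_md5
                  else computed_md5.lower() == stored_md5.lower(),
    }


def count_pool_tags(buf, tag=PROC_TAG, align=16, tag_offset=4):
    """Count tag hits whose POOL_HEADER would start on an `align` boundary,
    the same alignment rule psscan applies. Works on bytes or an mmap."""
    hits, pos = 0, buf.find(tag)
    while pos != -1:
        if (pos - tag_offset) % align == 0:
            hits += 1
        pos = buf.find(tag, pos + 1)
    return hits


def scan_raw(raw_path):
    """Pool-tag count over a whole raw image without loading it into RAM."""
    with open(raw_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return count_pool_tags(m)


def build_sample_memory():
    """Constructed 4 KiB stand-in for a slice of Win7 x64 memory: three
    aligned pool headers tagged Pro\\xe3 plus one misaligned decoy."""
    buf = bytearray(4096)
    for hdr in (0x100, 0x400, 0x800):
        buf[hdr + 4:hdr + 8] = PROC_TAG
    buf[0x209:0x20d] = PROC_TAG            # header would be at 0x205: not aligned
    return bytes(buf)


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    written, size, md5, stored = ewf_to_raw(src, dst)
    result = check_conversion(written, size, md5, stored)
    print(f"wrote {written} of {size} bytes, md5={md5}, stored={stored}")
    print(result, "Pro\\xe3 pool tags:", scan_raw(dst))
    # a healthy Win7 image shows dozens of hits; one or zero means the raw
    # file is not the memory contents and pslist will look the way the
    # original poster describes
    sys.exit(0 if result["size_ok"] and result["md5_ok"] is not False else 1)
```

Usage: `python ewf2raw.py image.E01 image.raw`, then `vol.exe -f image.raw --profile=Win7SP1x64 pslist`. The size and MD5 comparison is the part that matters for evidence handling: a raw file that is shorter than the media size or whose MD5 differs from the acquisition hash should not go into a report, whichever tool produced it. The pool-tag count is only a quick plausibility check before spending time on plugins, not a substitute for psscan.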