[Vol-users] libewf on Windows (I know, I know!)

Ronald Weiss rwuiuc at gmail.com
Tue Aug 16 13:15:45 CDT 2016


If you can get the evidence file into EnCase you can also export the unallocated space as a file that can then be processed

Sent from my iPhone

> On Aug 16, 2016, at 12:54, Jared Greenhill <jared703 at gmail.com> wrote:
> 
> Bridgey,
> 
> I haven't been in this EWF situation for memory yet but I'd probably try imagecopy first:
> 
> vol.exe -f image.e01 --profile=<yourprofile> -O image.raw
> 
> If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager and image that mounted volume.
> 
> If that didn't work I'd try to load the evidence into EnCase 7.x - right click on the evidence --> evidence --> device --> share --> Mount as Emulated Disk and then use FTK imager to image that mounted volume to .raw
> 
> JG
> 
>> On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom at yarrish.com> wrote:
>> IIRC volatility should be able to handle an E01 file natively now (unless that's a *nix only thing).  But another option would be either 1) Arsenal Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a RAW image file and then just run that through volatility.
>> 
>> Thanks,
>> Tom
>> 
>> 
>> PGP Key ID - B32585D0
>> 
>>> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <bridgeythegeek at gmail.com> wrote:
>>> Hi all,
>>> 
>>> Because the universe hates me, I've been given an E01 of a RAM dump (from Win7SP1x64) and I have to use Windows to run Volatility.
>>> 
>>> I have p99 of tAoMF in front of me.
>>> 
>>> I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing, but pslist showed only 1 entry which looked very corrupt.
>>> 
>>> I don't have access to EnCase to mount it from there.
>>> 
>>> So I'd like to use libewf. But can I even use it on Windows?? If I compile the library, how do I tell Volatility about the libewf.dll?
>>> 
>>> 
>>> Basically, how do I use Volatility with libewf on Windows?
>>> 
>>> Thank you,
>>> Adam
>>> 
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

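The conversion route discussed in this thread (E01 to raw, then point Volatility at the raw file with -f) can be done directly with libewf's Python binding instead of a GUI tool, and it is worth verifying the result rather than trusting it: a pslist that shows one corrupt entry is what a truncated or partial export looks like, and a size check plus a comparison against the acquisition MD5 stored in the E01 catches that before any analysis time is spent. The script below is an added example written for this thread; it is not code from the Volatility project or from any of the posters. It assumes the pyewf module (libewf's Python binding) is installed for open_ewf(); the names ewf_to_raw, convert_and_verify, BytesHandle and demo_roundtrip are this example's own, and BytesHandle is a constructed stand-in so the copy logic can be exercised without an E01 at hand.

```python
"""Convert an EWF (E01) image to raw, verifying size and acquisition hash.

Added example for this thread; not code from the Volatility project or
from any of the posters. open_ewf() assumes the libewf Python binding
(pyewf) is installed; the copy/verify logic only needs an object with
get_media_size(), seek() and read(), so BytesHandle (constructed) can
stand in for a real handle.
"""
import hashlib
import io
import os
import sys
import tempfile


def ewf_to_raw(handle, out_path, chunk_size=4 * 1024 * 1024):
    """Stream the media of an open EWF handle into a raw file.

    Returns (bytes_written, md5_hex). The MD5 covers exactly the bytes
    written, so it can be compared with the acquisition MD5 stored in the
    E01; a truncated or sparse export would fail that comparison.
    """
    media_size = handle.get_media_size()
    md5 = hashlib.md5()
    written = 0
    handle.seek(0)
    with open(out_path, "wb") as out:
        while written < media_size:
            data = handle.read(min(chunk_size, media_size - written))
            if not data:
                raise IOError("short read at %d of %d" % (written, media_size))
            out.write(data)
            md5.update(data)
            written += len(data)
    return written, md5.hexdigest()


def stored_md5(handle):
    """Acquisition MD5 recorded in the image, or None if none is available."""
    getter = getattr(handle, "get_hash_value", None)  # pyewf method (assumption)
    if getter is None:
        return None
    try:
        return getter("MD5")
    except Exception:
        return None


def open_ewf(first_segment):
    """Open an E01 segment set with pyewf (assumption: pyewf is installed)."""
    import pyewf
    filenames = pyewf.glob(first_segment)  # collects .E01, .E02, ... of the set
    handle = pyewf.handle()
    handle.open(filenames)
    return handle


class BytesHandle:
    """Minimal pyewf-like handle over an in-memory buffer (constructed for
    exercising the copy logic offline; not an EWF parser)."""

    def __init__(self, data, md5_hex=None):
        self._buf = io.BytesIO(data)
        self._size = len(data)
        self._md5 = md5_hex

    def get_media_size(self):
        return self._size

    def seek(self, offset):
        self._buf.seek(offset)

    def read(self, size):
        return self._buf.read(size)

    def get_hash_value(self, identifier):
        if identifier == "MD5" and self._md5:
            return self._md5
        raise KeyError(identifier)


def convert_and_verify(handle, out_path, chunk_size=4 * 1024 * 1024):
    """Return (bytes_written, computed_md5, stored_md5, ok); ok is True when
    the size matches the media size and any stored MD5 matches the copy."""
    written, computed = ewf_to_raw(handle, out_path, chunk_size)
    stored = stored_md5(handle)
    ok = written == handle.get_media_size() and (stored is None or stored == computed)
    return written, computed, stored, ok


def demo_roundtrip():
    """Round-trip a constructed 10 KiB + 17 byte 'image' with a 4 KiB chunk
    size so the loop performs several partial reads; returns the verify tuple."""
    data = bytes((i * 7 + 3) & 0xFF for i in range(10 * 1024 + 17))
    handle = BytesHandle(data, hashlib.md5(data).hexdigest())
    fd, path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    try:
        return convert_and_verify(handle, path, chunk_size=4096)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ewf2raw.py image.E01 image.raw")
    print("wrote %d bytes, md5 %s, stored %s, ok=%s"
          % convert_and_verify(open_ewf(sys.argv[1]), sys.argv[2]))
```

Run it as ewf2raw.py image.E01 image.raw and only hand image.raw to Volatility when ok=True; if the E01 carries no MD5, the size check alone still rules out a short copy, and an MD5 mismatch with a correct size means the media bytes differ from what was acquired.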
