[Vol-users] libewf on Windows (I know, I know!)

Jamie Levy jamie at memoryanalysis.net
Tue Aug 16 19:07:49 CDT 2016


I'm wondering if it might have been a bum acquisition though.  If FTK Imager can't mount it properly, I'm not sure it will convert it properly either...  How was it acquired?

Still worth a try though. 

--
Jamie Levy (@gleeda)

> On Aug 16, 2016, at 2:41 PM, Andrew Case <atcuno at gmail.com> wrote:
> 
> I will 3rd using FTK imager to convert to raw. Let us know how that goes.
> 
> Thanks,
> Andrew (@attrc)
> 
>> On 08/16/2016 12:54 PM, Jared Greenhill wrote:
>> Bridgey,
>> 
>> I haven't been in this EWF situation for memory yet but I'd probably try
>> imagecopy first:
>> 
>> vol.exe -f image.e01 --profile=<yourprofile> -O image.raw
>> 
>> If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager
>> and image that mounted volume.
>> 
>> If that didn't work I'd try to load the evidence into encase 7.x - right
>> click on the evidence --> evidence --> device --> share --> Mount as
>> Emulated Disk and then use FTK imager to image that mounted volume to .raw
>> 
>> JG
>> 
>> On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom at yarrish.com> wrote:
>> 
>>    IIRC volatility should be able to handle an E01 file natively now
>>    (unless that's a *nix only thing).  But another option would be
>>    either 1) Arsenal Image Mounter (which works much better than FTK,
>>    EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a RAW
>>    image file and then just run that through volatility.
>> 
>>    Thanks,
>>    Tom
>> 
>> 
>>    PGP Key ID - B32585D0
>> 
>>    On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek
>>    <bridgeythegeek at gmail.com> wrote:
>> 
>>        Hi all,
>> 
>>        Because the universe hates me, I've been given an E01 of a RAM
>>        dump (from Win7SP1x64) and I have to use Windows to run Volatility.
>> 
>>        I have p99 of tAoMF in front of me.
>> 
>>        I tried the "Mount in FTK Imager and point to Z:\unallocated
>>        space" thing, but pslist showed only 1 entry which looked very
>>        corrupt.
>> 
>>        I don't have access to EnCase to mount it from there.
>> 
>>        So I'd like to use libewf. But can I even use it on Windows?? If
>>        I compile the library, how do I tell Volatility about the
>>        libewf.dll?
>> 
>> 
>>        Basically, how do I use Volatility with libewf on Windows?
>> 
>>        Thank you,
>>        Adam
>> 
>>        _______________________________________________
>>        Vol-users mailing list
>>        Vol-users at volatilityfoundation.org
>>        http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> 
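Jamie's question about whether the E01 is a bad acquisition can be triaged before any conversion: an EWF segment file starts with a 13-byte file header and a chain of 76-byte section descriptors, each protected by an Adler-32 checksum, so a truncated or damaged image usually fails this walk. The following is an added example, not code from the thread, libewf or Volatility; the minimal .E01 segment it checks is constructed in memory so it runs offline.

```python
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # magic of an E01 segment file
FILE_HEADER_LEN = 13     # signature(8) + 0x01 + segment number(2) + 0x0000
SECTION_DESC_LEN = 76    # type(16) + next(8) + size(8) + padding(40) + adler32(4)


def parse_file_header(data):
    """Validate the 13-byte EWF file header; return the segment number (1 = .E01)."""
    if len(data) < FILE_HEADER_LEN or data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF segment: bad signature")
    fields_start, segment, fields_end = struct.unpack_from("<BHH", data, 8)
    if fields_start != 1 or fields_end != 0:
        raise ValueError("malformed EWF file header")
    return segment


def walk_sections(data):
    """Yield (type, offset, size, checksum_ok) per descriptor; Adler-32 covers its
    first 72 bytes, 'next' is an absolute offset, and 'done' points at itself."""
    sections, offset = [], FILE_HEADER_LEN
    while offset + SECTION_DESC_LEN <= len(data):
        desc = data[offset:offset + SECTION_DESC_LEN]
        sec_type = desc[:16].rstrip(b"\x00").decode("ascii", "replace")
        nxt, size = struct.unpack_from("<QQ", desc, 16)
        stored = struct.unpack_from("<I", desc, 72)[0]
        sections.append((sec_type, offset, size, zlib.adler32(desc[:72]) == stored))
        if nxt <= offset:            # terminator, or a broken chain
            break
        offset = nxt
    return sections


def segment_looks_sane(data):
    """True if the header parses and every descriptor checksum verifies."""
    parse_file_header(data)
    sections = walk_sections(data)
    return bool(sections) and all(ok for _, _, _, ok in sections)


def _descriptor(sec_type, nxt, size):
    """Build one 76-byte section descriptor with a valid checksum (constructed data)."""
    body = sec_type.ljust(16, b"\x00") + struct.pack("<QQ", nxt, size) + b"\x00" * 40
    return body + struct.pack("<I", zlib.adler32(body))


# Constructed minimal .E01: file header, one 'header' section, then 'done'.
SAMPLE_E01 = (EWF_SIGNATURE + struct.pack("<BHH", 1, 1, 0)
              + _descriptor(b"header", 13 + 76, 76)
              + _descriptor(b"done", 13 + 76, 76))
# Same segment with one padding byte of the 'done' descriptor flipped, as damage would.
CORRUPT_E01 = bytearray(SAMPLE_E01)
CORRUPT_E01[13 + 76 + 40] ^= 0xFF
CORRUPT_E01 = bytes(CORRUPT_E01)
```

Run `segment_looks_sane(open("image.E01", "rb").read())` on a real segment (or read only the first few descriptors for large images) before spending time on imagecopy or FTK Imager; a failing checksum points at the acquisition rather than at the conversion step.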