[Vol-users] libewf on Windows (I know, I know!)

Bridgey theGeek bridgeythegeek at gmail.com
Wed Aug 17 04:38:10 CDT 2016


Hi all,

Thanks for the comments!

So, I assumed that because I wasn't seeing any records in pslist or psxview
that I was accessing the image wrong.
However, I mounted via FTK and then took an MD5 of Z:\unallocated space and
compared with the MD5 of the raw image made by converting the E01 using FTK
Imager: the MD5s were the same.

The imageinfo and kdbgscan plugins do return sensible data.

The image was made on Win7SP1x64 using winen64.exe from EnCase7.

Interestingly, I've just tried taking an image of a Win7SP1x64 VMware VM
using winen64.exe and I get exactly the same issue.
Hmm... will do some more testing and report back.

Thanks again,
Adam


On 17 August 2016 at 01:51, Jamie Levy <jamie at memoryanalysis.net> wrote:

> Well, we *do* have the address space for it, but it relies on the ewf
> library. I don't remember off the top of my head all the details of
> installing it properly on Windows.  I remember some sort of pain though.
>
> --
> Jamie Levy (@gleeda)
>
> On Aug 16, 2016, at 11:03 AM, Tom Yarrish <tom at yarrish.com> wrote:
>
> IIRC volatility should be able to handle an E01 file natively now (unless
> that's a *nix only thing).  But another option would be either 1) Arsenal
> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
> FTK to convert the E01 image to a RAW image file and then just run that
> through volatility.
>
> Thanks,
> Tom
>
>
> PGP Key ID - B32585D0
>
> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <bridgeythegeek at gmail.com> wrote:
>
>> Hi all,
>>
>> Because the universe hates me, I've been given an E01 of a RAM dump (from
>> Win7SP1x64) and I have to use Windows to run Volatility.
>>
>> I have p99 of tAoMF in front of me.
>>
>> I tried the "Mount in FTK Imager and point to Z:\unallocated space"
>> thing, but pslist showed only 1 entry which looked very corrupt.
>>
>> I don't have access to EnCase to mount it from there.
>>
>> So I'd like to use libewf. But can I even use it on Windows?? If I
>> compile the library, how do I tell Volatility about the libewf.dll?
>>
>>
>> Basically, how do I use Volatility with libewf on Windows?
>>
>> Thank you,
>> Adam
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
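The thread turns on telling an E01 container apart from the raw image Volatility expects (a raw dump has no header, so nothing to check). As an added example, not code from the thread, from libewf or from Volatility, this parser validates the outer layout of a single EWF segment: the 13-byte file header, then the chain of 76-byte section descriptors, each protected by an Adler-32 checksum. It assumes the publicly documented EWF layout and builds its own constructed sample segment in memory.

```python
import struct
import zlib

# Layout per the public EWF (E01) specification; an assumption of this example.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"          # 8-byte E01 signature
FILE_HEADER = struct.Struct("<8sBHH")                # signature, 0x01, segment no., 0x0000
SECTION_DESCRIPTOR = struct.Struct("<16sQQ40sI")     # type, next offset, size, padding, adler32
TERMINAL_SECTIONS = {"next", "done"}                 # last descriptor in a segment points at itself


def parse_segment(data: bytes):
    """Return (segment_number, [section types]); raise ValueError if data is not EWF."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("too short to be an EWF segment")
    sig, start, segment, end = FILE_HEADER.unpack_from(data, 0)
    if sig != EWF_SIGNATURE or start != 0x01 or end != 0:
        raise ValueError("not an EWF/E01 segment (a raw image has no such header)")
    sections, offset = [], FILE_HEADER.size
    while True:
        if offset + SECTION_DESCRIPTOR.size > len(data):
            raise ValueError(f"truncated section descriptor at offset {offset}")
        raw_type, next_off, _size, _pad, checksum = SECTION_DESCRIPTOR.unpack_from(data, offset)
        # Checksum covers the 72 bytes of the descriptor that precede it.
        if zlib.adler32(data[offset:offset + 72]) & 0xFFFFFFFF != checksum:
            raise ValueError(f"bad section checksum at offset {offset}")
        name = raw_type.split(b"\x00", 1)[0].decode("ascii")
        sections.append(name)
        if name in TERMINAL_SECTIONS or next_off == offset:
            return segment, sections
        if next_off <= offset:
            raise ValueError("section chain does not advance")
        offset = next_off


def _descriptor(name: str, next_off: int, size: int) -> bytes:
    body = struct.pack("<16sQQ40s", name.encode("ascii"), next_off, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def build_sample_segment() -> bytes:
    """Constructed sample: segment 1 with an empty 'header' section then a 'done' section."""
    hdr = FILE_HEADER.pack(EWF_SIGNATURE, 0x01, 1, 0)
    first = FILE_HEADER.size                         # 13: first descriptor
    second = first + SECTION_DESCRIPTOR.size         # 89: 'done' points at itself
    return (hdr
            + _descriptor("header", second, SECTION_DESCRIPTOR.size)
            + _descriptor("done", second, SECTION_DESCRIPTOR.size))


if __name__ == "__main__":
    print(parse_segment(build_sample_segment()))  # (1, ['header', 'done'])
```

Run it against the first few kilobytes of a real file: a ValueError on the signature means the input is already raw and can be handed to Volatility directly, while a clean parse means it still needs libewf or a conversion step.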