[Vol-users] libewf on Windows (I know, I know!)

Bridgey theGeek bridgeythegeek at gmail.com
Wed Aug 17 04:48:57 CDT 2016


Urgh. I just dumped the memory from the same VM using winpmem 1.6.2 and the
resulting dump worked absolutely fine in Volatility - processes and
everything.
Hmmm... I wonder if there's an updated winen64...

On 17 August 2016 at 10:38, Bridgey theGeek <bridgeythegeek at gmail.com>
wrote:

> Hi all,
>
> Thanks for the comments!
>
> So, I assumed that because I wasn't seeing any records in pslist or
> psxview that I was accessing the image wrong.
> However, I mounted via FTK and then took an MD5 of Z:\unallocated space
> and compared with the MD5 of the raw image made by converting the E01 using
> FTK Imager: the MD5s were the same.
>
> The imageinfo and kdbgscan plugins do return sensible data.
>
> The image was made on Win7SP1x64 using winen64.exe from EnCase7.
>
> Interestingly, I've just tried taking an image of a Win7SP1x64 VMware VM
> using winen64.exe and I get exactly the same issue.
> Hmm... will do some more testing and report back.
>
> Thanks again,
> Adam
>
>
> On 17 August 2016 at 01:51, Jamie Levy <jamie at memoryanalysis.net> wrote:
>
>> Well, we *do* have the address space for it, but it relies on the ewf
>> library. I don't remember off the top of my head all the details of
>> installing it properly on Windows.  I remember some sort of pain though.
>>
>> --
>> Jamie Levy (@gleeda)
>>
>> On Aug 16, 2016, at 11:03 AM, Tom Yarrish <tom at yarrish.com> wrote:
>>
>> IIRC volatility should be able to handle an E01 file natively now (unless
>> that's a *nix only thing).  But another option would be either 1) Arsenal
>> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
>> FTK to convert the E01 image to a RAW image file and then just run that
>> through volatility.
>>
>> Thanks,
>> Tom
>>
>>
>> PGP Key ID - B32585D0
>>
>> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <
>> bridgeythegeek at gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> Because the universe hates me, I've been given an E01 of a RAM dump
>>> (from Win7SP1x64) and I have to use Windows to run Volatility.
>>>
>>> I have p99 of tAoMF in front of me.
>>>
>>> I tried the "Mount in FTK Imager and point to Z:\unallocated space"
>>> thing, but pslist showed only 1 entry which looked very corrupt.
>>>
>>> I don't have access to EnCase to mount it from there.
>>>
>>> So I'd like to use libewf. But can I even use it on Windows?? If I
>>> compile the library, how do I tell Volatility about the libewf.dll?
>>>
>>>
>>> Basically, how do I use Volatility with libewf on Windows?
>>>
>>> Thank you,
>>> Adam
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>
>>
>
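The check Adam describes above (hashing the mounted image and the raw conversion and comparing the digests) can be done in one pass that also reports where the two copies first diverge, which is what you want when the digests do not match. This is an added example, not code from the thread or from Volatility; the paths passed to compare_files are placeholders and the demo data is constructed.

```python
import hashlib
import io
from typing import BinaryIO, Optional

CHUNK = 1 << 20  # 1 MiB per read: memory images are usually several GiB

def compare_streams(raw: BinaryIO, ref: BinaryIO, chunk_size: int = CHUNK) -> dict:
    """Hash two images in lock-step and record the first byte offset at which
    they differ (a length mismatch counts as a difference at the shorter size).
    The md5 values are the same ones FTK Imager or md5sum would report."""
    h_raw, h_ref = hashlib.md5(), hashlib.md5()
    size_raw = size_ref = offset = 0
    first_diff: Optional[int] = None
    while True:
        a, b = raw.read(chunk_size), ref.read(chunk_size)
        if not a and not b:
            break
        h_raw.update(a)
        h_ref.update(b)
        size_raw += len(a)
        size_ref += len(b)
        if first_diff is None and a != b:
            # first differing byte in this chunk, or the end of the shorter chunk
            n = min(len(a), len(b))
            first_diff = offset + next((i for i in range(n) if a[i] != b[i]), n)
        offset += max(len(a), len(b))
    return {"md5_raw": h_raw.hexdigest(), "md5_ref": h_ref.hexdigest(),
            "size_raw": size_raw, "size_ref": size_ref,
            "match": first_diff is None, "first_diff": first_diff}

def compare_bytes(raw: bytes, ref: bytes, chunk_size: int = CHUNK) -> dict:
    """Same check over in-memory data (used by the demo below)."""
    return compare_streams(io.BytesIO(raw), io.BytesIO(ref), chunk_size)

def compare_files(raw_path: str, ref_path: str, chunk_size: int = CHUNK) -> dict:
    """Compare two on-disk images, e.g. the mounted E01 volume and the raw file."""
    with open(raw_path, "rb") as raw, open(ref_path, "rb") as ref:
        return compare_streams(raw, ref, chunk_size)

if __name__ == "__main__":
    # Constructed sample data standing in for the two images.
    ref_img = bytes(range(256)) * 4096        # 1 MiB of patterned bytes
    bad_img = bytearray(ref_img)
    bad_img[0x1234] ^= 0xFF                    # one flipped byte
    for name, raw in (("identical", ref_img), ("one byte off", bytes(bad_img)),
                      ("truncated", ref_img[:-512])):
        r = compare_bytes(raw, ref_img)
        print(f"{name:12s} match={r['match']} first_diff={r['first_diff']} "
              f"sizes={r['size_raw']}/{r['size_ref']}")
```

On real images call compare_files(r"Z:\unallocated space", r"C:\case\image.raw"); a first_diff of 0 with differing sizes usually means the wrong mounted object was picked rather than a bad conversion.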