Hi all,
Because the universe hates me, I've been given an E01 of a RAM dump (from
Win7SP1x64) and I have to use Windows to run Volatility.
I have p99 of tAoMF in front of me.
I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing,
but pslist showed only 1 entry which looked very corrupt.
I don't have access to EnCase to mount it from there.
So I'd like to use libewf. But can I even use it on Windows?? If I compile
the library, how do I tell Volatility about the libewf.dll?
Basically, how do I use Volatility with libewf on Windows?
Thank you,
Adam
Bridgey,
I haven't been in this EWF situation for memory yet but I'd probably try
imagecopy first:
vol.exe -f image.e01 --profile=<yourprofile> imagecopy -O image.raw
If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager and
image that mounted volume.
If that didn't work I'd try loading the evidence into EnCase 7.x: right click
on the evidence --> evidence --> device --> share --> Mount as Emulated
Disk, and then use FTK Imager to image that mounted volume to .raw
JG
On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom(a)yarrish.com> wrote:
> IIRC volatility should be able to handle an E01 file natively now (unless
> that's a *nix only thing). But another option would be either 1) Arsenal
> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
> FTK to convert the E01 image to a RAW image file and then just run that
> through volatility.
>
> Thanks,
> Tom
>
>
> PGP Key ID - B32585D0
>
> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <bridgeythegeek(a)gmail.com> wrote:
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
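Why an E01 has to go through an EWF-aware reader (libewf, imagecopy, or a mounting tool) before Volatility's raw address space can use it: the file is a container, and what sits at offset 0 is the EWF file header followed by a chain of section descriptors, not physical memory. The block below is an added illustration, not code from this thread or from the Volatility project; it builds a constructed minimal segment file and walks its section chain, verifying each descriptor's Adler-32. The layout (13-byte file header, 76-byte section descriptors) is assumed here from the public EWF format description.

```python
import struct
import zlib

# Layout of an EWF-E01 segment file (assumed from the public EWF format description):
# a 13-byte file header, then a chain of sections, each a 76-byte descriptor plus body.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_SIZE = 13      # signature(8) + fields start(1) + segment number(2) + fields end(2)
DESCRIPTOR_SIZE = 76       # type(16) + next offset(8) + size(8) + padding(40) + adler32(4)


def build_section(sect_type, offset, body, last=False):
    # The next-section pointer is an absolute file offset; the final section points at itself.
    size = DESCRIPTOR_SIZE + len(body)
    head = struct.pack("<16sQQ40s", sect_type, offset if last else offset + size, size, b"")
    return head + struct.pack("<I", zlib.adler32(head) & 0xFFFFFFFF) + body


def build_segment(segment_number, sections):
    # Minimal segment file: file header followed by the section chain.
    data = EWF_SIGNATURE + struct.pack("<BHH", 1, segment_number, 0)
    for i, (sect_type, body) in enumerate(sections):
        data += build_section(sect_type, len(data), body, last=(i == len(sections) - 1))
    return data


def parse_segment(data):
    # Check the signature, then walk the chain verifying each descriptor's Adler-32.
    # Returns (segment number, [(section type, offset, size), ...]); raises ValueError if bad.
    if data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF-E01 segment file")
    _, segment_number, _ = struct.unpack_from("<BHH", data, 8)
    sections, offset = [], FILE_HEADER_SIZE
    while True:
        if offset + DESCRIPTOR_SIZE > len(data):
            raise ValueError("descriptor at %d runs past end of file" % offset)
        head = data[offset:offset + DESCRIPTOR_SIZE - 4]
        sect_type, next_offset, size = struct.unpack_from("<16sQQ", head)
        (crc,) = struct.unpack_from("<I", data, offset + DESCRIPTOR_SIZE - 4)
        if crc != (zlib.adler32(head) & 0xFFFFFFFF):
            raise ValueError("bad checksum in section at %d" % offset)
        sections.append((sect_type.rstrip(b"\x00").decode("ascii"), offset, size))
        if next_offset == offset:          # 'next' / 'done' sections terminate the chain
            return segment_number, sections
        if next_offset <= offset or next_offset > len(data):
            raise ValueError("bad next-section pointer at %d" % offset)
        offset = next_offset


# Constructed sample (not a real acquisition): three sections, the last one terminating.
SAMPLE = build_segment(1, [(b"header", b"\x00" * 32), (b"volume", b"\x00" * 64), (b"done", b"")])
```

The actual memory contents of a real image live in compressed chunks inside "sectors" sections, which is why reading the file as a flat dump hands Volatility descriptor bytes instead of a kernel.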