I'm wondering if it might have been a bum acquisition though.  If FTK Imager can't mount it properly, I'm not sure it will convert it properly either...  How was it acquired?

Still worth a try though. 

--
Jamie Levy (@gleeda)

On Aug 16, 2016, at 2:41 PM, Andrew Case <atcuno@gmail.com> wrote:

I will 3rd using FTK Imager to convert to raw. Let us know how that goes.

Thanks,
Andrew (@attrc)

On 08/16/2016 12:54 PM, Jared Greenhill wrote:
Bridgey,

I haven't been in this EWF situation for memory yet but I'd probably try
imagecopy first:

vol.exe -f image.e01 --profile=<yourprofile> imagecopy -O image.raw

If that didn't work, I'd use Tom's #2 and load the .E01 in FTK Imager
and image that mounted volume.

If that didn't work I'd try loading the evidence into EnCase 7.x - right
click on the evidence --> evidence --> device --> share --> Mount as
Emulated Disk and then use FTK Imager to image that mounted volume to .raw

JG

On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom@yarrish.com> wrote:

   IIRC volatility should be able to handle an E01 file natively now
   (unless that's a *nix only thing).  But another option would be
   either 1) Arsenal Image Mounter (which works much better than FTK,
   EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a RAW
   image file and then just run that through volatility.

   Thanks,
   Tom


   PGP Key ID - B32585D0

   On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek
   <bridgeythegeek@gmail.com> wrote:

       Hi all,

       Because the universe hates me, I've been given an E01 of a RAM
       dump (from Win7SP1x64) and I have to use Windows to run Volatility.

       I have p99 of tAoMF in front of me.

       I tried the "Mount in FTK Imager and point to Z:\unallocated
       space" thing, but pslist showed only 1 entry which looked very
       corrupt.

       I don't have access to EnCase to mount it from there.

       So I'd like to use libewf. But can I even use it on Windows?? If
       I compile the library, how do I tell Volatility about the
       libewf.dll?


       Basically, how do I use Volatility with libewf on Windows?

       Thank you,
       Adam

       _______________________________________________
       Vol-users mailing list
       Vol-users@volatilityfoundation.org
       http://lists.volatilityfoundation.org/mailman/listinfo/vol-users


