Well, we *do* have the address space for it, but it relies on the ewf library. I don't
remember off the top of my head all the details of installing it properly on Windows. I
remember some sort of pain though.
--
Jamie Levy (@gleeda)
On Aug 16, 2016, at 11:03 AM, Tom Yarrish
<tom(a)yarrish.com> wrote:
IIRC volatility should be able to handle an E01 file natively now (unless that's a
*nix only thing). But another option would be either 1) Arsenal Image Mounter (which
works much better than FTK, EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a
RAW image file and then just run that through volatility.
Thanks,
Tom
PGP Key ID - B32585D0
On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek
<bridgeythegeek(a)gmail.com> wrote:
Hi all,
Because the universe hates me, I've been given an E01 of a RAM dump (from Win7SP1x64)
and I have to use Windows to run Volatility.
I have p99 of tAoMF in front of me.
I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing, but
pslist showed only 1 entry which looked very corrupt.
I don't have access to EnCase to mount it from there.
So I'd like to use libewf. But can I even use it on Windows?? If I compile the
library, how do I tell Volatility about the libewf.dll?
Basically, how do I use Volatility with libewf on Windows?
Thank you,
Adam
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users