Bridgey, I haven't been in this EWF situation for memory yet but I'd probably try imagecopy first:

    vol.exe -f image.e01 --profile=<yourprofile> imagecopy -O image.raw

If that didn't work, I'd use Tom's #2 and load the .E01 in FTK Imager and image that mounted volume.

If that didn't work I'd try loading the evidence into EnCase 7.x - right click on the evidence --> evidence --> device --> share --> Mount as Emulated Disk and then use FTK Imager to image that mounted volume to .raw

JG

On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <[email protected]> wrote:

> IIRC volatility should be able to handle an E01 file natively now (unless
> that's a *nix only thing). But another option would be either 1) Arsenal
> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
> FTK to convert the E01 image to a RAW image file and then just run that
> through volatility.
>
> Thanks,
> Tom
>
> PGP Key ID - B32585D0
>
> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <[email protected]> wrote:
>
>> Hi all,
>>
>> Because the universe hates me, I've been given an E01 of a RAM dump (from
>> Win7SP1x64) and I have to use Windows to run Volatility.
>>
>> I have p99 of tAoMF in front of me.
>>
>> I tried the "Mount in FTK Imager and point to Z:\unallocated space"
>> thing, but pslist showed only 1 entry which looked very corrupt.
>>
>> I don't have access to EnCase to mount it from there.
>>
>> So I'd like to use libewf. But can I even use it on Windows?? If I
>> compile the library, how do I tell Volatility about the libewf.dll?
>>
>> Basically, how do I use Volatility with libewf on Windows?
>>
>> Thank you,
>> Adam

_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
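
An added example, not part of the thread or of Volatility: a quick check of whether a file handed to Volatility is still an EWF (E01) container or already a raw image, useful after any of the conversions suggested above. The function names are hypothetical, and the header layout assumed is the standard EWF-E01 segment header followed by a 76-byte section descriptor with an Adler-32 checksum.

```python
import os
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # magic of an EWF-E01 segment file
SECTION_DESC_LEN = 76                        # type[16] next[8] size[8] pad[40] adler32[4]
PAGE_SIZE = 4096                             # x86/x64 page size


def classify_image(head: bytes, total_size: int) -> dict:
    """Classify an image from its first 89 bytes and its total size."""
    if head[:8] != EWF_SIGNATURE:
        # Heuristic: a raw physical-memory dump is normally whole pages.
        return {"format": "raw", "page_aligned": total_size % PAGE_SIZE == 0}
    info = {"format": "ewf", "segment": None, "header_ok": False,
            "first_section": None}
    if len(head) < 13:                       # truncated segment header
        return info
    fields_start, segment, fields_end = struct.unpack_from("<BHH", head, 8)
    info["segment"] = segment
    info["header_ok"] = fields_start == 1 and fields_end == 0
    desc = head[13:13 + SECTION_DESC_LEN]
    if len(desc) == SECTION_DESC_LEN:
        (stored,) = struct.unpack_from("<I", desc, 72)
        if zlib.adler32(desc[:72]) == stored:  # descriptor checksum verifies
            name = desc[:16].rstrip(b"\0")
            info["first_section"] = name.decode("ascii", "replace")
    return info


def classify_file(path: str) -> dict:
    """Read only the leading bytes of the file, then classify it."""
    with open(path, "rb") as fh:
        head = fh.read(13 + SECTION_DESC_LEN)
    return classify_image(head, os.path.getsize(path))


def constructed_e01_prefix() -> bytes:
    """Constructed sample: segment 1 header plus a 'header2' descriptor."""
    body = (b"header2".ljust(16, b"\0")
            + struct.pack("<QQ", 189, 176) + bytes(40))
    return (EWF_SIGNATURE + struct.pack("<BHH", 1, 1, 0)
            + body + struct.pack("<I", zlib.adler32(body)))


if __name__ == "__main__":
    print(classify_image(constructed_e01_prefix(), 89))
    print(classify_image(bytes(89), 8 * 1024 ** 3))
```

A result of `"format": "ewf"` for the file you are about to analyse means it is still the E01 container rather than the converted image.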
