I will 3rd using FTK imager to conver to raw. Let us know how that goes. Thanks, Andrew (@attrc)
On 08/16/2016 12:54 PM, Jared Greenhill wrote: > Bridgey, > > I haven't been in this EWF situation for memory yet but I'd probably try > imagecopy first: > > vol.exe -f image.e01 --profile=<yourprofile> -O image.raw > > If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager > and image that mounted volume. > > If that didn't work I'd try load the evidence into encase 7.x - right > click on the evidence --> evidence --> device --> share --> Mount as > Emulated Disk and then use FTK imager to image that mounted volume to .raw > > JG > > On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <[email protected] > <mailto:[email protected]>> wrote: > > IIRC volatility should be able to handle an E01 file natively now > (unless that's a *nix only thing). But another option would be > either 1) Arsenal Image Mounter (which works much better than FTK, > EnCase, etc IMO) or 2) Use FTK to covert the E01 image to a RAW > image file and then just run that through volatility. > > Thanks, > Tom > > > PGP Key ID - B32585D0 > > On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek > <[email protected] <mailto:[email protected]>> wrote: > > Hi all, > > Because the universe hates me, I've been given an E01 of a RAM > dump (from Win7SP1x64) and I have to use Windows to run Volatility. > > I have p99 of tAoMF in front of me. > > I tried the "Mount in FTK Imager and point to Z:\unallocated > space" thing, but pslist showed only 1 entry which looked very > corrupt. > > I don't have access to EnCase to mount it from there. > > So I'd like to use libewf. But can I even use it on Windows?? If > I compile the library, how do I tell Volatility about the > libewf.dll? > > > Basically, how do I use Volatility with libewf on Windows? > > Thank you, > Adam > > _______________________________________________ > Vol-users mailing list > [email protected] <mailto:[email protected]> > http://lists.volatilesystems.com/mailman/listinfo/vol-users > <http://lists.volatilesystems.com/mailman/listinfo/vol-users> > > > > _______________________________________________ > Vol-users mailing list > [email protected] <mailto:[email protected]> > http://lists.volatilesystems.com/mailman/listinfo/vol-users > <http://lists.volatilesystems.com/mailman/listinfo/vol-users> > > > > > > _______________________________________________ > Vol-users mailing list > [email protected] > http://lists.volatilesystems.com/mailman/listinfo/vol-users > _______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
