If you can get the evidence file into EnCase you can also export the unallocated space as a file that can then be processed.
Sent from my iPhone

> On Aug 16, 2016, at 12:54, Jared Greenhill <[email protected]> wrote:
>
> Bridgey,
>
> I haven't been in this EWF situation for memory yet but I'd probably try
> imagecopy first:
>
> vol.exe -f image.e01 --profile=<yourprofile> imagecopy -O image.raw
>
> If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager and
> image that mounted volume.
>
> If that didn't work I'd try to load the evidence into encase 7.x - right click
> on the evidence --> evidence --> device --> share --> Mount as Emulated Disk
> and then use FTK imager to image that mounted volume to .raw
>
> JG
>
>> On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <[email protected]> wrote:
>> IIRC volatility should be able to handle an E01 file natively now (unless
>> that's a *nix only thing). But another option would be either 1) Arsenal
>> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
>> FTK to convert the E01 image to a RAW image file and then just run that
>> through volatility.
>>
>> Thanks,
>> Tom
>>
>>
>> PGP Key ID - B32585D0
>>
>>> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <[email protected]>
>>> wrote:
>>> Hi all,
>>>
>>> Because the universe hates me, I've been given an E01 of a RAM dump (from
>>> Win7SP1x64) and I have to use Windows to run Volatility.
>>>
>>> I have p99 of tAoMF in front of me.
>>>
>>> I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing,
>>> but pslist showed only 1 entry which looked very corrupt.
>>>
>>> I don't have access to EnCase to mount it from there.
>>>
>>> So I'd like to use libewf. But can I even use it on Windows?? If I compile
>>> the library, how do I tell Volatility about the libewf.dll?
>>>
>>>
>>> Basically, how do I use Volatility with libewf on Windows?
>>>
>>> Thank you,
>>> Adam
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> [email protected]
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
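One way to do the E01-to-raw conversion discussed in this thread with libewf's Python bindings rather than FTK Imager or EnCase. This is an added example, not code from any of the posters or from the Volatility or libewf projects; it assumes pyewf is built and installed, and is_ewf and export_raw are hypothetical helper names.

```python
import hashlib

EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"  # first 8 bytes of an E01 segment file

def is_ewf(first_bytes):
    """True if the file starts with the EWF (E01) signature, i.e. it is a
    container around the memory dump rather than the dump itself."""
    return first_bytes[:8] == EWF_MAGIC

def export_raw(handle, out, chunk_size=1024 * 1024):
    """Copy the media held in an opened EWF handle to `out` as a flat image.

    `handle` needs read(size) and get_media_size(), which pyewf.handle has.
    Returns (bytes_written, sha256_hex). Raises IOError on a short read so a
    truncated dump is never handed on for analysis.
    """
    total = handle.get_media_size()
    digest = hashlib.sha256()
    written = 0
    while written < total:
        data = handle.read(min(chunk_size, total - written))
        if not data:
            raise IOError("short read at offset %d of %d" % (written, total))
        out.write(data)
        digest.update(data)
        written += len(data)
    return written, digest.hexdigest()

if __name__ == "__main__":
    import sys
    import pyewf  # assumption: libewf's Python bindings are installed

    source, target = sys.argv[1], sys.argv[2]
    with open(source, "rb") as f:
        if not is_ewf(f.read(8)):
            sys.exit("%s has no EWF signature; nothing to unwrap" % source)
    handle = pyewf.handle()
    handle.open(pyewf.glob(source))  # also picks up .E02, .E03, ... segments
    try:
        with open(target, "wb") as out:
            size, sha256 = export_raw(handle, out)
    finally:
        handle.close()
    print("%d bytes written to %s, sha256 %s" % (size, target, sha256))
```

The flat file it writes is what then goes to vol.exe with -f, and the printed hash can be recorded alongside the case notes.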
