I'm wondering if it might have been a bum acquisition though. If FTK Imager can't mount it properly, I'm not sure it will convert it properly either... How was it acquired?
Still worth a try though.

--
Jamie Levy (@gleeda)

> On Aug 16, 2016, at 2:41 PM, Andrew Case <[email protected]> wrote:
>
> I will 3rd using FTK imager to convert to raw. Let us know how that goes.
>
> Thanks,
> Andrew (@attrc)
>
>> On 08/16/2016 12:54 PM, Jared Greenhill wrote:
>> Bridgey,
>>
>> I haven't been in this EWF situation for memory yet but I'd probably try
>> imagecopy first:
>>
>> vol.exe -f image.e01 --profile=<yourprofile> imagecopy -O image.raw
>>
>> If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager
>> and image that mounted volume.
>>
>> If that didn't work I'd try loading the evidence into encase 7.x - right
>> click on the evidence --> evidence --> device --> share --> Mount as
>> Emulated Disk and then use FTK imager to image that mounted volume to .raw
>>
>> JG
>>
>> On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <[email protected]> wrote:
>>
>> IIRC volatility should be able to handle an E01 file natively now
>> (unless that's a *nix only thing). But another option would be
>> either 1) Arsenal Image Mounter (which works much better than FTK,
>> EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a RAW
>> image file and then just run that through volatility.
>>
>> Thanks,
>> Tom
>>
>>
>> PGP Key ID - B32585D0
>>
>> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek
>> <[email protected]> wrote:
>>
>> Hi all,
>>
>> Because the universe hates me, I've been given an E01 of a RAM
>> dump (from Win7SP1x64) and I have to use Windows to run Volatility.
>>
>> I have p99 of tAoMF in front of me.
>>
>> I tried the "Mount in FTK Imager and point to Z:\unallocated
>> space" thing, but pslist showed only 1 entry which looked very
>> corrupt.
>>
>> I don't have access to EnCase to mount it from there.
>>
>> So I'd like to use libewf. But can I even use it on Windows?? If
>> I compile the library, how do I tell Volatility about the
>> libewf.dll?
>>
>> Basically, how do I use Volatility with libewf on Windows?
>>
>> Thank you,
>> Adam
>>
>> _______________________________________________
>> Vol-users mailing list
>> [email protected]
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
