Urgh. I just dumped the memory from the same VM using winpmem 1.6.2 and the resulting dump worked absolutely fine in Volatility - processes and everything. Hmmm... I wonder if there's an updated winen64...
On 17 August 2016 at 10:38, Bridgey theGeek <[email protected]> wrote:
> Hi all,
>
> Thanks for the comments!
>
> So, I assumed that because I wasn't seeing any records in pslist or psxview that I was accessing the image wrong. However, I mounted via FTK and then took an MD5 of Z:\unallocated space and compared with the MD5 of the raw image made by converting the E01 using FTK Imager: the MD5s were the same.
>
> The imageinfo and kdbgscan plugins do return sensible data.
>
> The image was made on Win7SP1x64 using winen64.exe from EnCase7.
>
> Interestingly, I've just tried taking an image of a Win7SP1x64 VMware VM using winen64.exe and I get exactly the same issue. Hmm... will do some more testing and report back.
>
> Thanks again,
> Adam
>
> On 17 August 2016 at 01:51, Jamie Levy <[email protected]> wrote:
>
>> Well, we *do* have the address space for it, but it relies on the ewf library. I don't remember off the top of my head all the details of installing it properly on Windows. I remember some sort of pain though.
>>
>> --
>> Jamie Levy (@gleeda)
>>
>> On Aug 16, 2016, at 11:03 AM, Tom Yarrish <[email protected]> wrote:
>>
>> IIRC volatility should be able to handle an E01 file natively now (unless that's a *nix only thing). But another option would be either 1) Arsenal Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use FTK to convert the E01 image to a RAW image file and then just run that through volatility.
>>
>> Thanks,
>> Tom
>>
>> PGP Key ID - B32585D0
>>
>> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> Because the universe hates me, I've been given an E01 of a RAM dump (from Win7SP1x64) and I have to use Windows to run Volatility.
>>>
>>> I have p99 of tAoMF in front of me.
>>>
>>> I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing, but pslist showed only 1 entry which looked very corrupt.
>>>
>>> I don't have access to EnCase to mount it from there.
>>>
>>> So I'd like to use libewf. But can I even use it on Windows?? If I compile the library, how do I tell Volatility about the libewf.dll?
>>>
>>> Basically, how do I use Volatility with libewf on Windows?
>>>
>>> Thank you,
>>> Adam
_______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
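The integrity check Adam describes above (hashing the FTK-mounted unallocated space against the raw conversion of the E01) is worth automating, because a bare hash mismatch does not say whether a mount is truncated, shifted, or corrupted in places. The script below is an added example, not code from this thread or from the Volatility project: it streams two image sources once, hashes both, and reports the first diverging byte offset and any size mismatch. Raw files need only the standard library; the `.E01` path assumes pyewf (libewf's Python binding) is installed, and the reader class names, `open_image`, `compare_images` and the constructed 16 MiB filler used by `self_check` are all mine.

```python
#!/usr/bin/env python3
"""Stream-compare two memory-image sources (raw or E01) and locate the first difference."""
import hashlib
import os
import sys
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-GB dumps


class RawSource:
    """Plain file reader; raw dumps (e.g. FTK Imager's E01-to-raw conversion)."""

    def __init__(self, path):
        self._fh = open(path, "rb")
        self.size = os.path.getsize(path)

    def read(self, n):
        return self._fh.read(n)

    def close(self):
        self._fh.close()


class EwfSource:
    """E01 reader through pyewf (assumed installed); glob() gathers E01, E02, ... segments."""

    def __init__(self, path):
        import pyewf  # imported lazily so raw-only comparisons work without libewf
        self._handle = pyewf.handle()
        self._handle.open(pyewf.glob(path))
        self.size = self._handle.get_media_size()

    def read(self, n):
        return self._handle.read(n)

    def close(self):
        self._handle.close()


def open_image(path):
    """Choose a reader by extension: .e01 via libewf, anything else as raw bytes."""
    return EwfSource(path) if path.lower().endswith(".e01") else RawSource(path)


def compare_images(path_a, path_b, algorithms=("md5", "sha256")):
    """Hash both sources in one pass and record where they first diverge.

    Returns sizes, per-source hex digests, 'first_diff' (byte offset or None)
    and 'identical' (True only when every byte and the total size match).
    """
    a, b = open_image(path_a), open_image(path_b)
    hash_a = {alg: hashlib.new(alg) for alg in algorithms}
    hash_b = {alg: hashlib.new(alg) for alg in algorithms}
    offset, first_diff = 0, None
    try:
        while True:
            chunk_a, chunk_b = a.read(CHUNK), b.read(CHUNK)
            if not chunk_a and not chunk_b:
                break
            for h in hash_a.values():
                h.update(chunk_a)
            for h in hash_b.values():
                h.update(chunk_b)
            if first_diff is None and chunk_a != chunk_b:
                # Narrow the mismatch to the exact byte; a length difference
                # (truncated mount) reports the point where the shorter side ends.
                n = min(len(chunk_a), len(chunk_b))
                i = next((i for i in range(n) if chunk_a[i] != chunk_b[i]), n)
                first_diff = offset + i
            offset += max(len(chunk_a), len(chunk_b))
    finally:
        a.close()
        b.close()
    return {
        "size_a": a.size,
        "size_b": b.size,
        "hashes_a": {alg: h.hexdigest() for alg, h in hash_a.items()},
        "hashes_b": {alg: h.hexdigest() for alg, h in hash_b.items()},
        "first_diff": first_diff,
        "identical": first_diff is None and a.size == b.size,
    }


def self_check(tmpdir=None):
    """Run compare_images over constructed raw files (not real dumps) covering
    an identical copy, a single flipped byte past the first chunk, and a truncated copy."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    base = bytes(range(256)) * 64 * 1024  # 16 MiB of constructed filler
    variants = {
        "good.raw": base,
        "copy.raw": base,
        "flipped.raw": base[: CHUNK + 7] + b"\xff" + base[CHUNK + 8:],
        "short.raw": base[: len(base) - 4096],
    }
    paths = {}
    for name, data in variants.items():
        paths[name] = os.path.join(tmpdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return {
        "identical": compare_images(paths["good.raw"], paths["copy.raw"]),
        "flipped": compare_images(paths["good.raw"], paths["flipped.raw"]),
        "short": compare_images(paths["good.raw"], paths["short.raw"]),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <image_a> <image_b>")
    result = compare_images(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["identical"] else 1)
```

Run it as `python compare_images.py Z:\unallocated_space dump.raw` (or with an `.E01` on either side when pyewf is available); a `first_diff` at exactly the shorter size means the mount was truncated, a `first_diff` of 0 usually means the mounted device exposes data at a different offset than the conversion, and a `first_diff` deep inside otherwise equal data points at localized corruption. Comparing byte-for-byte before blaming the profile is what separates "Volatility can't read this" from "the acquisition itself is bad", which is exactly the fork the thread ends on with winen64 versus winpmem.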
