I've run into that problem more than enough times (corrupt acquisition)... 
Having once worked for encase...

They are aware of the problem in winen but have yet to prioritize a fix. The 
problem exists for encase enterprise and encase forensic direct servlet memory 
acquisitions as well. It will get a good image sometimes, but it's not reliable.

Side note:
I have had vol work against an e01, but not if it has been compressed.

James

On Aug 17, 2016, at 05:49, Bridgey theGeek 
<[email protected]> wrote:

Urgh. I just dumped the memory from the same VM using winpmem 1.6.2 and the 
resulting dump worked absolutely fine in Volatility - processes and everything.
Hmmm... I wonder if there's an updated winen64...

On 17 August 2016 at 10:38, Bridgey theGeek 
<[email protected]> wrote:
Hi all,

Thanks for the comments!

So, I assumed that because I wasn't seeing any records in pslist or psxview 
that I was accessing the image wrong.
However, I mounted via FTK and then took an MD5 of Z:\unallocated space and 
compared with the MD5 of the raw image made by converting the E01 using FTK 
Imager: the MD5s were the same.

The imageinfo and kdbgscan plugins do return sensible data.

The image was made on Win7SP1x64 using winen64.exe from EnCase7.

Interestingly, I've just tried taking an image of a Win7SP1x64 VMware VM using 
winen64.exe and I get exactly the same issue.
Hmm... will do some more testing and report back.

Thanks again,
Adam
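One way to carry out the check Adam describes (hashing the FTK-mounted unallocated space against the raw image converted from the E01), as an added example that is not from the thread: it streams both files once, reports the first differing offset rather than only a hash mismatch, and also recognises an E01 segment by its header so it is obvious when Volatility is being pointed at the container instead of raw memory. It assumes only the Python 3 standard library; the EWF signature bytes are taken from the libewf format documentation, and the sample files are constructed in a temp directory.

```python
import hashlib
import os
import tempfile

# 8-byte EWF (E01) segment signature, as documented in the libewf format spec.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

def ewf_segment_number(path):
    """Return the segment number if the file is an EWF segment, else None;
    Volatility's raw address space will not make sense of such a file."""
    with open(path, "rb") as f:
        hdr = f.read(13)  # signature(8) + fields-start(1) + segment(2, LE) + zero(2)
    if len(hdr) < 13 or hdr[:8] != EWF_SIGNATURE:
        return None
    return int.from_bytes(hdr[9:11], "little")

def compare_images(path_a, path_b, chunk_size=1 << 20):
    """Stream both images once, hashing each with MD5 and recording the first
    offset where they differ (None if identical); truncation shows up too."""
    h_a, h_b = hashlib.md5(), hashlib.md5()
    offset, first_diff = 0, None
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            ca, cb = fa.read(chunk_size), fb.read(chunk_size)
            if not ca and not cb:
                break
            h_a.update(ca)
            h_b.update(cb)
            if first_diff is None and ca != cb:
                n = min(len(ca), len(cb))
                first_diff = offset + next((i for i in range(n) if ca[i] != cb[i]), n)
            offset += max(len(ca), len(cb))
    return {"md5_a": h_a.hexdigest(), "md5_b": h_b.hexdigest(),
            "identical": first_diff is None, "first_diff_offset": first_diff}

def demo_report():
    """Constructed inputs (not real acquisitions): a raw image, an identical
    'mounted' copy, a copy with one corrupted byte, and an E01-like stub."""
    d, raw, paths = tempfile.mkdtemp(), bytes(range(256)) * 64, {}
    stub = EWF_SIGNATURE + b"\x01" + (1).to_bytes(2, "little") + b"\x00" * 34
    for name, data in (("raw.dd", raw), ("mounted.dd", raw), ("stub.E01", stub),
                       ("corrupt.dd", raw[:4113] + b"\x00" + raw[4114:])):
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    return {"stub_segment": ewf_segment_number(paths["stub.E01"]),
            "raw_segment": ewf_segment_number(paths["raw.dd"]),
            "same": compare_images(paths["raw.dd"], paths["mounted.dd"]),
            "corrupt": compare_images(paths["raw.dd"], paths["corrupt.dd"])}
```

Point `compare_images` at the converted raw file and the mounted unallocated-space device to reproduce the MD5 comparison, and at two acquisitions of the same VM to see where a flaky tool diverges.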


On 17 August 2016 at 01:51, Jamie Levy 
<[email protected]> wrote:
Well, we *do* have the address space for it, but it relies on the ewf library. 
I don't remember off the top of my head all the details of installing it 
properly on Windows.  I remember some sort of pain though.

--
Jamie Levy (@gleeda)

On Aug 16, 2016, at 11:03 AM, Tom Yarrish 
<[email protected]> wrote:

IIRC volatility should be able to handle an E01 file natively now (unless 
that's a *nix only thing).  But another option would be either 1) Arsenal Image 
Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use FTK to 
convert the E01 image to a RAW image file and then just run that through 
volatility.

Thanks,
Tom


PGP Key ID - B32585D0

On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek 
<[email protected]> wrote:
Hi all,

Because the universe hates me, I've been given an E01 of a RAM dump (from 
Win7SP1x64) and I have to use Windows to run Volatility.

I have p99 of tAoMF in front of me.

I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing, but 
pslist showed only 1 entry which looked very corrupt.

I don't have access to EnCase to mount it from there.

So I'd like to use libewf. But can I even use it on Windows?? If I compile the 
library, how do I tell Volatility about the libewf.dll?


Basically, how do I use Volatility with libewf on Windows?

Thank you,
Adam

_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users

