woogers / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Support for EWF/E01 files #472

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I'm unable to get volatility 2.3.1 (3580) to correctly operate on an Encase 
memory dump under cygwin, on Win7 x64, unless I first extract it to a dd-style 
flat image. I have libewf installed, and even ensured that the python bindings 
were installed. I don't have fuse support, however. Is that required?

$ vol.py --plugins=contrib/plugins -f *E01 imageinfo
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (/cygdrive/f/x.E01)
                      PAE type : No PAE

Original issue reported on code.google.com by johnmcca...@gmail.com on 14 Jan 2014 at 5:05

GoogleCodeExporter commented 8 years ago
I found part of the problem. Apparently the --plugins= argument wants a fully 
qualified path, but it still doesn't work:

$ vola --plugins=/cygdrive/d/volatility-read-only/contrib/plugins -f *E01 
imageinfo
Volatility Foundation Volatility Framework 2.3.1
*** Failed to import volatility.plugins.malware.zeusscan (ImportError: No 
module named zeusscan)
*** Failed to import volatility.plugins.malware.poisonivy (ImportError: No 
module named poisonivy)
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (/cygdrive/f/x.E01)
                      PAE type : No PAE

Original comment by johnmcca...@gmail.com on 14 Jan 2014 at 5:18

GoogleCodeExporter commented 8 years ago
How did you install libewf?  Can you try to copy contrib/plugins/aspaces/ewf.py 
into volatility/plugins/addrspaces/ and use it without the --plugins= option?  
Otherwise, if you already have EnCase, you can just mount the memory sample as 
described in [1].

[1] http://volatility-labs.blogspot.com/2013/10/sampling-ram-across-encase-enterprise.html

Original comment by jamie.l...@gmail.com on 14 Jan 2014 at 9:20

GoogleCodeExporter commented 8 years ago
Jamie,
As to libewf installation, I just typed:

./configure --enable-python
make
make install

All the binaries appear to be in place, and, for example, ewfinfo gives correct 
results for my test image.

I tried copying ewf.py over to the specified folder and running it without 
--plugins, but I get essentially the same results.

I'm able to dump out the memory image to a dd-style image with Encase and 
analyze it that way just fine.

What specific pieces of libewf is Volatility trying to use? Do you know if it 
needs fuse? That particular piece isn't supported under cygwin.
Thanks

Original comment by johnmcca...@gmail.com on 15 Jan 2014 at 3:21

GoogleCodeExporter commented 8 years ago
Thanks for the info.  Which version of libewf did you download?  I need to see 
if I can duplicate the problem and I think there are some versions that might 
give problems, IIRC.

Yeah, the dd-style memory sample should work fine.  I was trying to save you 
the trouble by showing that you could just mount it through EnCase instead.

Original comment by jamie.l...@gmail.com on 15 Jan 2014 at 3:30

GoogleCodeExporter commented 8 years ago
I downloaded the libewf source from 
https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/libewf-20131230.tar.gz

That's the most recent non-experimental link from the page referenced by the 
downloads link on http://code.google.com/p/libewf/

Original comment by johnmcca...@gmail.com on 15 Jan 2014 at 7:58

GoogleCodeExporter commented 8 years ago
Out of curiosity, were these files compressed also?

Original comment by jamie.l...@gmail.com on 7 Mar 2014 at 4:47

GoogleCodeExporter commented 8 years ago

Original comment by jamie.l...@gmail.com on 7 Mar 2014 at 4:48

GoogleCodeExporter commented 8 years ago
Issue 480 has been merged into this issue.

Original comment by jamie.l...@gmail.com on 7 Mar 2014 at 4:48

GoogleCodeExporter commented 8 years ago
I think they were. Unfortunately, I've moved on to a new position, and no
longer have the specific samples I was testing with.

Original comment by johnmcca...@gmail.com on 10 Mar 2014 at 7:20

GoogleCodeExporter commented 8 years ago
No worries.  Thanks for letting us know.  If it's really an issue with 
compression, we can create files for testing and see if those fail as well.

Original comment by jamie.l...@gmail.com on 10 Mar 2014 at 7:26

GoogleCodeExporter commented 8 years ago
I ran into this issue today using Ubuntu 12.04 and libewf-20140427. I was able 
to fix it by recompiling libewf with the "--enable-v1-api" configure flag. 
Running volatility 2.3.1 was successful against a compressed E01.  

Original comment by thr...@gmail.com on 28 Apr 2014 at 5:17
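Before blaming the libewf bindings or the EWF address space, it helps to confirm that the file handed to Volatility really is a well-formed E01 segment. The following is an added example, not code from the Volatility project or from anyone in this thread: a standalone Python parser that checks the EWF segment signature and walks the section chain of one segment file, verifying each section descriptor's Adler-32. The sample segment is constructed inline with the standard EWF section types (header, volume, sectors, done); the 13-byte file header and 76-byte section descriptor layout are those documented for the EWF-E01 format.

```python
import struct
import zlib

# EWF-E01 segment file signature: "EVF\x09\x0d\x0a\xff\x00"
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_LEN = 13    # 8 signature, 1 fields-start (0x01), 2 segment number, 2 fields-end (0)
SECTION_DESC_LEN = 76   # 16 type, 8 next offset, 8 section size, 40 padding, 4 Adler-32


def build_section(sec_type: bytes, offset: int, payload: bytes, last: bool = False) -> bytes:
    """Build one section descriptor plus payload located at absolute file offset `offset`.
    The last section points its next-offset at itself, as real EWF 'done'/'next' sections do."""
    size = SECTION_DESC_LEN + len(payload)
    next_off = offset if last else offset + size
    body = struct.pack("<16sQQ40s", sec_type, next_off, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF) + payload


def build_sample_segment() -> bytes:
    """Constructed, minimal segment 1 (not a real acquisition) for offline testing."""
    data = EWF_SIGNATURE + struct.pack("<BHH", 1, 1, 0)
    for name, payload, last in [(b"header", b"\x00" * 32, False),
                                (b"volume", b"\x00" * 64, False),
                                (b"sectors", b"\xAA" * 512, False),
                                (b"done", b"", True)]:
        data += build_section(name, len(data), payload, last)
    return data


def parse_ewf_segment(data: bytes) -> dict:
    """Validate the file header and walk the section chain, checking every descriptor checksum."""
    if data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF (E01) segment file: bad signature")
    fields_start, segment_no, fields_end = struct.unpack_from("<BHH", data, 8)
    if fields_start != 1 or fields_end != 0:
        raise ValueError("unexpected EWF file header fields")
    sections, offset, seen = [], FILE_HEADER_LEN, set()
    while offset not in seen and offset + SECTION_DESC_LEN <= len(data):
        seen.add(offset)
        sec_type, next_off, size, _pad, checksum = struct.unpack_from("<16sQQ40sI", data, offset)
        expected = zlib.adler32(data[offset:offset + 72]) & 0xFFFFFFFF  # checksum covers first 72 bytes
        if checksum != expected:
            raise ValueError("section descriptor checksum mismatch at offset %d" % offset)
        name = sec_type.rstrip(b"\x00").decode("ascii", "replace")
        sections.append({"type": name, "offset": offset, "size": size})
        if name in ("done", "next") or next_off <= offset:  # end of chain or malformed link
            break
        offset = next_off
    return {"segment": segment_no, "sections": sections}


if __name__ == "__main__":
    print(parse_ewf_segment(build_sample_segment()))
```

To triage a real image, read the first segment (x.E01) into `data` and call `parse_ewf_segment` on it; a signature or checksum error points at the file rather than at Volatility.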

GoogleCodeExporter commented 8 years ago

Original comment by jamie.l...@gmail.com on 20 Nov 2014 at 8:27