Success!!
Thanks to jaclaz for the lead and Mark Spencer @ Arsenal for the pointer to the updated dlls
To sum up, the aim of being able to mount a split E01 image of a Win 7 Enterprise SP1 physical disk protected by BitLocker was achieved
Thank you very much guys )
Peter
Good. )
Care to be more explicit in what is needed (and that you used successfully after your initial failure)?
jaclaz
Sure thing jaclaz
Initial failure was caused by me somehow getting hold of incorrect versions of the 64-bit dlls for my system which is Win7 Enterprise SP1 64-bit
The correct dlls can be found at
https://
https://
https://
Again, seems to work like a charm )
Ah, I see.
YAVODH (Yet Another Victim Of Dll Hell) 😯
jaclaz
We are working on a user-focused (as opposed to developer focused) version of Arsenal Image Mounter now. It would have been done months ago but we've been buried in casework that takes priority. We know from the volume of emails about our sample application that the project has become very popular… so expect a greatly simplified Arsenal Image Mounter soon! If anyone is interested in aggressively testing pre-releases or incorporating the project in other open source DFIR projects let me (mspencer@ArsenalExperts.com) know.
Thanks,
Mark Spencer, President
Arsenal Consulting, Inc.
We are working on a user-focused (as opposed to developer focused) version of Arsenal Image Mounter now.
Good news ) , though - should you have missed it - we are ahead of you 😯 .
http://reboot.pro/files/file/374-imgmount/
(though this particular GUI has not - yet - a provision for EWF).
jaclaz
For a small tool I wrote, I used OSFmount to mount a .e01 evidence file.
As no-one has mentioned it yet -
It requires you to use Linux or OSX though.
For a small tool I wrote, I used OSFmount to mount a .e01 evidence file.
Not really-really. 😯
AFAIK the OSFmount is derived from IMDISK, and as such it doesn't really mount the .e01, but rather a volume in it (which may make no difference for your tool or more generically for most forensics purposes) but OSFmount would allow you to access the \\.\LogicalDrive, whilst the Arsenal Image Mounter will mount the \\.\PhysicalDrive.
JFYI, there is also a way through the use of a devio proxy that allows IMDISK to do the same, making use of Joachim Metz's excellent libyal libewf.dll (i.e. avoiding discutils and .Net)
http//
@Chris_Ed
Yep ), but that "on-the-fly conversion" is as well not a real "conversion", it is rather an "interpretation" as the above, i.e. the original file is never changed, it is rather "accessed as if it was" another format.
The xmount will allow mounting/accessing the "whole thing" like Arsenal Image Mounter.
jaclaz
We are working on a user-focused (as opposed to developer focused) version of Arsenal Image Mounter now.
Good news ) , though - should you have missed it - we are ahead of you 😯 .
http://reboot.pro/files/file/374-imgmount/
(though this particular GUI has not - yet - a provision for EWF).
jaclaz
I did miss it, so thanks for the heads up. I'm happy to see an open-source project making use of our driver. Choice is good!