FTK v3 File Mount BSoD

(@shep47)
Trusted Member
Joined: 15 years ago
Posts: 51
Topic starter  

Hi all,

I'm running Win 7 64, SP1, on a Dell M6500 laptop. I'm using FTK Imager v3.0.0.1443 to mount an EnCase E01 file (I've also used the latest version as well with the same problem). The program goes through the process of mounting the physical and logical (as I requested) and the device appears in Explorer. However, when I try to access the device with Explorer it gives me an 'access denied' message. The physical disk is also not available for programs like LiveView etc.

When I come to dismount the mounted device and then click on the x to close FTK I get a lovely BSoD every time. I'm starting to think it may be something Windows 7 based as I got this problem with a totally different Win 7 pc using a different E01 file many months ago. At least then the physical and logical were available once they were mounted, I just accepted that I would get a BSoD once I had finished using LiveView!

I don't get a problem when I use FTK to mount with the 'file system' option though? Maybe this is something to do with how Windows handles virtual disks? I did play around with the virtual services running but to no avail.

Anyone else experiencing this problem or have a workaround?

Many thanks


(@rayp)
Eminent Member
Joined: 16 years ago
Posts: 42
 

I had the same problem and contacted Access Data. Below is their response. I did what is listed below and it now works fine - Ray

Here is the information I have on the Blue Screens and Imager.

Symptom: When mounting an image using Imager 3.0 and Windows 7 x64 an error occurs that causes the system to crash and blue screen.

Cause: An outdated driver that must be removed.

Solution: Go to your C:\Windows\System32\drivers folder (assuming your Windows 7 OS is installed on C). You should see two files in that folder that have names like GUID naming – for instance, on my machine they appear as follows:
{1ec00332-9da9-436d-9aaa-048787df45b6}.sys
{E7224BCD-D889-4528-8456-60CE0724367E}.sys

Your files won't be named exactly the same as mine but they will look similar in their naming convention.

Once you have located these, right mouse click on the first one and select Properties and then click on the 'Digital Signatures' tab. If the date in the Timestamp column reads 'October', we suspect this signature is old and is causing the crash. If it's not October, check the second file. In order to get around the problem, uninstall Imager once more and then go to this directory and manually delete these two files. Then reinstall Imager and try the Mount Image option. New files in this location will be created when you do the Mount Image and they should be correct this time.


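A read-only way to list the GUID-named driver files described in the AccessData response above, with their signature details, before anything is deleted (an added example, not part of the thread or of AccessData's instructions). It assumes Windows is installed under `%SystemRoot%`; the signing timestamp from the 'Digital Signatures' tab is not among the fields printed, so that check is still made in the Properties dialog.

```powershell
# Added example: read-only inventory of GUID-named drivers. Deletes nothing.
# Run from a 64-bit PowerShell prompt; a 32-bit session on 64-bit Windows
# is redirected away from the real System32 folder.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

# Matches names such as {1ec00332-9da9-436d-9aaa-048787df45b6}.sys
# (-match is case-insensitive, so upper-case GUIDs match as well).
$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.sys$'

Get-ChildItem -Path $driversDir -Filter '*.sys' |
    Where-Object { $_.Name -match $guidName } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Either certificate can be absent on an unsigned or damaged file.
        $signer = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else { '(none)' }
        $stamper = if ($sig.TimeStamperCertificate) {
            $sig.TimeStamperCertificate.Subject
        } else { '(none)' }

        New-Object PSObject -Property @{
            Name          = $_.Name
            LastWriteTime = $_.LastWriteTime
            Status        = $sig.Status
            Signer        = $signer
            TimeStamper   = $stamper
        }
    } |
    Select-Object Name, LastWriteTime, Status, Signer, TimeStamper |
    Format-List
```

Saving this output before the uninstall and again after the reinstall gives a record of whether the files were actually replaced.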
(@shep47)
Trusted Member
Joined: 15 years ago
Posts: 51
Topic starter  

rayp,

Many thanks for the reply. I tried the solution offered by AD as outlined in your response and still no luck. It would seem that the 45b6}.sys driver is the problem as this is commented within the BSoD but removing it, letting it be reinstalled, removing the other .sys etc still didn't work (tried all permutations I can think of).

I am still thinking there is another underlying problem as the drives are not mounting correctly. I can quite happily view the file structure when I select 'file system' but whenever I use phy/log the drives appear in Explorer but unfortunately they are not accessible as logical devices.

I can live with the BSoD on closure (as I did before) but being able to mount EWF files for LiveView would be very nice.

This is starting to be frustrating and I think I will try the Python mounting route.

Many thanks for your response.

Shep

