Changing EWF Protected Drive on Existing Images

[Desi]

Everyone,

Is there a procedure to change the EWF protected volume without
re-creating the image and re-running FBA, etc?

I have several devices that have the D: drive protected, and what we
desire is to have the C: drive protected. For the moment, we have just
disabled EWF entirely, but that is obviously not a good long term
solution.

EWF is configured for RAM overlay.

Thanks in advance,
Desi

 

[Slobodan Brcin \(eMVP\)]

Desi,

1. Delete EWF partition with etprep tool for instance.
2. from regedit Go to services\ewf\fba change parameters there.
3. rundll32 ewfdll.dll ConfigureEwf

Have fun

Regards,
Slobodan
PS: You can use registry configured EWF it is much better for purpose that
you want.
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html

 

[Desi]

Thank you (Again), Slobodan.

I will give it a try. I don't suppose that anyone has scripted this
into a DUA script, by any chance?

Is it even possible to do it via DUA or WshScript?

 

[Slobodan Brcin \(eMVP\)]

Desi,

You can do that from DUA. But although this requst sound little strange.

Regards,
Slobodan

 

[Desi]

Which part of the request sounds strange? The DUA script, or the
WshScript? Or did I miss your point?

Desi

 

[Slobodan Brcin \(eMVP\)]

Re: Changing EWF Protected Drive on Existing Images

Why do you need that?

If you use Reg RAM EWF then you can do that just by editing registry ARC
part of EWF and reoobting computer. (Provided that you commit registry
change)

If you need to change diks EWF configuration or RAM EWF then you will have
to stop EWF delete/invalidate config partition change in EWF/FBA arc path
and then tell ewf to recreate partition, then you need to reboot.

Regards,

Slobodan

 

[Desi]

Slobodan,

I have a disk (D that is currently protected with a RAM EWF
partition. The HKLM\SYSTEM\currentControlSet\Services\EWF\fba key's
OVSize value is set to 0. If I run "ewfmgr d:" then I get back that EWF
is "ENABLED" for that disk.

When I look at the disk with the Disk Management MMC Snap-in, I cannot
see a partition created for EWF. Does this mean that I already have a
Reg RAM overlay? Or is this partition hidden to the Disk Manager
snap-in?

Additionally, I want to move the EWF protection from drive D: to Drive
C:. If I already have a Reg RAM then this is easier. Either way, I have
to change the ARC path, I think, since it shows
"multi(o)disk(0)rdisk(1)partition(1)", which is Drive D:

The issue is that we have devices that are no longer accessible, and we
need to change the protected drive to make it C:

 

[Slobodan Brcin \(eMVP\)]

Desi,

If it it RAM EWF then you can reconfigure it easily to Reg RAM EWF. By
deleting small hidden partition and adding few registry entries per doc.
diskpart.exe can see it and delete it. (Disk Manager does not see it).
etprep can delete it also.

Yes just chnge this value: multi(o)disk(0)rdisk(1)partition(1)
In case that this is OS partition which was protected you should commit EWF
overlay also.

Please let us know about you disk/partition layout, volume letters
assignement, EWF assignement, and where is boot.ini ans OS located.

Regards,
Slobodan