EWF RAM and RAM REG info

[PJC]

Hi all,

I read in an earlier post this week the following statement:

"You should use "ewfmgr c: -commitanddisable" when using EWF RAM REG.
"-live" switch is only for EWF RAM. "

I have been combing through Microsoft's documentation on MSDN. I
haven't seen much detailed info like this.

Has on "EWF Bible" been put out anyhwere that covers the latest
enhancements to EWF?

Is there somewhere else I should be looking for for detailed
documentation?

Thanks!

PJC

 

[XPEnew]

I found this and it tells you what command to use for EWF RAM or EWF RAM
REG:

http://msdn.microsoft.com/library/d...xpehelp/html/xeoriewfdesignconsiderations.asp

 

[Slobodan Brcin \(eMVP\)]

Hi,

-live switch is related to any "RAM EWF". So you should be able to use it with EWF RAM REG also.
It will allow your operation to be executed imediately insead of being postponed to gracefull shutdown time.

Try ewfmgr c: -commitanddisable -live
It should write overlay to disk imediately and turn off the EWF protection during the process.

Regards,
Slobodan

 

[Mark K Vallevand]

Can this be immediately followed by a ewfmgr c: -enable -live ?

--
Regards.
Mark K Vallevand (e-mail address removed)

Beer is living proof that God loves us and wants us to be happy.
- Benjamin Franklin


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.

 

[PJC]

I have used:

ewfmgr c: -commitanddisable -live

with EWF RAM-REG. I do not believe that you can "-enable -live"

Is anyone working on any comprehensive documentation for EWF?

 

[Slobodan Brcin \(eMVP\)]

I have never tried "-enable -live" but I would be suprised if it was working since it would be EXTREMELY damaging option.
If you was able to enable it from running OS then you would leave FS in open undefined state and during each boot you would have
problems.

So this option would be easy to enable by MS but it would be serious implementation flaw in EWF driver.

Is anyone working on any comprehensive documentation for EWF?

You can always ask here for info that you need or provide feedback to MS for required functions. But normal functionality is
documented as far as I know.

Regards,
Slobodan