EWF & Ram Overlay

Thread starter: Stuart Langley

Stuart Langley

Hi All,

Does anybody know if it is possible to read the original contents at
run time of a file that might have been modified on an EWF protected
volume using a RAM based overlay?

I need to be able to verify the original contents of a file on demand,
even though it may have been altered by the running OS. ( I am
thinking mainly registry/log files here ).

I intend to verify the contents using a stored hash recorded
previously.

Thanks In Advance,

Stuart
 
Stuart,

It is possible, buuut you will need to open the file directly in RAW mode by
bypassing EWF.
This is possible on the driver level, but you will also need to interpret the file
system so you can find the file that you want.

Trust me, you don't want to do this.

> ( I am thinking mainly registry/log files here ).
>
> I intend to verify the contents using a stored hash recorded
> previously.


Can you be more specific about what you want to do?
There is probably a different and much simpler solution than fighting with
EWF.

Regards,
Slobodan
 
Hi Slobodan,

Thanks for your reply.

I have an application that has strict requirements for verification of
the installed image. This is typically done by doing a CRC over the
installed image and comparing the result to a copy held in escrow
offline.

I am planning on using CF & EWF so that my CF acts as a read only
device. Now I need to work out how I am going to do the CRC to get the
same result as the offline image.

I see two possibilities.

1. Use EWF and somehow get access to the underlying file system to do
the CRC over the original files. I have looked at the EWF API and can
not see a way to do this.

2. Move all transient files that would be changed while the system is
running to a second partition that the CRC will not be conducted on. I
am still looking into this. I am not sure if the main registry can be
stored on a separate partition.

Do you have any suggestions?

Thanks In Advance,

Stuart
 
Stuart,

1. Very rough approximation of driver dependency.
DiskDriver->PartitionDriver->EWF->FS->Your App
As you can see, you use the file system directly. If you access the partition
directly by bypassing EWF there is no FS, so you will need to parse it yourself.

2. You can store a whole copy of your OS on a second partition, but why?
What do you think you will gain?

BTW:
What do you think you will get by using CRC? You can test the integrity of
every file, nothing more.
Most exe and dll files written for W2000 and XP already have a plain checksum
that can be used to verify that they are ok.

If you want to be sure that your image files have not been tampered with, then you will
need to create digital signatures for every file and to verify each file.

Regards,
Slobodan
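The two threads of the discussion above (Stuart's option 2 of keeping transient files such as registry hives and logs off the verified set, and Slobodan's point that a CRC only proves integrity while an authenticated manifest or signature is needed to detect tampering) can be combined in one verification routine. The following is an added example written for this thread, not code from either poster or from the EWF API. It walks an image tree through the normal file system (so under EWF it sees whatever the RAM overlay currently holds), records a SHA-256 per file while skipping a constructed list of transient paths, and authenticates the manifest itself. Because the Python standard library has no asymmetric signing, an HMAC with a key that would be held in escrow stands in for the digital signature Slobodan describes; in a real deployment the manifest would be signed offline with a private key and checked on the device with the embedded public key. All file names, the transient-path list and the key are constructed placeholders.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed placeholders for paths that legitimately change while the OS runs
# (registry hive, log directory). These are left out of the verified set, which is
# the "second partition" idea from the thread applied at the manifest level.
TRANSIENT_PREFIXES = ("logs/", "config/system.dat")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> SHA-256 for every non-transient file under root."""
    manifest = {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(TRANSIENT_PREFIXES):
            continue
        manifest[rel] = hash_file(p)
    return manifest


def serialize(manifest):
    """Canonical byte form of the manifest so the MAC covers a stable encoding."""
    return "\n".join(f"{h}  {name}" for name, h in sorted(manifest.items())).encode()


def sign_manifest(manifest, key):
    # HMAC stands in for an offline digital signature (assumption noted in the lead-in).
    return hmac.new(key, serialize(manifest), hashlib.sha256).digest()


def verify_image(root, manifest, tag, key):
    """Return a list of problems; an empty list means the image matches the escrow copy."""
    # Authenticate the manifest before trusting any hash inside it; a plain CRC table
    # could simply be rewritten alongside the tampered file.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest: authentication failed"]
    problems = []
    current = build_manifest(root)
    for name, expected in manifest.items():
        actual = current.get(name)
        if actual is None:
            problems.append(f"missing: {name}")
        elif actual != expected:
            problems.append(f"modified: {name}")
    for name in current:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def demo():
    """Build a constructed image tree, then check clean, tampered and forged-manifest cases."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "config", "logs"):
            (root / d).mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program bytes")
        (root / "config" / "app.ini").write_bytes(b"setting=1\n")
        (root / "config" / "system.dat").write_bytes(b"registry hive")
        (root / "logs" / "app.log").write_bytes(b"")
        key = b"escrow-key-placeholder"  # constructed; the real key never lives on the image
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)

        # Normal run time: transient files change, which must not fail verification.
        (root / "logs" / "app.log").write_bytes(b"boot ok\n")
        (root / "config" / "system.dat").write_bytes(b"registry hive changed")
        clean = verify_image(root, manifest, tag, key)

        # Tampering: a protected binary is altered and an extra file appears.
        (root / "bin" / "app.exe").write_bytes(b"patched program bytes")
        (root / "bin" / "extra.dll").write_bytes(b"x")
        tampered = verify_image(root, manifest, tag, key)

        # Someone also rewrites the manifest entry to match the altered binary,
        # which a keyed manifest rejects before any per-file comparison happens.
        forged = dict(manifest)
        forged["bin/app.exe"] = hash_file(root / "bin" / "app.exe")
        forged_result = verify_image(root, forged, tag, key)
        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

The design point is the order of checks in `verify_image`: the manifest is authenticated first, so a per-file hash table that has been edited together with the file is rejected outright, which is exactly the gap an unauthenticated CRC list leaves open.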
 