EWF confusion – RAM or RAMReg mode?

27 04 2011

Quite often I am running into this at customers: “What shall we choose: RAM or RAMReg mode for EWF?”
Of course my answer always starts with “ It depends…”Winking smile, but in this case it is often quite clear: RAMReg should be the preferred option!
Why?
Well, the only difference between both modes is the configuration table, which in RAM mode is stored in an additional, small partition on the disk. The additional partition is of a special type, which is not always recognized by disk cloning tools. The EWF configuration partition not seldom leads to cloning errors and strange EWF behavior, if not handled correctly.
In contrast RAMReg stores the partition table in registry. Benefits are that you do not have to handle an additional partition, therefore cloning is easier and much less error prone.
However, having settings stored in registry means that is this partition is protected you need to commit and disable the filter, if you want to change its settings. The registry, in this case, is protected by EWF as well.

Alexander


Actions

Information

3 responses

21 06 2011
tin

Hi Alex,

I have a question.
Say I have two disk partitions, C:\ and D:\, C is where the OS installed.

If I applied -disable on C, and -enable on D, and why registry is enabled with EWF?
on which partition does the registry located? in my understanding the registry located on the same partition where OS is installed.

Also, how can I configure registry to be protected/unprotected?

21 06 2011
alexwech

The registry hives can be found in C:\Windows\System32\config, if C is your OS partition.
If You do not protect C as You described, persisting registry info should be no problem. If You are using EWF on C: use the registry filter component to unprotect specific registry keys.

Cheers
Alexander

22 06 2011
tin

Thanks Alex, your answer helps.🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: