EWF works on CD

[Dietmar]

Hi Slobodan,
does this Tutorial from SFiorito answer Your question to persuade EWF to
work on CD?
And do You are interested to write a new Tutorial
of booting from CD with another method than described until now?

Dietmar

 

[Guest]

Where is the tutorial?? posted

Srivathsan

 

[Dietmar]

Hi Srivathsan,

its here

http://mason.gmu.edu/~sfiorito/eXPinstall.htm

and i posted it to this forum too.

Dietmar

 

[Slobodan Brcin \(eMVP\)]

Hi Dietmar,

I help me to install EWF on partition that accidentally in this example
belong to CF (not CD).
And thanks for info but I really know how to install Registry Configured RAM
EWF, like I said someone need to test this on CD. You don't need to boot
from CD just try configuring EWF ARC path or device name so that when you
type
ewfmgr d: (d: if your CD) you don't get an error but instead report that EWF
is enabled.

Regards,
Slobodan

 

[Dietmar]

Hi Slobodan,

I testet this with no success.
As described by Microsoft EWF...Volume0
I testet \device\harddisk0\partition1(2,3,4) instead of Arcpath and EWF
works there.
But \device\CdRom1 which is related to DVD drive with Dos letter F doesnt
work. I added also a new key with name VolumeID REG_SZ
(TYP){bdf0235e-5e57-11d9-ad5f-806d6172696f}

which belongs to that DVD drive but it doesnt work. So I think with such
easy changes it is impossible to protect CD (DVD) drive with EWF.

Dietmar

 

[Slobodan Brcin \(eMVP\)]

UpperFilters value that point to EWF should be probably moved from volumes
to some other category, but like IO said there is a little chance that this
will actually work.

Regards,
Slobodan

 

[Dietmar]

Hi Slobodan,
it must be possible that EWF works on CD.

The problem is, that you cant ADRESS cdroms for EWF but only harddrives.

So You have to mask CdRom as harddrive partition.

If the XPE image on CD runs with EWF enabled it WORKS on that CD (no
message "delayed write failed"), but you see a harddrive and the CD which
belongs to that "harddrive".
But is that important? I make a try with WinPE
as a partition on harddrive, enable EWF there using normal windows logon
(no minint) and burn it then to CD.

There is one problem to me: Does You ore anyone here knows a program,
which with you can open ISO file from a BOOT CD and see the files and
folders on that BOOTCD ISO image? I tried so many programs, but only
hexeditor works.

Dietmar

 

[Slobodan Brcin \(eMVP\)]

Dietmar,

If the XPE image on CD runs with EWF enabled it WORKS on that CD (no
message "delayed write failed"), but you see a harddrive and the CD which
belongs to that "harddrive".

You are missing the whole concept here. Under Windows XP(e) architecture
hardware is irrelevant and drivers are what only things that what you call
OS can see.
Having said that you have one important stack of drivers.

disk.sys
- partmgr.sys
- ftdisk.sys
- dmio.sys
- ewf.sys
-- Filesystems NTFS, FAT
--- Your applications and something that most people call XP, OS, etc (not
me though)

So as you can see these are all drivers loaded above disk.sys higher level
driver communicate with lower level drivers not with hardware, and they have
no idea what hardware is.
Specific hardware is handled by drivers below disk.sys driver and hardware
can be HDD, ramdisk, network disk, USB disk, and who knows what else as long
as that lower driver virtualizes this device to the same language that
disk.sys driver knows.

In case when you use El-torito driver you probably have something like:
cdrom.sys
- cdfs.sys
- eltorito.sys
-- disk.sys

So as you can see cdrom know how to support cd drive device.
cdfs.sys is native filesystem support for CD.
eltorito.sys is for virtualizing standard el-torito section recorded on CD
and presenting it to disk.sys driver as HDD.

So ewf.sys have no idea that it is working with CD or any other physical
medium for that matter. EWF is just a filter driver that intercept talk
between other drivers, only that, nothing more nothing less.

If you want to use EWF natively on cd this will prove to be very hard
(impossible) because current EWF implementation would need to upperfilter
driver.

So you would need something like:

cdrom.sys
- ewf.sys
-- cdfs.sys
--- Applications.
Even if you could do that (perhaps possible perhaps not) cdfs.sys do not
support write operations for sure so EWF filter would never get write
requests and so it's function would be irrelevant.


So conclusion:
You might be able to make EWF work on "CD", but you can't deal with cdfs.sys
which is the real problem here anyhow so all your attemps will be futile.

Regards,
Slobodan

 

[Dietmar]

Hi Slobodan,
do You know wether WinPE make use of eltority.sys?

And: If EWF works on FAT or NTFS filesystem these problems disappears.

Dietmar

 

[Slobodan Brcin \(eMVP\)]

Hi Dietmar,

Do you see eltorito.sys on your WinPE image? I do not see it in my image.
I think that I have mentioned that WinPE use native boot from CD trough
cdfs.sys drivers.

And: If EWF works on FAT or NTFS filesystem these problems disappears.

With dots in my previous post I tries to mark higher level drivers the more
dots the higher driver is in the chain.
So EWF do not know what FAT or NTFS are, EWF is bellow FS not above it.

EWF deals with RAW sector data not with files.

Regards,
Slobodan