How to mount an EWF image file (E01) on Linux

Often, during a forensic analysis, you need to explore an EWF image (usually a set of files with .E01, .E02, ... extensions, one per segment) in order to extract some artifacts.

EWF (Expert Witness Format) files are a type of disk image: they contain the contents and structure of an entire storage device, a single disk volume or, in some cases, a computer's physical memory (RAM).

An EWF file consists of a sequence of sections, each with its own header protected by an Adler-32 checksum. The acquired data itself is split into chunks of 64 sectors (32 KiB with 512-byte sectors); every chunk is compressed individually (zlib/deflate) and carries its own Adler-32 checksum, and the chunks are stored back to back inside the data sections. Because each chunk can be located and decompressed on its own, a tool can read an arbitrary sector range without inflating the whole image, which is what makes random access, and therefore mounting, efficient.

EWF files may take one of two forms.

The first is referred to as a "bitstream" or "forensic" image: a sector-by-sector copy of the source that replicates the structure and contents of the storage device independently of the file system. It therefore includes inactive data as well, such as the files and fragments that reside in unallocated space, including deleted files that have not yet been overwritten.

The second form is called a "logical evidence file" (EnCase uses the .L01 extension for it): it preserves selected files as they existed on the media and documents the following metadata for each of them:

  • assigned file name and extension
  • datetime created, modified, and last accessed
  • logical and physical size
  • MD5 hash value
  • permissions
  • starting extent and original path

Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an “evidence grade” container.

Below I show my workflow to mount a forensically acquired hard disk drive or partition image in Expert Witness Format on a Linux system.


Install needed packages

On a Debian (or Debian-derived) system you only need to install the ewf-tools package, which provides ewfmount together with ewfinfo, ewfverify and ewfacquire:

# apt install ewf-tools

Mount the EWF container

Operating as root, create a directory and use it as the mount point for the EWF container. ewfmount is a FUSE filesystem: it exposes the decompressed image as a single read-only file named ewf1, as large as the original device. Pass only the first segment (IMAGE.E01): the remaining .E02, .E03, ... segments are picked up automatically. Before mounting it is worth running ewfinfo IMAGE.E01, which prints the acquisition metadata, and ewfverify IMAGE.E01, which re-hashes the image and compares the result with the MD5/SHA1 stored at acquisition time, so you know the evidence you are about to work on is intact:

# mkdir rawimage
# ewfmount IMAGE.E01 ./rawimage/
# cd rawimage/
# ls -lah
total 4.0K
drwxr-xr-x 2 root root    0 Jan  1  1970 .
drwxrwxrwx 6 root root 4.0K Apr  3 14:06 ..
-r--r--r-- 1 root root 239G Apr  3 14:29 ewf1


Mount the bitstream image

Finally, create another mount point and mount the ewf1 raw image read-only through a loop device. The options show_sys_files and streams_interface=windows belong to ntfs-3g, so use them only when the volume is NTFS: the first exposes the NTFS metadata files ($MFT, $Bitmap, $Boot, ...) in directory listings, the second exposes alternate data streams as file:stream names, both of which are useful during an analysis:

# mkdir mountpoint
# mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interface=windows
# cd mountpoint
# ls -lah
total 4.8G
drwxrwxrwx 1 root root  24K Mar 29 16:31 .
drwxrwxrwx 6 root root 4.0K Apr  3 14:06 ..
-rwxrwxrwx 1 root root 2.5K Sep 21  2017 $AttrDef
-rwxrwxrwx 1 root root    0 Sep 21  2017 $BadClus
-rwxrwxrwx 1 root root 7.5M Sep 21  2017 $Bitmap
-rwxrwxrwx 1 root root 8.0K Sep 21  2017 $Boot
-rwxrwxrwx 1 root root 376K Jul 16  2016 bootmgr
-rwxrwxrwx 1 root root    1 Jul 16  2016 BOOTNXT
drwxrwxrwx 1 root root 4.0K Mar  7 08:22 Config.Msi

Update 2019/02/23

Some readers have reported errors during the second step ("mount the bitstream image"), typically "wrong fs type, bad option, bad superblock".

This happens when the acquired image is a whole disk rather than a single partition: ewf1 then starts with a partition table, the filesystem does not begin at byte 0, and mount needs to be told where the partition starts. One additional step is required.

First, from inside the rawimage/ directory, list the partitions contained in the raw image with fdisk -l (mmls from The Sleuth Kit gives the same information):

# fdisk -l ewf1

Disk ewf1: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 62A81BB1-B2FA-426B-8765-E370D69949A7

Device         Start       End   Sectors   Size Type
/dev/sda1       2048   1050623   1048576   512M EFI System
/dev/sda2    1050624 217909247 216858624 103.4G Linux filesystem
/dev/sda3  217909248 234440703  16531456   7.9G Linux swap

Then mount the image through a loop device, passing the byte offset of the partition you want: the start sector multiplied by the logical sector size (here 1050624 * 512). Adding sizelimit (sector count * 512) confines the loop device to that partition, so the filesystem driver cannot read past its end into the next one. The partition chosen in this example is an ext4 "Linux filesystem", so the ntfs-3g options from the previous section do not apply; ext3/ext4 want noload instead, otherwise even a read-only mount may try to replay the journal:

# mount ./rawimage/ewf1 ./mountpoint -o ro,loop,noload,offset=$((1050624*512)),sizelimit=$((216858624*512))

For an NTFS partition, replace noload with show_sys_files,streams_interface=windows and use that partition's own start and sector count. As an alternative to computing offsets, losetup -r -f -P --show ./rawimage/ewf1 creates a read-only loop device with partition scanning, and each partition then appears as /dev/loopXpN, ready to be mounted with -o ro.
That’s all!
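To tie the two procedures together, the following script is an added example (not code from the original post): it wraps the workflow above (ewfverify, ewfmount, then a read-only loop mount of one partition) and derives the offset= and sizelimit= values from fdisk -l output instead of multiplying by hand. It assumes the util-linux fdisk output format shown in this post; the function and script names are my own, mount_e01 needs root, ewf-tools and FUSE, and partition_opts needs nothing but bash and awk, so it can be tried offline on the embedded sample listings.

```bash
#!/bin/bash
# Added example, not code from the original post. Derives loop-mount options
# for one partition of an ewfmount-exposed raw image from `fdisk -l` output,
# then mounts it read-only. Assumes util-linux fdisk output as shown in the post.

# partition_opts <fdisk -l output> <partition number>
# Prints "offset=<bytes>,sizelimit=<bytes>" for the N-th partition row, or
# returns 1 if the sector size or the requested row cannot be found.
partition_opts() {
    local fdisk_out="$1" part_no="$2"
    local ss pair start sectors
    # Logical sector size: "Sector size (logical/physical): 512 bytes / 512 bytes"
    ss=$(printf '%s\n' "$fdisk_out" | awk '/^Sector size/ { print $4; exit }')
    # N-th row after the "Device ..." header. On MBR disks a boot flag "*" in
    # column 2 shifts the Start/End/Sectors columns one position to the right.
    pair=$(printf '%s\n' "$fdisk_out" | awk -v n="$part_no" '
        /^Device / { in_table = 1; next }
        in_table && NF > 0 {
            if (++row != n) next
            i = ($2 == "*") ? 3 : 2
            print $i, $(i + 2)          # start sector, sector count
            exit
        }')
    [ -n "$ss" ] && [ -n "$pair" ] || return 1
    start=${pair% *}
    sectors=${pair#* }
    # Multiply in the shell (64-bit): awk's printf %d width varies between awks
    printf 'offset=%d,sizelimit=%d\n' "$((start * ss))" "$((sectors * ss))"
}

# mount_partition <raw image> <partition number> <mount point> [fs-specific opts]
# Read-only loop mount confined to the partition's byte range, so the filesystem
# driver cannot read past the partition and nothing is written to the image.
mount_partition() {
    local raw="$1" part_no="$2" mnt="$3" extra="${4:-}"
    local opts
    opts=$(partition_opts "$(fdisk -l "$raw")" "$part_no") || return 1
    [ -n "$extra" ] && opts="$opts,$extra"
    mkdir -p "$mnt"
    mount -o "ro,loop,noexec,nodev,$opts" "$raw" "$mnt"
}

# mount_e01 <image.E01> <partition number> <ewfmount dir> <mount point> [fs opts]
# The post's whole workflow: check the stored hash, expose the raw image over
# FUSE as <ewfmount dir>/ewf1, then mount the chosen partition.
mount_e01() {
    local e01="$1" part_no="$2" rawdir="$3" mnt="$4" extra="${5:-}"
    ewfverify "$e01" || return 1        # stored MD5/SHA1 must match before we trust the image
    mkdir -p "$rawdir"
    ewfmount "$e01" "$rawdir" || return 1
    mount_partition "$rawdir/ewf1" "$part_no" "$mnt" "$extra"
}

# Sample inputs for trying partition_opts offline. SAMPLE_GPT is the listing
# from the post; SAMPLE_MBR is constructed here to exercise the boot-flag column.
SAMPLE_GPT=$(cat <<'EOF'
Disk ewf1: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 62A81BB1-B2FA-426B-8765-E370D69949A7

Device         Start       End   Sectors   Size Type
/dev/sda1       2048   1050623   1048576   512M EFI System
/dev/sda2    1050624 217909247 216858624 103.4G Linux filesystem
/dev/sda3  217909248 234440703  16531456   7.9G Linux swap
EOF
)
SAMPLE_MBR=$(cat <<'EOF'
Disk disk.img: 8 GiB, 8589934592 bytes, 16777216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device     Boot   Start      End  Sectors  Size Id Type
disk.img1  *       2048  1026047  1024000  500M  7 HPFS/NTFS/exFAT
disk.img2       1026048 16777215 15751168  7.5G  7 HPFS/NTFS/exFAT
EOF
)

# Usage: ./mount_e01.sh IMAGE.E01 2 ./rawimage ./mountpoint [show_sys_files,streams_interface=windows]
if [ "$#" -ge 4 ]; then
    mount_e01 "$@"
fi
```

Run as root with the image, the partition number from fdisk -l, the ewfmount directory and the final mount point; pass the ntfs-3g options as the fifth argument only for NTFS volumes (for ext4, pass noload). ewfverify re-reads the whole image, so on a large acquisition the first step takes a while, but it is the one step that tells you the evidence still matches the acquisition hash.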
