How to mount an EWF image file (E01) on Linux

Often, during a forensic analysis, you may need to explore an EWF image (usually a file with .E0X extension) in order to extract some artifacts.

EWF files (Expert Witness Format) are a type of disk image that contains the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer’s physical memory (RAM).

EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum. The data is compressed into 32 kb chunks, which are stored back to back in groupings inside the file to improve random-access efficiency.

EWF files may take one of two forms.

The first is referred to as a “bitstream” or “forensic” image: a sector-by-sector copy of the source that replicates the structure and contents of the storage device independently of the file system, including inactive data such as the files and fragments that reside in unallocated space and deleted files that have not yet been overwritten.

The second form is called a “logical evidence file”; it preserves the original files as they existed on the media and also documents the following metadata:

  • assigned file name and extension
  • datetime created, modified, and last accessed
  • logical and physical size
  • MD5 hash value
  • permissions
  • starting extent and original path

Logical evidence files are typically created after an analysis locates some files of interest; for forensic reasons, they are kept in an “evidence grade” container.

Below I will show my workflow to mount a forensically acquired hard disk drive or partition image in Expert Witness Format on a Linux system.


Install needed packages

On a Debian system, you simply need to install the ewf-tools package:

# apt install ewf-tools

Mount the EWF container

Create a directory and use it as a mountpoint for the EWF container:

# mkdir rawimage
# ewfmount IMAGE.E01 ./rawimage/
# cd rawimage/
# ls -lah
totale 4,0K
drwxr-xr-x 2 root root 0 gen 1 1970 .
drwxrwxrwx 6 root root 4,0K apr 3 14:06 ..
-r--r--r-- 1 root root 239G apr 3 14:29 ewf1


Mount the bitstream image

Finally, create another mountpoint and mount the ewf1 disk image as a loop device:

# mkdir mountpoint
# mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interface=windows
# cd mountpoint
# ls -lah
totale 4,8G
drwxrwxrwx 1 root root 24K mar 29 16:31 .
drwxrwxrwx 6 root root 4,0K apr 3 14:06 ..
-rwxrwxrwx 1 root root 2,5K set 21 2017 $AttrDef
-rwxrwxrwx 1 root root 0 set 21 2017 $BadClus
-rwxrwxrwx 1 root root 7,5M set 21 2017 $Bitmap
-rwxrwxrwx 1 root root 8,0K set 21 2017 $Boot
-rwxrwxrwx 1 root root 376K lug 16 2016 bootmgr
-rwxrwxrwx 1 root root 1 lug 16 2016 BOOTNXT
drwxrwxrwx 1 root root 4,0K mar 7 08:22 Config.Msi

Update 2019/02/23

Some readers reported errors during the second step (“mount the bitstream image”).

In some cases, when the acquired disk contains a complex partition table, the process needs an additional step.

First, use fdisk -l to get a list of the partitions in the ewf file:

# fdisk -l ewf1

Disk ewf1: 111,8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 62A81BB1-B2FA-426B-8765-E370D69949A7
Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/dev/sda2 1050624 217909247 216858624 103,4G Linux filesystem
/dev/sda3 217909248 234440703 16531456 7,9G Linux swap

Then, mount the image using the byte offset of the correct partition (start sector * sector size, here 1050624 * 512):

# mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interface=windows,offset=$((1050624*512))

That’s all!
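The three steps above (ewfmount, partition offset from fdisk -l, read-only loop mount) as one POSIX sh script. This is an added example, not code from the original post: it derives the sector size from the fdisk output rather than assuming 512 bytes, assumes ewf-tools (ewfmount) and util-linux (fdisk, mount) are installed and that it runs as root, and the embedded fdisk sample is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: mount one partition of an E01
# image read-only, deriving the byte offset from `fdisk -l` output instead of
# assuming 512-byte sectors. Assumes ewf-tools (ewfmount) and util-linux
# (fdisk, mount) are installed and that the script runs as root.

# Constructed sample of `fdisk -l ewf1` output, taken from the post above.
SAMPLE_FDISK='Disk ewf1: 111,8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Disklabel type: gpt
Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/dev/sda2 1050624 217909247 216858624 103,4G Linux filesystem
/dev/sda3 217909248 234440703 16531456 7,9G Linux swap'

# partition_offset FDISK_OUTPUT N
# Prints start_sector * sector_size for the N-th partition row after the
# "Device" header; returns 1 if there is no such partition.
partition_offset() {
    fdisk_out=$1
    part_no=$2
    # "Units: sectors of 1 * 512 = 512 bytes" -> the number before "bytes".
    sector_size=$(printf '%s\n' "$fdisk_out" | awk '/^Units:/ { print $(NF-1) }')
    start=$(printf '%s\n' "$fdisk_out" | awk -v n="$part_no" '
        /^Device/ { in_table = 1; next }
        in_table && $2 ~ /^[0-9]+$/ { if (++row == n) print $2 }')
    if [ -z "$sector_size" ] || [ -z "$start" ]; then
        return 1
    fi
    echo $((start * sector_size))
}

# mount_ewf_partition IMAGE.E01 N MOUNTPOINT [EXTRA_MOUNT_OPTS]
# Exposes the image with ewfmount, then loop-mounts partition N read-only.
# EXTRA_MOUNT_OPTS carries filesystem-specific options, e.g. the post's
# "show_sys_files,streams_interface=windows" for NTFS.
mount_ewf_partition() {
    image=$1; part_no=$2; dest=$3; extra=${4:+,$4}
    rawdir=$(mktemp -d) || return 1
    mkdir -p "$dest" || return 1
    ewfmount "$image" "$rawdir" || return 1
    offset=$(partition_offset "$(fdisk -l "$rawdir/ewf1")" "$part_no") || return 1
    # ro keeps the evidence unmodified; noexec,nodev,nosuid stop anything in
    # the image from being executed or honoured as a device on the analyst's
    # host. "failed to setup loop device" usually means the loop module is
    # not loaded (modprobe loop).
    mount -o "ro,loop,noexec,nodev,nosuid,offset=$offset$extra" \
        "$rawdir/ewf1" "$dest"
}
```

For the sample table, partition 2 yields offset 537919488, the same value the post computes by hand.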

9 Replies to “How to mount an EWF image file (E01) on Linux”

  1. I was trying to enter this command

    mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interface=Windows

    but it returned the following error:
    Mount: ./mountpoint/: failed to Setup Loop device for ./rawimage/ewf1

    Is there something wrong with my kernel?
    #uname -r
    4.15.0-45-generic

  2. I am also experiencing the same issue as mentioned above by @Kurt.

    $ sudo mount -o ro,loop,show_sys_files,streams_interace=windows ./rawimage/ewf1 ./mountpoint

    mount: ./mountpoint: failed to setup loop device for ./rawimage/ewf1.

    My kernel version is 4.15.0-43-generic bionic beaver(Ubuntu 18.04)

    Can you please clarify this?

    1. I am getting the same issue. dmesg | tail returns the following immediately after I get “mount: ./mountpoint: failed to setup loop device for ./container/ewf1”

      “””
      [ 3944.072730] audit: type=1130 audit(1550918392.569:58): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=systemd-hostnamed comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 3974.148374] audit: type=1131 audit(1550918422.643:59): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=systemd-hostnamed comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 4364.012662] audit: type=1130 audit(1550918812.509:60): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=systemd-hostnamed comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 4394.070077] audit: type=1131 audit(1550918842.566:61): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=systemd-hostnamed comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 5163.251684] audit: type=1130 audit(1550919611.749:62): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=user-runtime-dir@620 comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 5163.263502] audit: type=1006 audit(1550919611.759:63): pid=2523 uid=0 old-auid=4294967295 auid=620 tty=(none) old-ses=4294967295 ses=4 res=1
      [ 5163.348494] audit: type=1130 audit(1550919611.843:64): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=user@620 comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 5661.124898] audit: type=1131 audit(1550920109.619:65): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=user@620 comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 5661.156508] audit: type=1131 audit(1550920109.653:66): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=’unit=user-runtime-dir@620 comm=”systemd” exe=”/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
      [ 6639.765655] loop: module loaded
      “””
