Often, during a forensic analysis, you need to explore an EWF image (usually a file with an .E0X extension, e.g. .E01) in order to extract artifacts.

EWF files (Expert Witness Format) are a type of disk image that contains the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM).

EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum. The data is compressed into 32 kb chunks, which are stored back to back in groupings inside the file to improve random access efficiency.

EWF files may take one of two forms.

The first is referred to as a "bitstream" or "forensic image": a sector-by-sector copy of the source that replicates the structure and contents of the storage device independently of the file system, including inactive data such as the files and fragments that reside in unallocated space and deleted files that have not yet been overwritten.

The second form is called a "logical evidence file": it preserves the original files as they existed on the media and also documents this metadata:

  • assigned file name and extension
  • date/time created, modified, and last accessed
  • logical and physical size
  • MD5 hash value
  • permissions
  • starting extent and original path

Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an "evidence grade" container.

Below I will show my workflow to mount a forensically acquired hard disk drive or partition image in Expert Witness Format on a Linux system.

Install needed packages

On a Debian system, you simply need to install the ewf-tools package:

# apt install ewf-tools

Mount the EWF container

Operating as root, create a directory to use as a mountpoint, then mount the EWF container onto it:

# mkdir rawimage
# ewfmount IMAGE.E01 ./rawimage/
# cd rawimage/
# ls -lah
totale 4,0K
drwxr-xr-x 2 root root 0 gen 1 1970 .
drwxrwxrwx 6 root root 4,0K apr 3 14:06 ..
-r--r--r-- 1 root root 239G apr 3 14:29 ewf1

Mount the bitstream image

Finally, create another mountpoint and mount the ewf1 disk image as a loop device:

# mkdir mountpoint
# mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interface=windows
# cd mountpoint
# ls -lah
totale 4,8G
drwxrwxrwx 1 root root 24K mar 29 16:31 .
drwxrwxrwx 6 root root 4,0K apr 3 14:06 ..
-rwxrwxrwx 1 root root 2,5K set 21 2017 $AttrDef
-rwxrwxrwx 1 root root 0 set 21 2017 $BadClus
-rwxrwxrwx 1 root root 7,5M set 21 2017 $Bitmap
-rwxrwxrwx 1 root root 8,0K set 21 2017 $Boot
-rwxrwxrwx 1 root root 376K lug 16 2016 bootmgr
-rwxrwxrwx 1 root root 1 lug 16 2016 BOOTNXT
drwxrwxrwx 1 root root 4,0K mar 7 08:22 Config.Msi

Update 2020/07/05

Some readers report errors during the second step ("mount the bitstream image").

In some cases, when the acquired disk contains a complex partition table, the process needs an additional step.

First, enable partition support in the loop driver: unload loop and load it again with the desired value for the max_part option, e.g.

# modprobe -r loop
# modprobe loop max_part=8

Then, using fdisk -l, get the list of partitions in the ewf file:

# fdisk -l ewf1

Disk ewf1: 111,8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 62A81BB1-B2FA-426B-8765-E370D69949A7
Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/dev/sda2 1050624 217909247 216858624 103,4G Linux filesystem
/dev/sda3 217909248 234440703 16531456 7,9G Linux swap

Finally, mount the image using the byte offset of the correct partition (start sector * sector size, here 1050624 * 512):

# mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interface=windows,offset=$((1050624*512))
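The whole procedure (ewfmount, read the partition table, compute the loop offset, mount read-only) as one script. This is an added example, not part of the original post; it assumes ewf-tools and util-linux fdisk are installed, that it runs as root, and the fdisk sample embedded in it is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): mount one partition of an EWF
# image read-only, computing the loop offset from `fdisk -l` as described above.
# Assumes ewf-tools (ewfmount), util-linux fdisk and root privileges.

# Byte offset of partition N, parsed from `fdisk -l` output read on stdin.
# Start sector comes from the "Device Start End ..." table, sector size from
# the "Units:" line, so it also works for 4096-byte-sector images.
part_offset() {
    awk -v n="$1" '
        /^Units:/ { for (i = 1; i <= NF; i++) if ($i == "=") ss = $(i + 1) }
        /^Device/ { intable = 1; next }
        intable && NF >= 3 {
            dev = $1; sub(/.*[^0-9]/, "", dev)   # keep trailing partition number
            if (dev == n) start = $2
        }
        END {
            if (start == "" || ss == "") exit 1  # partition or unit line missing
            printf "%.0f\n", start * ss
        }'
}

# ewfmount the container, locate partition N, mount it read-only.
mount_ewf_partition() {
    image="$1"; partnum="$2"; rawdir="$3"; mnt="$4"
    mkdir -p "$rawdir" "$mnt" || return 1
    ewfmount "$image" "$rawdir" || return 1
    # LC_ALL=C keeps fdisk's labels in English so the parser matches them.
    off=$(LC_ALL=C fdisk -l "$rawdir/ewf1" | part_offset "$partnum") || return 1
    # ro plus noexec/nodev/nosuid: evidence is never written to or executed from.
    mount -o "ro,loop,noexec,nodev,nosuid,offset=$off" "$rawdir/ewf1" "$mnt"
}

# Constructed sample mirroring the fdisk listing in the post, for offline checks.
FDISK_SAMPLE='Disk ewf1: 111,8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: gpt
Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/dev/sda2 1050624 217909247 216858624 103,4G Linux filesystem
/dev/sda3 217909248 234440703 16531456 7,9G Linux swap'

# Usage: mount_ewf.sh IMAGE.E01 PARTNUM RAWDIR MOUNTPOINT
if [ "$#" -eq 4 ]; then
    mount_ewf_partition "$@"
fi
```

Pass the NTFS-specific options from the post (show_sys_files, streams_interface=windows) only when the selected partition is actually NTFS; the script above mounts with the generic read-only set.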

That's all!