Often, during a forensic analysis, you may need to explore an EWF image (usually a file with .E0X extension) in order to extract some artifacts.
EWF files (Expert Witness Format) are a type of disk image, that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM).
EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum, compressed into 32 kb chunks which are stored back to back in groupings inside the file to improve random access efficiency.
EWF files may take one of two forms
The first is referred to as a "bitstream or forensic image": a sector-by-sector copy of the source, replicating the structure and contents of the storage device independent of the file system, including inactive data like the files and fragments that reside in unallocated space including deleted files that have not yet been overwritten.
The second form is called "logical evidence file" and it preserves the original files as they existed on the media and also documents this metadata:
- assigned file name and extension
- datetime created, modified, and last accessed
- logical and physical size
- MD5 hash value
- starting extention and original path
Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an "evidence grade" container.
Below i will show my workflow to mount a forensically acquired hard disc drive or partition image in Expert Witness format on an Linux system.
Install needed packages
On a Debian system, simply need to install ewf-tools package:
# apt install ewf-tools
Mount the EWF container
Operating as root, create a directory and use it as mountpoint, in order to mount che EWF container:
# mkdir rawimage # ewfmount IMAGE.E01 ./rawimage/ # cd rawimage/ # ls -lah totale 4,0K drwxr-xr-x 2 root root 0 gen 1 1970 . drwxrwxrwx 6 root root 4,0K apr 3 14:06 .. -r--r--r-- 1 root root 239G apr 3 14:29 ewf1
Mount the bitstream image
Finally create another mountpoint and mount the ewf1 disk image as loop device:
# mkdir mountpoint # mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interace=windows
# cd mountpoint
# ls -lah
drwxrwxrwx 1 root root 24K mar 29 16:31 .
drwxrwxrwx 6 root root 4,0K apr 3 14:06 ..
-rwxrwxrwx 1 root root 2,5K set 21 2017 $AttrDef
-rwxrwxrwx 1 root root 0 set 21 2017 $BadClus
-rwxrwxrwx 1 root root 7,5M set 21 2017 $Bitmap
-rwxrwxrwx 1 root root 8,0K set 21 2017 $Boot
-rwxrwxrwx 1 root root 376K lug 16 2016 bootmgr
-rwxrwxrwx 1 root root 1 lug 16 2016 BOOTNXT
drwxrwxrwx 1 root root 4,0K mar 7 08:22 Config.Msi
Some readers reports some errors during the second step ("mount the bitstream image").
In some cases, when the acquired disk contains a complex partition table, the process needs an additional step.
First, you need to enable partition support in loop driver: unload
loop and load it again with the desired value for the
max_part options, e.g.
# modprobe -r loop # modprobe loop max_part=8
Then, using fdisk -l get a list of partition in ewf file:
fdisk -l ewf1
Disk ewf1: 111,8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 62A81BB1-B2FA-426B-8765-E370D69949A7
Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/dev/sda2 1050624 217909247 216858624 103,4G Linux filesystem
/dev/sda3 217909248 234440703 16531456 7,9G Linux swap
Finally, mount the image using the offset of the correct partition (1050624 * 512=byte offset):
mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interace=windows,offset=$((1050624*512))