Friday, May 08, 2009

Mount EWF (E01) on Linux

Mounting Expert Witness Format (EWF) / EnCase (E01) using the latest software.

I see that the links I included in my last blog posting are no longer available:
http://stephenventer.blogspot.com/2009/02/mount-ewf-e01-on-linux.html

So here's a quick update on getting EWF mounting capabilities installed on a new Ubuntu install [in this case the 64-bit version of Jaunty Jackalope Ubuntu 9.04]

The libewf software is now available at:
http://sourceforge.net/projects/libewf/

The files I downloaded were:
steve@jj:~/software/EWF$ ls -1
disktype-libewf.patch
EWF_file_format.pdf
libewf-20080501.tar.gz
libewf-beta-20090506.tar.gz
mount_ewf-20080513.py


== Install the required build dependencies
-- the required Debian packages in Ubuntu are: zlib1g-dev libssl-dev uuid-dev
$ sudo apt-get install zlib1g-dev libssl-dev uuid-dev

== Create Debian (.deb) packages to install
Since the downloads are now standard source code format, I tried to create Debian (.deb) packages using the guidance here: http://www.quietearth.us/articles/2006/08/16/Building-deb-package-from-source

Step 1: Install required dependency packages:
$ sudo apt-get install autotools-dev fakeroot dh-make build-essential

Step 2: Copy the source code tarball to /tmp and extract the contents there:
steve@jj:~/software/EWF$ cp libewf-beta-20090506.tar.gz /tmp/
steve@jj:~/software/EWF$ cd /tmp/
steve@jj:/tmp$ tar -zxf libewf-beta-20090506.tar.gz
steve@jj:/tmp$ cd libewf-20090506/
steve@jj:/tmp/libewf-20090506$

Step 3a: No need to make the debian control files, since they are already there [in the debian/ sub-folder]

Step 3b: Build the debian package:
steve@jj:/tmp/libewf-20090506$ sudo dpkg-buildpackage -rfakeroot
** this ended with the following output:
signfile libewf_20090506-1.dsc
gpg: WARNING: unsafe ownership on configuration file `/home/steve/.gnupg/gpg.conf'
gpg: skipped "Joachim Metz ": secret key not available
gpg: [stdin]: clearsign failed: secret key not available

dpkg-genchanges >../libewf_20090506-1_amd64.changes
dpkg-genchanges: including full source code in upload
dpkg-buildpackage: full upload (original source is included)
dpkg-buildpackage: warning: Failed to sign .dsc and .changes file
steve@jj:/tmp/libewf-20090506$

Step 3c: List the newly created files:
steve@jj:/tmp/libewf-20090506$ cd ..
steve@jj:/tmp$ ls -ld libewf*
drwxr-xr-x 15 steve steve 4096 2009-05-08 18:41 libewf-20090506
-rw-r--r-- 1 root root 2262 2009-05-08 18:42 libewf_20090506-1_amd64.changes
-rw-r--r-- 1 root root 177340 2009-05-08 18:42 libewf_20090506-1_amd64.deb
-rw-r--r-- 1 root root 511 2009-05-08 18:40 libewf_20090506-1.diff.gz
-rw-r--r-- 1 root root 826 2009-05-08 18:40 libewf_20090506-1.dsc
-rw-r--r-- 1 root root 810174 2009-05-08 18:40 libewf_20090506.orig.tar.gz
-rw-r--r-- 1 steve steve 809523 2009-05-08 18:22 libewf-beta-20090506.tar.gz
-rw-r--r-- 1 root root 222562 2009-05-08 18:42 libewf-dev_20090506-1_amd64.deb
-rw-r--r-- 1 root root 195290 2009-05-08 18:42 libewf-tools_20090506-1_amd64.deb

== Install the newly created .deb packages:
steve@jj:/tmp$ sudo dpkg -i libewf*.deb
Selecting previously deselected package libewf.
(Reading database ... 109479 files and directories currently installed.)
Unpacking libewf (from libewf_20090506-1_amd64.deb) ...
Selecting previously deselected package libewf-dev.
Unpacking libewf-dev (from libewf-dev_20090506-1_amd64.deb) ...
Selecting previously deselected package libewf-tools.
Unpacking libewf-tools (from libewf-tools_20090506-1_amd64.deb) ...
Setting up libewf (20090506-1) ...

Setting up libewf-dev (20090506-1) ...
Setting up libewf-tools (20090506-1) ...
Processing triggers for man-db ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
steve@jj:/tmp$


== To use the mount_ewf script, you need to install python-fuse:
steve@jj:/tmp$ sudo apt-get install python-fuse


== Create a mount.ewf executable in the /sbin directory and grant it "execute" permissions:
steve@jj:/tmp$ cd
steve@jj:~$ cd software/EWF/
steve@jj:~/software/EWF$ cp mount_ewf-20080513.py /sbin/mount.ewf
cp: cannot create regular file `/sbin/mount.ewf': Permission denied
steve@jj:~/software/EWF$ sudo cp mount_ewf-20080513.py /sbin/mount.ewf
steve@jj:~/software/EWF$ sudo chmod +x /sbin/mount.ewf


== And that's it - ready to go:
steve@jj:~/software/EWF$ mount.ewf
Using libewf-20090506. Tested with libewf-20080501.
Usage:
mount.ewf [options]

Note: This utility allows EWF files to be mounted as a filesystem containing a flat disk image. can be any segment of the EWF file. To be identified, all files need to be in the same directory, have the same root file name, and have the same first character of file extension. Alternatively, multiple filenames can be specified in different locations in the order to be reassembled.


ewf segment filename(s) required.
steve@jj:~/software/EWF$

== Refer to this blog posting for how to mount the EWF files: http://stephenventer.blogspot.com/2009/02/mount-ewf-e01-on-linux.html

Monday, February 09, 2009

Mount EWF (E01) on Linux

Note: also refer to http://stephenventer.blogspot.com/2009/05/mount-ewf-e01-on-linux.html

To mount and view the contents of a forensically acquired hard disc drive or partition image in an Expert Witness Format (EWF) file, i.e. EnCase (E01) format (including compressed and / or split files), on an Ubuntu Linux system, try the following:

Download the libewf packages
These packages were obtained from: https://www.uitwisselplatform.nl/projects/libewf/
The download location is: https://www.uitwisselplatform.nl/frs/?group_id=53&release_id=369

The current ones I used were:
libewf_20080501
libewf-devel_20080501
libewf-tools_20080501 and
mount_ewf-20080513.py

For ease of installation on an Ubuntu system, create Debian package files (.deb) from the Red Hat Package (.rpm) files

This can be done using the Alien package tools on Ubuntu: http://www.howtoforge.com/converting_rpm_to_deb_with_alien

Install the packages

There are various dependencies that are needed for these packages, but the package installer application (dpkg) should help you identify and install those.

The "Install instructions for mount_ewf" are here: https://www.uitwisselplatform.nl/docman/view.php/53/169/readme.txt
Note: the FusePython package in Debian is called "python-fuse", so to install it execute this instruction at a command line: sudo apt-get install python-fuse
Also, in the example below I used the originally downloaded Python script (mount_ewf-20080513.py), but the instructions referenced in the readme.txt above would allow you to use the version copied to the new file: /sbin/mount.ewf

Mount the E01 / EWF contents to the folder
Note: For this example I created the folder /mnt/e01 and used it as the mount location to view the contents of the image split files (in this case the image was obtained in thirteen files: imaged-drive.E01 through imaged-drive.E13 - so the command executed refers to these files using the wildcard character "*", i.e. "imaged-drive.E*").
steve@ubuntu:/media/source/img$ sudo mkdir /mnt/e01
steve@ubuntu:/media/source/img$ sudo /home/steve/software/ewf/mount_ewf-20080513.py imaged-drive.E* /mnt/e01
steve@ubuntu:/media/source/img$ sudo ls -l /mnt/e01
total 38993865
-r--r--r-- 1 root root 40020664320 1970-01-01 01:00 imaged-drive
-r--r--r-- 1 root root 339 1970-01-01 01:00 imaged-drive.txt

View the partition table structure of the newly mounted image file to identify the start sector location of the partition(s) you want to mount
Note: in the example below, the drive image file has only one partition ("imaged-drive1"), which starts at sector number 63 - multiplying this by the number of bytes per sector (512) gives the byte offset of the start of that partition within the image: 63*512=32256
steve@ubuntu:/media/source/img$ sudo fdisk -lu /mnt/e01/imaged-drive
You must set cylinders.
You can do this from the extra functions menu.

Disk /mnt/e01/imaged-drive: 0 MB, 0 bytes
240 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd6b5d6b5

Device Boot Start End Blocks Id System
/mnt/e01/imaged-drive1 * 63 78155279 39077608+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 239, 63) logical=(5168, 239, 63)


Associate the image file (per the EWF contents) with a loop device using losetup

Note: you should set this up in "read-only" mode (i.e. specify the switch "-r") and, per the calculation above, the starting byte offset of this partition within the drive image is 63*512=32256. If you try this and get the response "Permission denied", check that you specified "-r". In this case no loop devices are in use, so the first one available is "loop0".
steve@ubuntu:/media/source/img$ sudo losetup -o32256 -r /dev/loop0 /mnt/e01/imaged-drive

Mount this loop device to a directory
Note: remember to mount this as "read only", i.e. with option "ro"; The "loop" option will also be needed here to mount this as another loop device on the local system; The next available loop device will automatically be allocated - in this case it was "loop1"; First I created a new directory (/mnt/imaged-drive_c) to use as a mount point location for this step.
$ sudo mkdir /mnt/imaged-drive_c
$ sudo mount /dev/loop0 /mnt/imaged-drive_c/ -o loop,ro
$ df -h
..
/dev/loop1 38G 31G 7.1G 81% /mnt/imaged-drive_c
$ mount
..
/dev/loop1 on /mnt/imaged-drive_c type fuseblk (ro,nosuid,nodev,allow_other,blksize=4096)
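The offset calculation above (start sector times 512) and the read-only losetup step are easy to get wrong by hand when an image has several partitions. The script below is an added example and not part of the original post or of libewf: it reads the MBR of the flat image that mount.ewf exposes, lists each primary partition with its start sector and byte offset, and prints the corresponding read-only losetup command. It only uses od, dd and printf, so it can be run as the unprivileged user before any sudo step. The script name (mbr_offset.sh) and the 512-byte sample MBR it builds when given no argument are constructed; the sample reproduces the partition from the fdisk output above (bootable, NTFS, sectors 63 to 78155279).

```shell
#!/bin/sh
# Added example, not from the original post: list MBR primary partitions of
# a raw image (e.g. /mnt/e01/imaged-drive) and print the read-only losetup
# command for one of them. Sample MBR and filenames are constructed.

SECTOR_SIZE=512   # bytes per sector, as reported by "fdisk -lu" above

# Decode the little-endian 32-bit unsigned integer at byte offset $2 of file $1.
le32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Byte offset for "losetup -o": start sector times sector size (default 512).
part_offset() {
    echo $(( $1 * ${2:-$SECTOR_SIZE} ))
}

# Print "index type start_sector sector_count byte_offset" for every non-empty
# primary entry in the MBR partition table of image $1. Entries start at byte
# 446 (0x1BE), 16 bytes each: type at +4, start LBA at +8, sector count at +12.
mbr_partitions() {
    img=$1
    i=0
    while [ "$i" -lt 4 ]; do
        entry=$(( 446 + i * 16 ))
        ptype=$(od -An -tx1 -j $(( entry + 4 )) -N 1 "$img" | tr -d ' ')
        if [ "$ptype" != "00" ]; then
            start=$(le32 "$img" $(( entry + 8 )))
            count=$(le32 "$img" $(( entry + 12 )))
            echo "$(( i + 1 )) 0x$ptype $start $count $(part_offset "$start")"
        fi
        i=$(( i + 1 ))
    done
}

# Print the read-only losetup command for partition number $2 of image $1.
losetup_cmd() {
    mbr_partitions "$1" | while read -r idx ptype start count off; do
        if [ "$idx" = "$2" ]; then
            echo "sudo losetup -r -o$off /dev/loop0 $1"
        fi
    done
}

# Constructed sample: a 512-byte MBR with one entry matching the fdisk output
# in the post: bootable, type 0x07 (NTFS), start sector 63, end sector
# 78155279, i.e. 78155217 sectors (0x04A88DD1 little-endian: d1 8d a8 04).
make_sample_mbr() {
    out=$1
    dd if=/dev/zero bs=446 count=1 of="$out" 2>/dev/null          # boot code area
    # status, CHS start, type, CHS end, start LBA (LE), sector count (LE)
    printf '\200\001\001\000\007\376\377\377\077\000\000\000\321\215\250\004' >> "$out"
    dd if=/dev/zero bs=16 count=3 2>/dev/null >> "$out"            # three empty entries
    printf '\125\252' >> "$out"                                    # 0x55AA signature
}

main() {
    if [ -n "$1" ]; then
        img=$1                      # real image, e.g. /mnt/e01/imaged-drive
    else
        img=$(mktemp)               # no argument: demonstrate on the sample MBR
        make_sample_mbr "$img"
    fi
    echo "idx type start count offset"
    mbr_partitions "$img"
    losetup_cmd "$img" 1
    [ -n "$1" ] || rm -f "$img"
}

main "$@"
```

Run as `sh mbr_offset.sh /mnt/e01/imaged-drive` to get the offsets for a real image; with no argument it parses the constructed sample and prints `1 0x07 63 78155217 32256` followed by `sudo losetup -r -o32256 /dev/loop0 ...`. It reads only the four primary MBR entries, so logical partitions inside an extended partition (types 0x05/0x0F) and GPT disks still need fdisk or a GPT-aware tool; the point is that the offset it prints matches the 63*512 calculation in the post and the -r flag is never forgotten.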

The file system (NTFS in this case) is now viewable and available for things like anti-virus scans, exploring, etc.
$ ls -l /mnt/imaged-drive_c/
total 964001
-rwxrwxrwx 1 root root 0 2004-02-06 13:47 AUTOEXEC.BAT
-rwxrwxrwx 1 root root 176 2005-09-12 11:09 boot.ini
-rwxrwxrwx 1 root root 241 2004-09-30 17:10 BOOTLOG.TXT
...snip...


Note: These steps should work on other Linux distributions, e.g. Fedora, but I have not personally tested it on them yet.