To mount and view the contents of a forensically acquired hard disc drive or partition image in an Expert Witness Format (EWF) file, i.e. EnCase (E01) format (including compressed and / or split files), on an Ubuntu Linux system, try the following:
Download the libewf packages
These packages were obtained from: https://www.uitwisselplatform.nl/projects/libewf/
The download location is: https://www.uitwisselplatform.nl/frs/?group_id=53&release_id=369
The current ones I used were:
libewf_20080501
libewf-devel_20080501
libewf-tools_20080501 and
mount_ewf-20080513.py
For ease of installation on an Ubuntu system, create Debian package files (.deb) from the Red Hat Package (.rpm) files
This can be done using the Alien package tools on Ubuntu: http://www.howtoforge.com/converting_rpm_to_deb_with_alien
Install the packages
There are various dependencies needed by these packages. dpkg will not fetch them for you, but it reports which ones are missing, and running "sudo apt-get -f install" afterwards pulls them in.
The "Install instructions for mount_ewf" are here: https://www.uitwisselplatform.nl/docman/view.php/53/169/readme.txt
Note: the FusePython package in Debian is called "python-fuse", so to install it execute this instruction at a command line: sudo apt-get install python-fuse
Also, in the example below I used the originally downloaded Python script (mount_ewf-20080513.py), but the instructions referenced in the readme.txt above would allow you to use the version copied to the new file: /sbin/mount.ewf
Mount the E01 / EWF contents to the folder
Note: For this example I created the folder /mnt/e01 and used it as the mount location to view the contents of the image split files (in this case the image was acquired as thirteen files, imaged-drive.E01 through imaged-drive.E13, so the command refers to them using the wildcard character "*", i.e. "imaged-drive.E*"; the shell expands this in sorted order, which is the correct segment order because the extensions are zero-padded).
steve@ubuntu:/media/source/img$ sudo mkdir /mnt/e01
steve@ubuntu:/media/source/img$ sudo /home/steve/software/ewf/mount_ewf-20080513.py imaged-drive.E* /mnt/e01
steve@ubuntu:/media/source/img$ sudo ls -l /mnt/e01
total 38993865
-r--r--r-- 1 root root 40020664320 1970-01-01 01:00 imaged-drive
-r--r--r-- 1 root root 339 1970-01-01 01:00 imaged-drive.txt
View the partition table structure of the newly mounted image file to identify the start sector location of the partition(s) you want to mount
Note: in the example below, the drive image file has only one partition ("imaged-drive1"), which starts at sector 63; multiplying that by the 512 bytes per sector gives the byte offset of the start of the partition within the image: 63*512=32256. Ignore the "0 MB, 0 bytes" / "0 cylinders" lines and the "You must set cylinders" warning: fdisk gets the disk size and geometry through block-device ioctls that a plain file exposed by mount_ewf does not answer, but it still reads the partition table itself correctly, and the Start column (in sectors, because of "-u") is what matters here.
steve@ubuntu:/media/source/img$ sudo fdisk -lu /mnt/e01/imaged-drive
You must set cylinders.
You can do this from the extra functions menu.
Disk /mnt/e01/imaged-drive: 0 MB, 0 bytes
240 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd6b5d6b5
Device Boot Start End Blocks Id System
/mnt/e01/imaged-drive1 * 63 78155279 39077608+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 239, 63) logical=(5168, 239, 63)
Associate the image file (per the EWF contents) with a loop device using losetup
Note: you should associate this in read-only mode (i.e. specify the switch "-r"). Per the calculation above, the starting byte offset of this partition within the drive image is 63*512=32256. If you try this and get the response "Permission denied", check that you specified "-r": the file exposed by mount_ewf is read-only, so a read-write loop device cannot be set up on it. In this case no loop devices are in use, so the first one available is "loop0"; "losetup -f" prints the first free loop device if you are not sure.
steve@ubuntu:/media/source/img$ sudo losetup -o32256 -r /dev/loop0 /mnt/e01/imaged-drive
Mount this loop device to a directory
Note: remember to mount this as read only, i.e. with option "ro". The "loop" option is not actually required here, since /dev/loop0 is already a block device; including it, as I did below, makes mount allocate a second loop device (the next free one, "loop1" in this case) layered over the first, which is why df and mount report /dev/loop1. First I created a new directory (/mnt/imaged-drive_c) to use as the mount point for this step.
$ sudo mkdir /mnt/imaged-drive_c
$ sudo mount /dev/loop0 /mnt/imaged-drive_c/ -o loop,ro
$ df -h
..
/dev/loop1 38G 31G 7.1G 81% /mnt/imaged-drive_c
$ mount
..
/dev/loop1 on /mnt/imaged-drive_c type fuseblk (ro,nosuid,nodev,allow_other,blksize=4096)
The file system (NTFS in this case, mounted through ntfs-3g, hence the "fuseblk" type shown by mount) is now viewable and available for things like anti-virus scans, exploring, etc.
$ ls -l /mnt/imaged-drive_c/
total 964001
-rwxrwxrwx 1 root root 0 2004-02-06 13:47 AUTOEXEC.BAT
-rwxrwxrwx 1 root root 176 2005-09-12 11:09 boot.ini
-rwxrwxrwx 1 root root 241 2004-09-30 17:10 BOOTLOG.TXT
...snip...
Note: These steps should work on other Linux distributions, e.g. Fedora, but I have not personally tested it on them yet.
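The fdisk step above is the only one that needs a human to read a number off the screen and multiply it. As an added example (not part of the original post, and not code from libewf or mount_ewf), the script below reads the first sector of the raw file that mount_ewf exposes, walks the four MBR partition entries using their LBA fields, and renders the read-only mount command for each one. It assumes 512-byte sectors and an MBR-partitioned disk; a protective 0xEE entry (GPT) is rejected rather than misreported. The sample MBR it builds is constructed test data, shaped to match the table fdisk printed above (one bootable NTFS partition, sectors 63..78155279). The "offset=" option on a loop mount is the one-step equivalent of the losetup -r -o ... plus mount -o ro pair used above; the names build_sample_mbr, parse_mbr and mount_commands are this example's own.

```python
#!/usr/bin/env python3
"""Read the MBR of the raw disk image exposed by mount_ewf and derive the byte
offsets / read-only mount commands for its partitions.
Example code, not part of libewf or mount_ewf."""
import os
import struct
import sys

SECTOR_SIZE = 512                 # assumed; matches "512 bytes" in the fdisk output
PARTITION_TABLE_OFFSET = 0x1BE    # first of four 16-byte entries
ENTRY_SIZE = 16
MBR_SIGNATURE = 0xAA55            # bytes 0x55 0xAA at offset 510, read little-endian
GPT_PROTECTIVE_TYPE = 0xEE


def has_mbr_signature(sector0: bytes) -> bool:
    """True if the sector carries the 0x55AA boot signature at offset 510."""
    return len(sector0) >= SECTOR_SIZE and struct.unpack_from("<H", sector0, 510)[0] == MBR_SIGNATURE


def is_gpt_protective(sector0: bytes) -> bool:
    """True if any primary entry has type 0xEE: the disk is really GPT and this
    MBR only protects it, so the real partitions are not in this table."""
    for n in range(4):
        if sector0[PARTITION_TABLE_OFFSET + n * ENTRY_SIZE + 4] == GPT_PROTECTIVE_TYPE:
            return True
    return False


def parse_mbr(sector0: bytes):
    """Return the used primary partition entries as dicts.

    Only the 32-bit LBA start/length fields (bytes 8..15 of an entry) are used;
    the CHS fields are ignored, so a CHS/LBA mismatch like the "different
    physical/logical endings" warning fdisk printed above is harmless here.
    """
    if not has_mbr_signature(sector0):
        raise ValueError("no 0x55AA signature at offset 510: not an MBR image")
    if is_gpt_protective(sector0):
        raise ValueError("protective MBR (type 0xEE): disk is GPT, parse the GPT instead")
    entries = []
    for n in range(4):
        off = PARTITION_TABLE_OFFSET + n * ENTRY_SIZE
        # B: boot flag, 3x: CHS start, B: type, 3x: CHS end, I: LBA start, I: sector count
        boot, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0 or lba_count == 0:
            continue  # unused slot
        entries.append({
            "number": n + 1,
            "bootable": bool(boot & 0x80),
            "type": ptype,
            "start_sector": lba_start,
            "end_sector": lba_start + lba_count - 1,
            "sector_count": lba_count,
        })
    return entries


def byte_offset(entry, sector_size=SECTOR_SIZE):
    """Partition start in bytes: the value handed to losetup -o (63*512 = 32256 above)."""
    return entry["start_sector"] * sector_size


def mount_commands(image_path, entries, mount_base="/mnt"):
    """Render one read-only loop mount per partition as command strings (not executed).
    'offset=' on a loop mount replaces the separate losetup -r -o step."""
    name = os.path.basename(image_path)
    cmds = []
    for e in entries:
        mp = f"{mount_base}/{name}_p{e['number']}"
        cmds.append(f"sudo mkdir -p {mp}")
        cmds.append(f"sudo mount -o ro,loop,offset={byte_offset(e)} {image_path} {mp}")
    return cmds


def build_sample_mbr() -> bytes:
    """Constructed test data, not read from a real drive: one bootable NTFS (0x07)
    partition spanning sectors 63..78155279, as fdisk reported above."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET,
                     0x80, 0x07, 63, 78155279 - 63 + 1)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


def main(argv):
    # Usage: mbr_offsets.py /mnt/e01/imaged-drive   (no argument: use the sample MBR)
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            sector0 = f.read(SECTOR_SIZE)
        image = argv[1]
    else:
        sector0, image = build_sample_mbr(), "/mnt/e01/imaged-drive"
    parts = parse_mbr(sector0)
    for p in parts:
        print(f"partition {p['number']}: type 0x{p['type']:02x}, sectors "
              f"{p['start_sector']}..{p['end_sector']}, byte offset {byte_offset(p)}")
    print("\n".join(mount_commands(image, parts)))


if __name__ == "__main__":
    main(sys.argv)
```

Point it at the raw file under the mount_ewf mount point (e.g. /mnt/e01/imaged-drive) and it prints the per-partition offsets and the mount lines; run it without arguments to see the sample that mirrors this post. Extended partitions and GPT disks are deliberately out of scope: the former need the EBR chain walked, the latter the GPT header, and the script says so rather than guessing.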
Thanks!!! btw libewf is standard on Helix, but requires the python-fuse package to perform the above.
Hi. Happened to notice your post when looking for something else. Quick tip for usage. If you download and install disktype (http://disktype.sourceforge.net/) with the patch for libewf support (http://superb-east.dl.sourceforge.net/sourceforge/libewf/disktype-libewf.patch) you can add a "-o disktype" argument to your mount_ewf command line and it will figure out the partitions automatically. From there you can use a command line like "mount -o ro,loop /mnt/e01/imaged-drivep1 /mnt/imaged-drive_c/". Let the computer do the math for you. :)
I'm trying to use mount_ewf but with poor results. In all attempts I made, the mounted unit comes up with question marks. Example:
mdelgado@mdelgado-$ mount_ewf.py WinXP2.E01 /mnt/analysis/EWF/
mdelgado@mdelgado-$ cd /mnt/analysis$
mdelgado@mdelgado-/mnt/analysis$ ls -al
total 8
drwxr-xr-x 3 root root 4096 2011-10-24 21:35 .
drwxr-xr-x 5 root root 4096 2011-10-20 15:59 ..
d????????? ? ? ? ? ? EWF
And I can't access the EWF directory EWF content.
Regards,
M.Delgado