Monday, February 09, 2009

Mount EWF (E01) on Linux

Note: also refer to http://stephenventer.blogspot.com/2009/05/mount-ewf-e01-on-linux.html

To mount and view the contents of a forensically acquired hard disc drive or partition image in an Expert Witness Format (EWF) file, i.e. EnCase (E01) format (including compressed and / or split files), on an Ubuntu Linux system, try the following:

Download the libewf packages
These packages were obtained from: https://www.uitwisselplatform.nl/projects/libewf/
The download location is: https://www.uitwisselplatform.nl/frs/?group_id=53&release_id=369

The current ones I used were:
libewf_20080501
libewf-devel_20080501
libewf-tools_20080501 and
mount_ewf-20080513.py

For ease of installation on an Ubuntu system, create Debian package files (.deb) from the Red Hat Package (.rpm) files

This can be done using the Alien package tools on Ubuntu: http://www.howtoforge.com/converting_rpm_to_deb_with_alien

Install the packages

There are various dependencies that are needed for these packages. Note that dpkg itself only reports unmet dependencies, it does not fetch them: if "sudo dpkg -i" fails with dependency errors, running "sudo apt-get -f install" afterwards pulls the missing packages from the Ubuntu repositories and completes the installation.

The "Install instructions for mount_ewf" are here: https://www.uitwisselplatform.nl/docman/view.php/53/169/readme.txt
Note: the FusePython package in Debian is called "python-fuse", so to install it execute this instruction at a command line: sudo apt-get install python-fuse
Also, in the example below I used the originally downloaded Python script (mount_ewf-20080513.py), but the instructions referenced in the readme.txt above would allow you to use the version copied to the new file: /sbin/mount.ewf

Mount the E01 / EWF contents to the folder
Note: For this example I created the folder /mnt/e01 and used it as the mount location to view the contents of the image split files (in this case the image was obtained in thirteen files: imaged-drive.E01 through imaged-drive.E13, so the command executed refers to these files using the wildcard character "*", i.e. "imaged-drive.E*", which the shell expands to all thirteen segments in order; mount_ewf needs every segment to present the full image).
steve@ubuntu:/media/source/img$ sudo mkdir /mnt/e01
steve@ubuntu:/media/source/img$ sudo /home/steve/software/ewf/mount_ewf-20080513.py imaged-drive.E* /mnt/e01
steve@ubuntu:/media/source/img$ sudo ls -l /mnt/e01
total 38993865
-r--r--r-- 1 root root 40020664320 1970-01-01 01:00 imaged-drive
-r--r--r-- 1 root root 339 1970-01-01 01:00 imaged-drive.txt

View the partition table structure of the newly mounted image file to identify the start sector location of the partition(s) you want to mount
Note: in the example below, the drive image file has only one partition ("imaged-drive1") which starts at sector number 63; multiplying this by the number of bytes per sector (512) gives the byte offset of the start of that partition: 63*512=32256. Because /mnt/e01/imaged-drive is a regular file rather than a block device, fdisk cannot query its size, which is why it reports "0 MB, 0 bytes" and asks you to set cylinders; the partition table entries themselves are still read correctly. The warning about different physical/logical endings only means the CHS fields in the table overflowed, as they do for any disk larger than CHS addressing can describe, and can be ignored. The Sleuth Kit's "mmls /mnt/e01/imaged-drive" is an alternative that reads image files directly and prints the same start sectors.
steve@ubuntu:/media/source/img$ sudo fdisk -lu /mnt/e01/imaged-drive
You must set cylinders.
You can do this from the extra functions menu.

Disk /mnt/e01/imaged-drive: 0 MB, 0 bytes
240 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd6b5d6b5

Device Boot Start End Blocks Id System
/mnt/e01/imaged-drive1 * 63 78155279 39077608+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 239, 63) logical=(5168, 239, 63)


Associate the image file (per the EWF contents) with a loop device using losetup

Note: you should attach this in "read-only" mode (i.e. specify the switch "-r"); per the calculation above, the starting byte offset of this partition within the drive image is 63*512=32256, which is given to losetup as "-o32256". If you try this and get the response "Permission denied", check that you specified "-r": the FUSE mount presents the image read-only, so losetup without "-r" fails when it tries to open the file for writing. Attaching read-only also means no file system driver can later modify the image through the loop device, e.g. by replaying a journal. In this case no loop devices were in use, so the first one available was "loop0"; "sudo losetup -f" prints the first free device and "sudo losetup -a" lists those already attached.
steve@ubuntu:/media/source/img$ sudo losetup -o32256 -r /dev/loop0 /mnt/e01/imaged-drive

Mount this loop device to a directory
Note: remember to mount this as "read only" too, i.e. with option "ro". The "loop" option is not actually required here, since /dev/loop0 is already a block device that mount can use directly; with it, mount layers a second loop device on top of loop0, which is what the output below shows as "loop1" (harmless, but unnecessary). Adding "noexec" as well is good practice for an evidence image. First I created a new directory (/mnt/imaged-drive_c) to use as a mount point location for this step.
$ sudo mkdir /mnt/imaged-drive_c
$ sudo mount /dev/loop0 /mnt/imaged-drive_c/ -o loop,ro
$ df -h
..
/dev/loop1 38G 31G 7.1G 81% /mnt/imaged-drive_c
$ mount
..
/dev/loop1 on /mnt/imaged-drive_c type fuseblk (ro,nosuid,nodev,allow_other,blksize=4096)

The file system (NTFS in this case, mounted through ntfs-3g, hence the "fuseblk" type shown above) is now viewable and available for things like anti-virus scans, exploring, etc.
$ ls -l /mnt/imaged-drive_c/
total 964001
-rwxrwxrwx 1 root root 0 2004-02-06 13:47 AUTOEXEC.BAT
-rwxrwxrwx 1 root root 176 2005-09-12 11:09 boot.ini
-rwxrwxrwx 1 root root 241 2004-09-30 17:10 BOOTLOG.TXT
...snip...
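As an added example (this is not code from the original post, nor part of libewf or mount_ewf), the following script performs the offset calculation from the fdisk step by reading the MBR partition table directly out of the raw image file that mount_ewf exposes, which sidesteps fdisk's inability to size a plain file, and prints the byte offset to give to "losetup -o" (or "mount -o offset="). It assumes an MBR (not GPT) partition table and 512-byte sectors; the mount_commands helper and the constructed sample MBR (modelled on the fdisk output above, with one bootable NTFS partition from sector 63 to 78155279) are mine, not the post's.

```shell
#!/bin/sh
# mbr_offsets.sh (added example, not from the original post)
# Reads the DOS/MBR partition table straight out of a raw disk image, such as the
# /mnt/e01/imaged-drive file exported by mount_ewf, and prints each partition's
# start sector and the byte offset to pass to "losetup -o" (or "mount -o offset=").
# Assumptions: MBR (not GPT) partition table and 512-byte sectors.

SECTOR_SIZE=512

# Print the byte at offset $2 of file $1 as an unsigned decimal.
u8() {
    od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' '
}

# Print the little-endian 32-bit unsigned integer at offset $2 of file $1.
# Bytes are combined by hand so the result does not depend on host byte order.
le32() {
    le32_file=$1
    le32_off=$2
    set -- $(od -An -tu1 -j "$le32_off" -N 4 "$le32_file")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# Succeed only if bytes 510-511 hold the 0x55 0xAA boot signature.
check_mbr_signature() {
    [ "$(u8 "$1" 510)" = 85 ] && [ "$(u8 "$1" 511)" = 170 ]
}

# Print one line per used entry of the four 16-byte slots starting at byte 446:
#   number boot type start_sector end_sector sector_count byte_offset
list_partitions() {
    lp_img=$1
    check_mbr_signature "$lp_img" || { echo "no MBR signature in $lp_img" >&2; return 1; }
    lp_i=0
    while [ "$lp_i" -lt 4 ]; do
        lp_entry=$((446 + lp_i * 16))
        lp_type=$(u8 "$lp_img" $((lp_entry + 4)))      # byte 4: partition type id
        if [ "$lp_type" != 0 ]; then
            if [ "$(u8 "$lp_img" "$lp_entry")" = 128 ]; then  # byte 0: 0x80 = bootable
                lp_boot='*'
            else
                lp_boot=-
            fi
            lp_start=$(le32 "$lp_img" $((lp_entry + 8)))    # bytes 8-11: first LBA sector
            lp_count=$(le32 "$lp_img" $((lp_entry + 12)))   # bytes 12-15: sector count
            printf '%d %s %02x %d %d %d %d\n' $((lp_i + 1)) "$lp_boot" "$lp_type" \
                "$lp_start" $((lp_start + lp_count - 1)) "$lp_count" \
                $((lp_start * SECTOR_SIZE))
        fi
        lp_i=$((lp_i + 1))
    done
}

# Print only the byte offset of partition number $2 (1-4) in image $1.
partition_offset() {
    list_partitions "$1" | while read -r n boot type start end count offset; do
        if [ "$n" = "$2" ]; then echo "$offset"; fi
    done
}

# Print the read-only losetup and mount commands for partition $2 of image $1
# on mount point $3 (hypothetical helper; it prints the commands, it does not run them).
mount_commands() {
    mc_off=$(partition_offset "$1" "$2")
    [ -n "$mc_off" ] || { echo "partition $2 not found" >&2; return 1; }
    echo "sudo losetup -r -o $mc_off /dev/loop0 $1"
    echo "sudo mount -o ro,noexec /dev/loop0 $3"
}

# Write a constructed 512-byte MBR to $1 modelled on the fdisk output above:
# one bootable NTFS (type 07) partition from sector 63 to 78155279.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # boot flag 0x80, CHS start, type 0x07, CHS end (FE FF FF), LBA start 63, count 78155217
    printf '\200\001\001\000\007\376\377\377\077\000\000\000\321\215\250\004' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage: sh mbr_offsets.sh /mnt/e01/imaged-drive
# With no argument, the constructed sample MBR is parsed instead.
if [ -n "$1" ]; then
    list_partitions "$1"
else
    sample=$(mktemp)
    make_sample_mbr "$sample"
    list_partitions "$sample"
    rm -f "$sample"
fi
```

Run it as "sh mbr_offsets.sh /mnt/e01/imaged-drive" after the mount_ewf step; the last column of each line is the value for "losetup -o", and for the sample it prints "1 * 07 63 78155279 78155217 32256", matching the fdisk output above. The mount command it prints uses the loop device directly (no redundant "loop" option) and adds "noexec".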


Note: These steps should work on other Linux distributions, e.g. Fedora, but I have not personally tested it on them yet.