
Stephen Venter

Some techie notes I want to remember... and share.


Monday, February 09, 2009
Mount EWF (E01) on Linux
Note: also refer to http://stephenventer.blogspot.com/2009/05/mount-ewf-e01-on-linux.html
To mount and view the contents of a forensically acquired hard disc drive or partition image in an Expert Witness Format (EWF) file, i.e. EnCase (E01) format (including compressed and / or split files), on an Ubuntu Linux system, try the following:
Download the libewf packages
These packages were obtained from: https://www.uitwisselplatform.nl/projects/libewf/
The download location is: https://www.uitwisselplatform.nl/frs/?group_id=53&release_id=369
The current ones I used were:
libewf_20080501
libewf-devel_20080501
libewf-tools_20080501 and
mount_ewf-20080513.py
For ease of installation on an Ubuntu system, create Debian package files (.deb) from the Red Hat Package (.rpm) files
This can be done using the Alien package tools on Ubuntu: http://www.howtoforge.com/converting_rpm_to_deb_with_alien
Install the packages
There are various dependencies that are needed for these packages, but the package installer application (dpkg) should help you identify and install those.
The "Install instructions for mount_ewf" are here: https://www.uitwisselplatform.nl/docman/view.php/53/169/readme.txt
Note: the FusePython package in Debian is called "python-fuse", so to install it
execute this instruction at a command line: sudo apt-get install python-fuse
Also, in the example below I used the originally downloaded Python script (mount_ewf-20080513.py), but the instructions referenced in the readme.txt above would allow you to use the version copied to the new file: /sbin/mount.ewf
Mount the E01 / EWF contents to the folder
Note: For this example I created the folder /mnt/e01 and used it as the mount location to view the contents of the image split files (in this case the image was obtained in thirteen files: imaged-drive.E01 through imaged-drive.E13, so the command executed makes a reference to these files using the wildcard character "*", i.e. "imaged-drive.E*").
steve@ubuntu:/media/source/img$ sudo mkdir /mnt/e01
steve@ubuntu:/media/source/img$ sudo /home/steve/software/ewf/mount_ewf-20080513.py imaged-drive.E* /mnt/e01
steve@ubuntu:/media/source/img$ sudo ls -l /mnt/e01
total 38993865
-r--r--r-- 1 root root 40020664320 1970-01-01 01:00 imaged-drive
-r--r--r-- 1 root root 339 1970-01-01 01:00 imaged-drive.txt
View the partition table structure of the newly mounted image file to identify the start sector location of the partition(s) you want to mount
Note: in the example below, the drive image file has only one partition ("imaged-drive1") which starts at sector number 63; when this is multiplied by the number of bytes per sector of 512, it gives you the byte offset value of the start of that partition as: 63*512=32256
steve@ubuntu:/media/source/img$ sudo fdisk -lu /mnt/e01/imaged-drive
You must set cylinders.
You can do this from the extra functions menu.
Disk /mnt/e01/imaged-drive: 0 MB, 0 bytes
240 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd6b5d6b5
Device Boot Start End Blocks Id System
/mnt/e01/imaged-drive1 * 63 78155279 39077608+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 239, 63) logical=(5168, 239, 63)

Associate the image file (per the EWF contents) with a loop device using losetup
Note: you should mount this in "read-only" mode (i.e. specify the switch "-r") and, per the calculation above, the starting byte offset of this partition within the drive image is at: 63*512=32256. If you try this and get the response "Permission denied", check to see that you specified "-r". In this case no loop devices are in use, so the first one available for use is "loop0".
steve@ubuntu:/media/source/img$ sudo losetup -o32256 -r /dev/loop0 /mnt/e01/imaged-drive

Mount this loop device to a directory


Note: remember to mount this as "read only", i.e. with option "ro". The "loop" option will also be needed here to mount this as another loop device on the local system; the next available loop device will automatically be allocated, in this case it was "loop1". First I created a new directory (/mnt/imaged-drive_c) to use as a mount point location for this step.
$ sudo mkdir /mnt/imaged-drive_c
$ sudo mount /dev/loop0 /mnt/imaged-drive_c/ -o loop,ro
$ df -h
..
/dev/loop1 38G 31G 7.1G 81% /mnt/imaged-drive_c
$ mount
..
/dev/loop1 on /mnt/imaged-drive_c type fuseblk (ro,nosuid,nodev,allow_other,blksize=4096)
The file system (NTFS in this case) is now viewable and available for things like anti-virus scans, exploring, etc.
$ ls -l /mnt/imaged-drive_c/
total 964001
-rwxrwxrwx 1 root root 0 2004-02-06 13:47 AUTOEXEC.BAT
-rwxrwxrwx 1 root root 176 2005-09-12 11:09 boot.ini
-rwxrwxrwx 1 root root 241 2004-09-30 17:10 BOOTLOG.TXT
...snip...
Note: These steps should work on other Linux distributions, e.g. Fedora, but I have not personally tested it on them yet.
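As an added example (not part of the original post), the following POSIX shell script automates the offset arithmetic and the read-only losetup/mount steps above. It assumes the EWF image is already exposed by mount_ewf as a raw file such as /mnt/e01/imaged-drive, that it runs as root (the post uses sudo), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: derive the partition byte offset
# from `fdisk -lu` output and mount that partition read-only, as in the post.
# Assumes the EWF image is already exposed as a raw file by mount_ewf (e.g.
# /mnt/e01/imaged-drive) and that the script runs as root (the post uses sudo).

SECTOR_SIZE=512   # bytes per sector, the value used in the post's arithmetic

# part_start_sector PARTITION FDISK_LISTING
# Prints the Start column for PARTITION from the text of `fdisk -lu IMAGE`.
# The Boot column ("*") is only present for bootable partitions, so the start
# sector is field 3 when it is there and field 2 otherwise.
part_start_sector() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == p { s = ($2 == "*") ? $3 : $2; print s; found = 1 }
        END { if (!found) exit 1 }'
}

# part_byte_offset PARTITION FDISK_LISTING
# Start sector multiplied by the sector size: 63 * 512 = 32256 for the post.
part_byte_offset() {
    start=$(part_start_sector "$1" "$2") || return 1
    echo $((start * SECTOR_SIZE))
}

# mount_partition_ro IMAGE PARTITION MOUNTPOINT
# The post's losetup/mount steps: a read-only loop device at the computed
# offset, then a read-only mount of it. Needs root and real devices.
mount_partition_ro() {
    listing=$(fdisk -lu "$1") || return 1
    offset=$(part_byte_offset "$2" "$listing") || return 1
    loopdev=$(losetup -f) || return 1             # first free loop device
    losetup -o "$offset" -r "$loopdev" "$1" || return 1
    mkdir -p "$3"
    mount -o ro,loop "$loopdev" "$3"
}

# Constructed sample listing with the partition line shape from the post's
# fdisk output; the second, non-bootable partition is invented for illustration.
SAMPLE_FDISK='Device Boot Start End Blocks Id System
/mnt/e01/imaged-drive1 * 63 78155279 39077608+ 7 HPFS/NTFS
/mnt/e01/imaged-drive2 78155280 78165279 5000 83 Linux'
```

Running `part_byte_offset /mnt/e01/imaged-drive1 "$SAMPLE_FDISK"` prints 32256, the value the post works out by hand; `mount_partition_ro /mnt/e01/imaged-drive /mnt/e01/imaged-drive1 /mnt/imaged-drive_c` performs the real losetup and mount.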
Posted by Stephen Venter at 6:56 AM
Labels: EnCase, ewf, expert witness format, libewf, mount
2 comments:
Anonymous said...
Thanks!!! btw libewf is standard on Helix, but requires the python-fuse package to perform the above.
2:40 PM
Dave said...
Hi. Happened to notice your post when looking for something else. Quick tip for usage. If you download and install disktype (http://disktype.sourceforge.net/) with the patch for libewf support (http://superb-east.dl.sourceforge.net/sourceforge/libewf/disktype-libewf.patch) you can add a "-o disktype" argument to your mount_ewf command line and it will figure out the partitions automatically. From there you can use a command line like "mount -o ro,loop /mnt/e01/imaged-drivep1 /mnt/imaged-drive_c/". Let the computer do the math for you. :)
5:12 PM
Mounting EWFs on Windows with freely available tools
Harlan recently posted a small reference to mounting EWFs on Windows machines using freely available utilities. David Loveall has produced a script called proxy_ewf.py which will do the heavy lifting of mounting EWFs via imdisk.
It is not straightforward to get working, so I have copied the instructions originally provided by David Loveall and further expanded on them below.
1. Extract the Windows mount_ewf files into a directory. I used the current mount_ewf_windows-20091123.zip file found in the downloads area of libewf. Download from the same place the proxy_ewf.py file and place it in the same directory (I used c:\opt\proxy_ewf\).
2. Download and install the Visual Studio runtime files, if you don't already have them. Don't bother as they are now included in the mount_ewf windows distribution.
3. Download and install ImDisk. Be careful about driver loading if you are on Vista and above.
4. Install python for windows. I used python 2.5 (x86) but 2.6 should work as well.
5. If you are on an x64 system, move imdisk.exe from the c:\Windows\system32 directory into the same directory as the mount_ewf and proxy_ewf.py files. The proxy_ewf script won't be able to run imdisk.exe due to the WOW64 file virtualisation features otherwise.
6. Run proxy_ewf:
c:\python25\python c:\opt\proxy_ewf\proxy_ewf-20091123.py c:\evidence\foo.e01
If you get a "Version number mismatch" error, it is likely that the _ctypes.pyd file in the mount_ewf distribution is incompatible with the one in your just installed python distribution. I deleted the one in the mount_ewf directory and things worked fine.
At this point, you should see a new drive letter (or letters) appear in Windows Explorer.
This entry was posted on Friday, December 18th, 2009 at 1:16 pm and is filed under Uncategorized.
