Some quick notes on mounting EWF images in Linux. The Expert Witness format (EWF) is commonly used by EnCase and other forensic tools. This format divides the physical bit-stream data of the disk into data chunks, each followed by a CRC for that chunk. The first chunk of data is created with the file extension 'E01', with subsequent chunks numbered in running sequential order (e.g. 'E02', 'E03', etc.).
The following commands were tested on an Ubuntu 20.04 LTS system with the ewf-tools package installed.
Print EWF image information
# ewfinfo image.e01
Mount EWF container and check disk layout
# ewfmount image.E01 /mnt/e01/
# fdisk -l /mnt/e01/ewf1
Note the sector size as well as the starting sector of the partition to be mounted; the mount offset is the product of the two. In the example above, the 78GB Linux partition starts at sector 2048 with 512-byte sectors, i.e. at an offset of 2048*512 = 1,048,576 bytes.
Attach disk image file to loop device (Optional)
# losetup --show -f /mnt/e01/ewf1
Mount image disk partition
# mount -o ro,loop,offset=<offset> <loop-device/disk-image> <mount-point>
In our example, the command we will use is:
# mount -o ro,loop,offset=1048576 /dev/loop0 /mnt/partition1
Or:
# mount -o ro,loop,offset=1048576 /mnt/e01/ewf1 /mnt/partition1
Occasionally one may get an error saying "cannot mount block device /dev/loop read-only" as the filesystem has a dirty log that needs to be replayed but the read-only option prevents that. In this situation, add the 'norecovery' option to overcome the error.
Note also that one can add the '-t' option to specify the filesystem type if required. In my experience, I've found Linux to be fairly adept at auto detecting and mounting NTFS, exFAT, ext2/3/4 filesystems correctly even without the '-t' option. Other options include 'noexec' to prevent accidental execution of malicious binaries in the image file.
Unmount partitions and devices
# umount <mount-point>
# losetup -D
# umount /mnt/e01
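The offset arithmetic above is the step most often done by hand (and most often done wrong). The following POSIX shell script is an added example, not part of the original post: it parses 'fdisk -l' output for the sector size and the start sector of the chosen partition, computes the byte offset, and builds the read-only, noexec mount command with the 'norecovery' fallback described earlier. The fdisk output embedded in the script is constructed sample data, not real tool output, and the paths /mnt/e01/ewf1 and /mnt/partition1 are assumed to exist as in the examples above. Only the mount function needs root and ewf-tools; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): derive a partition's byte
# offset from `fdisk -l` output and mount it read-only from an EWF container.
# Assumes: ewfmount has already exposed the image as /mnt/e01/ewf1, the mount
# point exists, and the mount step is run as root.

# Constructed sample of `fdisk -l /mnt/e01/ewf1` output (NOT real output).
SAMPLE_FDISK='Disk /mnt/e01/ewf1: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0badc0de

Device           Boot     Start       End   Sectors Size Id Type
/mnt/e01/ewf1p1  *         2048 163577855 163575808  78G 83 Linux
/mnt/e01/ewf1p2       163579902 167770111   4190210   2G  5 Extended'

# sector_size FDISK_OUTPUT -> logical sector size in bytes
sector_size() {
    printf '%s\n' "$1" | awk '/^Sector size/ { print $4; exit }'
}

# partition_start FDISK_OUTPUT N -> start sector of the Nth partition row.
# Partition rows begin with the device path; the Boot column ("*") is
# optional, so the Start value is either field 2 or field 3.
partition_start() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^\// {
            seen++
            if (seen == n) { s = ($2 == "*") ? $3 : $2; print s; exit }
        }'
}

# partition_offset_bytes FDISK_OUTPUT N -> start sector * sector size
partition_offset_bytes() {
    start=$(partition_start "$1" "$2")
    size=$(sector_size "$1")
    [ -n "$start" ] && [ -n "$size" ] || return 1
    echo $((start * size))
}

# mount_command FDISK_OUTPUT N IMAGE MOUNTPOINT -> the mount command line
# (ro: never write to evidence; noexec: no accidental execution from the image)
mount_command() {
    off=$(partition_offset_bytes "$1" "$2") || return 1
    printf 'mount -o ro,noexec,loop,offset=%s %s %s\n' "$off" "$3" "$4"
}

# mount_ewf_partition IMAGE N MOUNTPOINT: run fdisk for real, mount read-only,
# and retry with norecovery if a dirty journal blocks the read-only mount.
mount_ewf_partition() {
    off=$(partition_offset_bytes "$(fdisk -l "$1")" "$2") || return 1
    mount -o "ro,noexec,loop,offset=$off" "$1" "$3" 2>/dev/null ||
        mount -o "ro,noexec,loop,norecovery,offset=$off" "$1" "$3"
}

# Usage: sh mount_ewf_part.sh /mnt/e01/ewf1 1 /mnt/partition1
# Without arguments the script only defines the functions above.
if [ $# -eq 3 ]; then
    mount_ewf_partition "$1" "$2" "$3"
fi
```

With the constructed sample, 'partition_offset_bytes "$SAMPLE_FDISK" 1' yields 1048576, matching the hand-calculated offset in the post; pointing the same function at a second partition gives its offset without redoing the multiplication by hand.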