Difference between pages "Libewf" and "Joachim Metz"

From Forensics Wiki
{{Infobox_Software |
  name = libewf |
  maintainer = [[Joachim Metz]], [[David Loveall]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Disk imaging}} |
  license = {{LGPL}} |
  website = [http://libewf.sourceforge.net libewf.sourceforge.net] |
}}

The '''libewf''' package contains a [[Linux]]-based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.

It has been ported to other platforms like [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], and [[Windows]] as well.

== History ==

Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].

Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]], part of [[PyFlag]], and of the [http://www.asrdata.com/SMART/whitepaper.html Expert Witness Compression Format Specification] by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations imposed on the format by EnCase.

Currently libewf partially supports the EnCase L01 format, but this functionality has been disabled.

In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This application allows the storage media data in EWF files to be mounted through a [[fuse]] based mount.
 
== Tools ==

The '''libewf''' package contains the following tools:

* '''ewfacquire''' and '''ewfacquirestream''', which write storage media data from a device handle or an input stream to EWF files.
* '''ewfexport''', which exports storage media data in a set of E01 or s01 files to raw (dd) format or to a specific version of EWF files.
* '''ewfinfo''', which shows the metadata in EWF files.
* '''ewfverify''', which verifies the storage media data in EWF files.
* '''mount_ewf.py''', which allows the storage media data in EWF files to be mounted.

[[Dennis Schreiber]] created a menu based interface for ewfacquirestream called pyEWF. However, this currently seems not to be maintained.

== Examples ==

Imaging a device on a Unix-based system:
<pre>
ewfacquire /dev/sda
</pre>

Imaging a device on a Windows system:
<pre>
ewfacquire \\.\PhysicalDrive0
</pre>

Converting a split RAW image into an EWF image:
<pre>
ewfacquire split.raw.???
</pre>

or

<pre>
cat split.raw.??? | ewfacquirestream
</pre>

Converting an EWF image into another EWF format or a (split) RAW image:
<pre>
ewfexport image.E01
</pre>
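As an added example that is not part of this wiki page or of the libewf project, the following Python walks the section chain of a single EWF segment file (the E01/s01 files the tools above produce) and rejects a file whose section descriptors do not verify, a structural check that complements the data verification ewfverify performs. The 13-byte file header and the 76-byte section descriptor layout with its Adler-32 checksum are assumed from libewf's EWF format documentation; the sample segment is constructed in the code, not taken from a real image.

```python
import struct
import zlib

# Layout assumed from libewf's EWF format documentation: a 13-byte file header, then
# 76-byte section descriptors chained by absolute offsets, each with an Adler-32 checksum.
EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # EnCase E01 segment files
LVF_SIGNATURE = b"LVF\x09\x0d\x0a\xff\x00"  # SMART s01 segment files
FILE_HEADER = struct.Struct("<8sBHH")  # signature, fields start, segment number, fields end
SECTION = struct.Struct("<16sQQ40sI")  # type, next offset, size, padding, checksum

def parse_segment(data: bytes) -> dict:
    """Walk one segment file; raise ValueError on a bad signature, a checksum mismatch
    or a broken section chain, rather than silently trusting a damaged image."""
    signature, _start, segment_number, _end = FILE_HEADER.unpack_from(data, 0)
    if signature not in (EVF_SIGNATURE, LVF_SIGNATURE):
        raise ValueError("not an EWF segment file")
    sections, offset = [], FILE_HEADER.size
    while True:
        raw = data[offset:offset + SECTION.size]
        if len(raw) < SECTION.size:
            raise ValueError(f"truncated section descriptor at offset {offset}")
        sec_type, next_offset, size, _pad, stored = SECTION.unpack(raw)
        if zlib.adler32(raw[:72]) != stored:  # checksum covers everything but itself
            raise ValueError(f"checksum mismatch in section at offset {offset}")
        name = sec_type.rstrip(b"\x00").decode("ascii")
        sections.append((name, offset, size))
        if name in ("next", "done"):  # both point at themselves and close the segment
            return {"segment": segment_number, "last": name == "done", "sections": sections}
        if next_offset <= offset:
            raise ValueError(f"section chain does not advance at offset {offset}")
        offset = next_offset

def is_valid_segment(data: bytes) -> bool:  # True if parse_segment accepts the data
    try:
        return bool(parse_segment(data))
    except (ValueError, struct.error):
        return False

def build_section(name: bytes, offset: int, payload: bytes, last: bool = False) -> bytes:
    """Construct one descriptor plus payload (sample data, not a real image)."""
    size = SECTION.size + len(payload)
    body = struct.pack("<16sQQ40s", name.ljust(16, b"\x00"),
                       offset if last else offset + size, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body)) + payload

def sample_segment(segment_number: int = 1, last: bool = True) -> bytes:
    """Constructed E01 segment: a 'header' section followed by 'done' or 'next'."""
    data = FILE_HEADER.pack(EVF_SIGNATURE, 1, segment_number, 0)
    data += build_section(b"header", len(data), b"constructed header payload")
    return data + build_section(b"done" if last else b"next", len(data), b"", last=True)
```

On a real acquisition, feed each segment file (E01, E02, ...) to parse_segment and expect every segment but the last to end in a "next" section and the last one in "done".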
 
== External Links ==

* [http://libewf.sourceforge.net libewf project site]
* [https://www.uitwisselplatform.nl/projects/libewf/ old libewf project site]

Revision as of 15:04, 16 January 2010

Talking about yourself in third person is always awkward, but here I go anyway ;-)

Joachim Metz is a digital forensic investigator currently working at Hoffmann Investigations. Hoffmann Investigations mainly performs digital forensic investigations for corporations (private law).

My background is Information Communication Technology (ICT) in multiple disciplines like: system and network administration, programming, deployment, etc. and also Information Security (IS). I have been working in the field of digital forensics for several years now.

(Philosophy warning!!!) In my opinion digital forensic investigators should be transparent in both their findings and methods. The statement "the tool provided me with the evidence" just does not cut it for me. In my experience I have seen a lot of serious errors in 'digital forensic software' and corresponding human interpretation. Therefore I have put a lot of effort in providing alternatives and means to verify findings by breaking open file formats and improving file recovery methods.

(Ancient history alert!!!) For me breaking open file formats dates back to Might and Magic 3 save games and recovering deleted and corrupted files under DOS using PCTOOLS.

(Marketing alert!!!) Some recent results are the file format libraries like: libewf, libmsiecf, libnk2, libpff and recently libesedb, and the proof-of-concept carving tool called revit, that even seems to surprise me with its versatility (being able to support recovering NTFS compressed files: http://sourceforge.net/projects/revit/files/Documentation/Carving%20NTFS-compressed%20data/Carving%20for%20NTFS%20compressed%20files.pdf/download).

But that's the challenge I like about the field of digital forensics, there is a lot out there still to be discovered ;-)