ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
Difference between revisions of "Libewf"
|Line 58:||Line 58:|
Revision as of 16:36, 13 October 2010
|Maintainer:||Joachim Metz, David Loveall|
|OS:||Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows|
The libewf package contains Linux based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.
Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen part of PyFlag and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
libewf has also read support for the EnCase L01 format.
The libewf package contains the following tools:
- ewfacquire and ewfacquire, which writes storage media data from a device handle EWF files.
- ewfexport, which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of EWF files.
- ewfinfo, which shows the metadata in EWF files.
- ewfverify, which verifies the storage media data in EWF files.
- mount_ewf.py, which allows the storage media data in a EWF files to be mounted.
Dennis Schreiber created a menu based interface for ewfacquirestream called pyEWF. However this seems currently not to be maintained.
Imaging a device on a Unix-based system:
Imaging a device on a Windows system:
Converting a split RAW into an EWF image
cat split.raw.??? | ewfacquirestream
Converting an EWF into another EWF format or a (split) RAW image
Exporting files from a logical image (L01)