Difference between revisions of "Libewf"
|Line 76:||Line 76:|
Revision as of 22:50, 16 October 2011
|Maintainer:||Joachim Metz, David Loveall|
|OS:||Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows|
The libewf package contains a library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies. Recent versions also support the Logical Evidence (LEV) L0* files.
Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen part of PyFlag and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
libewf also has read support for the EnCase L01 format.
The libewf package contains the following tools:
- ewfacquire, which writes storage media data from devices and files to EWF files.
- ewfacquirestream, which writes data from stdin to EWF files.
- ewfexport, which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
- ewfinfo, which shows the metadata in EWF files.
- ewfverify, which verifies the storage media data in EWF files.
The libewf package also contains the following bindings:
- ewf.net, bindings for .Net
- pyewf, bindings for Python contributed by David Collett in 2008
Provided as separate tools on the libewf project site:
- mount_ewf.py, which allows the storage media data in a EWF files to be mounted, contributed by David Loveall in 2007.
- libewf-java, Java (JNA) bindings were contributed by Bradley Schatz in 2009.
- delphi imdisk proxy, Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by Brendan Berney in 2010.
- jlibewf, native Java EWF reader contributed by Bruce Allen in 2010.
A menu based interface for ewfacquirestream called pyEWF, contributed by Dennis Schreiber, was originally also available on the uitwisselplatform project site. However this is currently no longer maintained and was not moved to the sourceforge project size. The uitwisselplatform no longer exists. The name pyewf was reused for the libewf Python bindings created by David Collett which is now included in the libewf package.
Imaging a device on a Unix-based system:
Imaging a device on a Windows system:
Converting a split RAW into an EWF image
cat split.raw.??? | ewfacquirestream
Converting an optical disc (split) RAW into an EWF image (libewf 20110109 or later)
ewfacquire -T optical.cue optical.iso
Converting an EWF into another EWF format or a (split) RAW image
Exporting files from a logical image (L01)
FUSE mounting an EWF image (libewf 20110828 or later)
ewfmount image.E01 mount_point
FUSE mounting a logical image (L01) (libewf 20111016 or later)
ewfmount -f files image.L01 mount_point