Libewf

From Forensics Wiki
Revision as of 05:57, 31 January 2009 by Joachim Metz (Talk | contribs)

ewftools
Maintainer: Joachim Metz, David Loveall
OS: Linux
Genre: File type support
License: LGPL
Website: libewf.sourceforge.net

The ewftools are Linux-based programs to read and write EnCase E01 and SMART s01 bitstream copies of storage media. They have also been ported to other platforms such as *BSD, MacOS-X and Windows.

History

The ewftools were developed by Joachim Metz while working for Hoffmann Investigations.

The ewftools are part of the libewf package, which was created in 2006. Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen, part of PyFlag, and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase 1 to 6 E01 files and SMART s01 files. Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations on the format imposed by EnCase.

Currently libewf partially supports the EnCase L01 format but this functionality has been disabled.

Tools

The ewftools consist of:

  • ewfacquire, which writes storage media data from a device handle to a set of E01 or s01 files.
  • ewfexport, which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of E01 or s01 files.
  • ewfinfo, which shows the metadata in a set of E01 or s01 files.
  • ewfverify, which verifies the storage media data in a set of E01 or s01 files.
  • mount_ewf.py, which allows the storage media data in a set of E01 or s01 files to be mounted.

External Links