Difference between pages "Libewf" and "Template:Incident response"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Tools)
 
 
Line 1: Line 1:
{{Infobox_Software |
+
[[Category:Incident Response]][[:Category:Incident Response|Incident Response]]
  name = libewf |
+
  maintainer = [[Joachim Metz]], [[David Loveall]] |
+
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
+
  genre = {{Disk imaging}} |
+
  license = {{LGPL}} |
+
  website = [http://libewf.sourceforge.net libewf.sourceforge.net] |
+
}}
+
 
+
The '''libewf''' package contains [[Linux]] based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.
+
 
+
It has been ported to other platforms like [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], and [[Windows]] as well.
+
 
+
== History ==
+
 
+
Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].
+
 
+
Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] part of [[PyFlag]] and the [http://www.asrdata.com/SMART/whitepaper.html Expert Witness Compression Format Specification] by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
+
 
+
libewf also has read support for the EnCase L01 format.
+
 
+
In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This application allows a [[fuse]] based mount of the storage media data in the EWF files to be mounted.
+
 
+
== Tools ==
+
The '''libewf''' package contains the following tools:
+
* '''ewfacquire''', which writes storage media data from devices and files to EWF files.
+
* '''ewfacquirestream''', which writes data from stdin to EWF files.
+
* '''ewfexport''', which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
+
* '''ewfinfo''', which shows the metadata in EWF files.
+
* '''ewfverify''', which verifies the storage media data in EWF files.
+
 
+
The '''libewf''' package also contains the following bindings:
+
* '''ewf.net''', bindings for .Net
+
* '''pyewf''', bindings for Python
+
 
+
Provided as separate tools on the libewf project site:
+
* '''mount_ewf.py''', which allows the storage media data in a EWF files to be mounted, contributed by [[David Loveall]] in 2007.
+
* '''libewf-java''', Java (JNA) bindings were contributed by [[Bradley Schatz]] in 2009.
+
* '''delphi imdisk proxy''', Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by [[Brendan Berney]] in 2010.
+
* '''jlibewf''', native Java EWF reader contributed by [[Bruce Allen]] in 2010.
+
 
+
A menu based interface for ewfacquirestream called pyEWF, contributed by [[Dennis Schreiber]], was originally also available on the project site. However this is currently no longer maintained. Instead the name pyewf was reused for the libewf Python bindings created by [[David Collett]] which is now included in the libewf package.
+
 
+
== Examples ==
+
 
+
Imaging a device on a Unix-based system:
+
<pre>
+
ewfacquire /dev/sda
+
</pre>
+
 
+
Imaging a device on a Windows system:
+
<pre>
+
ewfacquire \\.\PhysicalDrive0
+
</pre>
+
 
+
Converting a split RAW into an EWF image
+
<pre>
+
ewfacquire split.raw.???
+
</pre>
+
 
+
or
+
 
+
<pre>
+
cat split.raw.??? | ewfacquirestream
+
</pre>
+
 
+
Converting an EWF into another EWF format or a (split) RAW image
+
<pre>
+
ewfexport image.E01
+
</pre>
+
 
+
Exporting files from a logical image (L01)
+
<pre>
+
ewfexport image.L01
+
</pre>
+
 
+
== External Links ==
+
 
+
* [http://libewf.sourceforge.net libewf project site]
+

Latest revision as of 14:25, 12 January 2014

Incident Response