Difference between pages "Email analysis" and "Libewf"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(New page: == Metadata Extraction == * [http://alioth.debian.org/docman/view.php/30390/47/readpst.1.html READPST] converts pst files to mbox format * Philip Guo has written python scripts to "extra...)
 
(Tools)
 
Line 1: Line 1:
== Metadata Extraction ==
+
{{Infobox_Software |
 +
  name = libewf |
 +
  maintainer = [[Joachim Metz]], [[David Loveall]] |
 +
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
 +
  genre = {{Disk imaging}} |
 +
  license = {{LGPL}} |
 +
  website = [http://libewf.sourceforge.net libewf.sourceforge.net] |
 +
}}
  
* [http://alioth.debian.org/docman/view.php/30390/47/readpst.1.html READPST] converts pst files to mbox format
+
The '''libewf''' package contains [[Linux]] based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.
* Philip Guo has written python scripts to "extract and organize email header information (e.g., senders, recipients, subjects, dates, etc.) from mbox files". his tools are available on his webpage [http://www.stanford.edu/~pgbovine/mbox-analysis.htm here]
+
  
== Tools ==
+
It has been ported to other platforms like [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], and [[Windows]] as well.
  
* [http://sneakers.cs.columbia.edu/ids/emt/ Columbia Email Mining Toolkit]
+
== History ==
 +
 
 +
Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].
 +
 
 +
Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] part of [[PyFlag]] and the [http://www.asrdata.com/SMART/whitepaper.html Expert Witness Compression Format Specification] by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
 +
 
 +
libewf also has read support for the EnCase L01 format.
 +
 
 +
In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This application allows a [[fuse]] based mount of the storage media data in the EWF files to be mounted.
 +
 
 +
== Tools ==
 +
The '''libewf''' package contains the following tools:
 +
* '''ewfacquire''', which writes storage media data from devices and files to EWF files.
 +
* '''ewfacquirestream''', which writes data from stdin to EWF files.
 +
* '''ewfexport''', which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
 +
* '''ewfinfo''', which shows the metadata in EWF files.
 +
* '''ewfverify''', which verifies the storage media data in EWF files.
 +
 
 +
The '''libewf''' package also contains the following bindings:
 +
* '''ewf.net''', bindings for .Net
 +
* '''pyewf''', bindings for Python
 +
 
 +
Provided as separate tools on the libewf project site:
 +
* '''mount_ewf.py''', which allows the storage media data in a EWF files to be mounted, contributed by [[David Loveall]] in 2007.
 +
* '''libewf-java''', Java (JNA) bindings were contributed by [[Bradley Schatz]] in 2009.
 +
* '''delphi imdisk proxy''', Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by [[Brendan Berney]] in 2010.
 +
* '''jlibewf''', native Java EWF reader contributed by [[Bruce Allen]] in 2010.
 +
 
 +
A menu based interface for ewfacquirestream called pyEWF, contributed by [[Dennis Schreiber]], was originally also available on the project site. However this is currently no longer maintained. Instead the name pyewf was reused for the libewf Python bindings created by [[David Collett]] which is now included in the libewf package.
 +
 
 +
== Examples ==
 +
 
 +
Imaging a device on a Unix-based system:
 +
<pre>
 +
ewfacquire /dev/sda
 +
</pre>
 +
 
 +
Imaging a device on a Windows system:
 +
<pre>
 +
ewfacquire \\.\PhysicalDrive0
 +
</pre>
 +
 
 +
Converting a split RAW into an EWF image
 +
<pre>
 +
ewfacquire split.raw.???
 +
</pre>
 +
 
 +
or
 +
 
 +
<pre>
 +
cat split.raw.??? | ewfacquirestream
 +
</pre>
 +
 
 +
Converting an EWF into another EWF format or a (split) RAW image
 +
<pre>
 +
ewfexport image.E01
 +
</pre>
 +
 
 +
Exporting files from a logical image (L01)
 +
<pre>
 +
ewfexport image.L01
 +
</pre>
 +
 
 +
== External Links ==
 +
 
 +
* [http://libewf.sourceforge.net libewf project site]

Revision as of 08:01, 11 December 2010

libewf
Maintainer: Joachim Metz, David Loveall
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: libewf.sourceforge.net

The libewf package contains Linux based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.

It has been ported to other platforms like FreeBSD, NetBSD, OpenBSD, Mac OS X, and Windows as well.

History

Libewf was created by Joachim Metz in 2006, while working for Hoffmann Investigations.

Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen part of PyFlag and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.

libewf also has read support for the EnCase L01 format.

In 2007 David Loveall contributed mount_ewf.py to the libewf project. This application allows a fuse based mount of the storage media data in the EWF files to be mounted.

Tools

The libewf package contains the following tools:

  • ewfacquire, which writes storage media data from devices and files to EWF files.
  • ewfacquirestream, which writes data from stdin to EWF files.
  • ewfexport, which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
  • ewfinfo, which shows the metadata in EWF files.
  • ewfverify, which verifies the storage media data in EWF files.

The libewf package also contains the following bindings:

  • ewf.net, bindings for .Net
  • pyewf, bindings for Python

Provided as separate tools on the libewf project site:

  • mount_ewf.py, which allows the storage media data in a EWF files to be mounted, contributed by David Loveall in 2007.
  • libewf-java, Java (JNA) bindings were contributed by Bradley Schatz in 2009.
  • delphi imdisk proxy, Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by Brendan Berney in 2010.
  • jlibewf, native Java EWF reader contributed by Bruce Allen in 2010.

A menu based interface for ewfacquirestream called pyEWF, contributed by Dennis Schreiber, was originally also available on the project site. However this is currently no longer maintained. Instead the name pyewf was reused for the libewf Python bindings created by David Collett which is now included in the libewf package.

Examples

Imaging a device on a Unix-based system:

ewfacquire /dev/sda

Imaging a device on a Windows system:

ewfacquire \\.\PhysicalDrive0

Converting a split RAW into an EWF image

ewfacquire split.raw.???

or

cat split.raw.??? | ewfacquirestream

Converting an EWF into another EWF format or a (split) RAW image

ewfexport image.E01

Exporting files from a logical image (L01)

ewfexport image.L01

External Links