Category:Disk imaging

From ForensicsWiki

Note: We're trying to use the same tool template for all devices. Please use this if possible.

TODO: Not all of the following are tools; most are simply company names. The tools should have their own articles...

Hardware imagers

DFL-DE Data Recovery Tool
  Includes three main modules: disk imaging, file recovery and automatic HDD repair, fixing both detected and undetected hard drives. http://www.datarecoverytools4u.com/product/data-extractor-dfl-de/

Data Compass
  A hardware and software tool by SalvationDATA that can image data from bad sectors, unstable heads and other drives.

DeepSpar Disk Imager
  Handles data recovery imaging issues, drive instability and bad sectors. http://www.deepspar.com/products-ds-disk-imager.html (data sheet and whitepaper available for download from the product web page).

ICS Solo3
  Supports USB, Firewire and SCSI drives. http://www.icsforensic.com/

Logicube Talon
  Supports USB.

PSIClone
  Built-in PATA, SATA, USB and write blocker. http://www.thepsiclone.com/
  Enhanced error handling and logging.

Voom HardCopy III
  Allows the destination drive to be formatted in NTFS.

Unix-based imagers

ewfacquire, ewfacquirestream
  The tools ewfacquire and ewfacquirestream are part of the libewf library package. They can create evidence files in the EnCase and FTK Imager .E0* (EWF-E01) and SMART .s0* (EWF-S01) formats. ewfacquire is intended to read from devices and ewfacquirestream from pipes. Both tools calculate an MD5 hash by default while the data is being acquired. They are able to calculate a SHA1 message digest as well, but for compatibility with EnCase they only store the SHA1 hash in the Extended EWF (EWF-X) format. ewfacquire and ewfacquirestream support byte swapping of media bytes, which is useful for dealing with big endian media on little endian architectures and vice versa. They also have intelligent error recovery.
  See libewf.

Adepto
  http://www.e-fense.com/helix/

aimage
  Part of the AFF system, aimage can create files in raw, AFF, AFD or AFM formats. AFF and AFD formats can be compressed or uncompressed. aimage can optionally compress and calculate MD5 or SHA-1 hashes while the data is being copied. It has intelligent error recovery, similar to what is in ddrescue.

AIR
  AIR (Automated Image and Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.
  http://air-imager.sourceforge.net/

dcfldd
  A version of dd created by the Digital Computer Forensics Laboratory. dcfldd is an enhanced version of GNU dd with features useful for forensics and security, such as calculating MD5 or SHA-1 hashes on the fly and faster disk wiping.

dd
  A program that converts and copies files; it is one of the oldest Unix programs. It can copy data from any Unix "file" (including a raw partition) to any other Unix "file" (including a disk file or a raw partition). This is one of the oldest of the imaging tools, and produces raw image files. Extended into dcfldd.

EnCase LinEn
  Linux-based version of EnCase's forensic imaging tool.

GNU ddrescue
  http://www.gnu.org/software/ddrescue/ddrescue.html

dd_rescue
  http://www.garloff.de/kurt/linux/ddrescue/
  A tool similar to dd, but unlike dd it will continue reading at the next sector if it stumbles over bad sectors it cannot read.

iLook IXimager
  The primary imaging tool for iLook. It is Linux based and produces compressed, authenticatable image files that may only be read in the iLook analysis tool.

MacQuisition Boot CD
  Provides software to safely image Macintosh drives.

rdd
  http://sourceforge.net/projects/rdd
  Rdd is robust with respect to read errors and incorporates several other functions: MD5 and SHA-1 hashing, block hashing, entropy computation, checksumming, network transfer, and output splitting.

sdd
  Another dd-like tool. It is supposed to be faster in certain situations.

Windows-based imagers

AccessData
  Their ultimate tool lets you "READ, ACQUIRE, DECRYPT, ANALYZE and REPORT (R.A.D.A.R.)."

ASR
  A tool for imaging and analyzing disks.

DIBS
  Can image and convert many file formats. Also builds a mobile toolkit.

EnCase
  Can image without the dongle plugged in. Only images to E0* files.

FTK Imager by AccessData
  Can image and convert many image formats, including E0* (EWF-E01), s0* (EWF-S01) and dd. Also a free tool.

Ghost
  FTK can read forensic, uncompressed Ghost images.

iLook
  The IRS's set of forensic tools and utilities. iLook V8 can image in Windows.

Paraben
  A complete set of tools for Windows (and handheld) products.

ProDiscovery
  Images and searches FAT12, FAT16, FAT32 and all NTFS files.

X-Ways Forensics
  Has some limited imaging capabilities. The output is raw format.

X-Ways Replica
  Performs hard disk cloning and imaging. The output is raw format.

Category: Tools
Libewf

Revision as of 01:34, 15 July 2013

libewf
Maintainer: Joachim Metz, David Loveall
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libewf/

Libewf is a library to access the Expert Witness Compression Format (EWF).

Features

Read or write supported EWF formats:

  • SMART .s01 (EWF-S01)
  • EnCase .E01 (EWF-E01) and .Ex01 (EWF2-Ex01)

Read-only supported EWF formats:

  • Logical Evidence File (LEF) .L01 (EWF-L01) and .Lx01 (EWF2-Lx01)

Other features:

  • empty-block compression
  • read/write access using delta (or shadow) files
  • write resume

Tools

The libewf package contains the following tools:

  • ewfacquire, which writes storage media data from devices and files to EWF files.
  • ewfacquirestream, which writes data from stdin to EWF files.
  • ewfdebug; experimental tool does nothing at the moment.
  • ewfexport, which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
  • ewfinfo, which shows the metadata in EWF files.
  • ewfmount, which FUSE mounts EWF files.
  • ewfrecover; special variant of ewfexport to create a new set of EWF files from a corrupt set.
  • ewfverify, which verifies the storage media data in EWF files.

The libewf package also contains the following bindings:

  • ewf.net, bindings for .Net
  • pyewf, bindings for Python contributed by David Collett in 2008

Contributions

Tools that have been contributed to the project are provided as separate tools on the sourceforge libewf project site. These are:

  • mount_ewf.py, which allows the storage media data in EWF files to be mounted, contributed by David Loveall in 2007.
  • libewf-java, Java (JNA) bindings were contributed by Bradley Schatz in 2009.
  • delphi imdisk proxy, Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by Brendan Berney in 2010.
  • jlibewf, native Java EWF reader contributed by Bruce Allen in 2010.
  • libewfcs, native C# EWF reader contributed by Bruce Allen in 2011.

A menu-based interface for ewfacquirestream called pyEWF, contributed by Dennis Schreiber, was originally also available on the uitwisselplatform project site. However, it is no longer maintained and was not moved to the sourceforge project site. The uitwisselplatform no longer exists. The name pyewf was reused for the libewf Python bindings created by David Collett, which are now included in the libewf package.

Examples

Imaging a device on a Unix-based system:

ewfacquire /dev/sda

Imaging a device on a Windows system:

ewfacquire \\.\PhysicalDrive0

Converting a RAW into an EWF image

ewfacquire myfile.raw

or:

ewfacquire -c best -m fixed -t myfile -S 1T -u [-q] myfile.raw

or

cat split.raw.??? | ewfacquirestream
cat myfile.??? | ewfacquirestream  -c best -m fixed -t myfile -S 1T 

Converting an optical disc (split) RAW into an EWF image (libewf 20110109 or later)

ewfacquire -T optical.cue optical.iso

Converting an EWF into another EWF format or a (split) RAW image

ewfexport image.E01

Exporting files from a logical image (L01)

ewfexport image.L01

FUSE mounting an EWF image (libewf 20110828 or later)

ewfmount image.E01 mount_point

FUSE mounting a logical image (L01) (libewf 20111016 or later)

ewfmount -f files image.L01 mount_point

Verify a single image with results to the screen

ewfverify image.E01

From a Linux shell, verify a group of images in subdirectories of the current directory, creating a simple log file per image.

find . -name \*.E01 -printf '%f %p\n' | xargs printf "ewfverify -l \$(basename -s .E01 %s).ewfverify.out  %s\n" | sh

or

find . -name '*.E01' | while read F
do
  echo ewfverify -l "$(basename -s .E01 $F).ewfverify.out" "$F"
done
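Both batch-verification snippets above split on whitespace (xargs in the first, the unquoted $F passed to basename in the second), so an image stored under a path containing a space ends up with a mangled command line. The following POSIX shell function is an added example, not code from the libewf project or this page: it does the same per-image verification but lets find hand every path to sh as a single argument, writes the log next to each image using the page's <name>.ewfverify.out naming, and returns non-zero if ewfverify fails for any image. The function name, the directory and verifier parameters, and the dry-run convention of passing echo as the verifier are this example's own choices.

```shell
#!/bin/sh
# Added example; not part of the libewf project or the original page.
# Verify every .E01 image below a directory with ewfverify, writing one log
# file per image next to it (<image>.ewfverify.out).
# find -exec ... {} + passes each path to sh as its own argument, so paths
# containing spaces are not split the way a find | xargs | sh pipeline splits them.
#
# usage: ewfverify_each [DIR] [VERIFIER]
#   DIR       directory to search (default: current directory)
#   VERIFIER  command run per image (default: ewfverify; pass echo for a dry run)
# Returns non-zero if the verifier fails for any image.
ewfverify_each() {
    dir=${1:-.}
    cmd=${2:-ewfverify}
    find "$dir" -type f -name '*.E01' -exec sh -c '
        cmd=$1
        shift
        status=0
        for img do
            # log sits next to the image: path/name.E01 -> path/name.ewfverify.out
            log="${img%.E01}.ewfverify.out"
            "$cmd" -l "$log" "$img" || status=1
        done
        exit "$status"
    ' _ "$cmd" {} +
}
```

Run `ewfverify_each /evidence` to verify every image under /evidence, or `ewfverify_each /evidence echo` first to print the exact ewfverify invocations without touching the images. Because find returns non-zero when any of the sh invocations exits non-zero, the function's exit status can gate a later step (for example, refusing to move images into a case store until all of them verify).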

History

Libewf was created by Joachim Metz in 2006, while working for Hoffmann Investigations.

Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen, part of PyFlag, and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase version 1 to 7 .E01 files, EnCase 5 to 7 .L01 files, EnCase 7 .Ex01 and .Lx01 files and SMART .s01 files. Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations imposed by the EnCase .E01 format.

In 2007 David Loveall contributed mount_ewf.py to the libewf project. This application allows the storage media data in EWF files to be mounted through FUSE. Due to repeated issues with Python and the FUSE Python bindings on Mac OS X, part of the functionality of these scripts has been rewritten into ewfmount.

As of version 20120715 support for EWF version 2 (.Ex01 and .Lx01) was added.

External Links

  • Project site: https://code.google.com/p/libewf/
  • Building libewf and tools from source: https://code.google.com/p/libewf/wiki/Building
  • Mounting a set of EWF file(s): https://code.google.com/p/libewf/wiki/Mounting
  • Old project site: http://libewf.sourceforge.net