|Maintainer:||Joachim Metz, David Loveall|
|OS:||Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows|
The libewf package contains Linux based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.
Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen part of PyFlag and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
Currently libewf partially supports the EnCase L01 format but this functionality has been disabled.
The libewf package contains the following tools:
- ewfacquire and ewfacquire, which writes storage media data from a device handle EWF files.
- ewfexport, which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of EWF files.
- ewfinfo, which shows the metadata in EWF files.
- ewfverify, which verifies the storage media data in EWF files.
- mount_ewf.py, which allows the storage media data in a EWF files to be mounted.
Dennis Schreiber created a menu based interface for ewfacquirestream called pyEWF. However this seems currently not to be maintained.
Imaging a device on a Unix-based system:
Imaging a device on a Windows system:
Converting a split RAW into an EWF image
cat split.raw.??? | ewfacquirestream
Converting an EWF into another EWF format or a (split) RAW image