Libewf

From ForensicsWiki
Revision as of 09:56, 31 January 2009 by Jessek (Talk | contribs)

libewf
Maintainer: Joachim Metz, David Loveall
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: libewf.sourceforge.net

The libewf package contains a Linux-based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.

It has also been ported to other platforms, including FreeBSD, NetBSD, OpenBSD, Mac OS X and Windows.

History

Libewf was created by Joachim Metz in 2006, while working for Hoffmann Investigations.

Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen, part of PyFlag, and of the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations on the format imposed by EnCase.

Currently libewf partially supports the EnCase L01 format but this functionality has been disabled.

In 2007 David Loveall contributed mount_ewf.py to the libewf project. This application allows the storage media data in the EWF files to be mounted through FUSE.

Tools

The libewf package contains the following tools:

  • ewfacquire and ewfacquirestream, which write storage media data from a device handle to EWF files.
  • ewfexport, which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of EWF files.
  • ewfinfo, which shows the metadata in EWF files.
  • ewfverify, which verifies the storage media data in EWF files.
  • mount_ewf.py, which allows the storage media data in EWF files to be mounted.

Dennis Schreiber created a menu-based interface for ewfacquirestream called pyEWF. However, it does not currently seem to be maintained.

External Links