Category: Forensics. Tags: ewf, expert-witness, forensics, imaging, acquisition, verification

libewf

libewf is a library for reading and writing Expert Witness Compression Format (EWF) files used in digital forensics. It provides tools to acquire, verify, export, and mount EWF images from sources like EnCase and FTK Imager.

Description

libewf supports EWF formats including SMART (EWF-S01) and EnCase (EWF-E01), and is compatible with files produced by EnCase 1-6, linen, and FTK Imager. It is essential for forensic investigations involving disk imaging and evidence preservation. The ewf-tools package includes utilities for acquiring data from devices or files, verifying integrity, exporting to raw or other formats, mounting images, and recovering data from corrupted files.

Use cases include creating forensic images of hard drives, optical media, or memory, supporting chain-of-custody documentation with MD5/SHA hashes, and analyzing evidence without altering the originals. Tools such as ewfacquire handle compression, sector-level reading, and embedding of case metadata in the image for documentation.

The library also offers development files, Python bindings, and runtime support, enabling integration into custom forensic workflows or scripts.

How It Works

libewf handles EWF segment files with deflate compression, hashing (MD5 by default, optional SHA1/SHA256), and metadata storage for acquisition details. The tools read and write in chunks of 16 to 32768 sectors, support a start offset, retry on read errors, and can byte-swap media data. They process physical and logical media types (fixed, removable, optical, memory), export to raw, individual files, or other EWF variants, mount images via FUSE, and verify the stored checksums across all segment files, which default to 1.4 GiB each.

Installation

    sudo apt install ewf-tools

Flags (ewfacquire)

-A  codepage of header section, options: ascii (default), windows-874, windows-932, etc.
-b  specify the number of sectors to read at once (per chunk), options: 16, 32, 64 (default), 128, etc.
-B  specify the number of bytes to acquire (default is all bytes)
-c  specify the compression values as: level or method:level, compression method options: deflate (default)
-C  specify the case number (default is case_number)
-d  calculate additional digest (hash) types besides md5, options: sha1, sha256
-D  specify the description (default is description)
-e  specify the examiner name (default is examiner_name)
-E  specify the evidence number (default is evidence_number)
-f  specify the EWF file format to write to, options: ewf, smart, ftk, encase2, etc.
-h  shows this help
-l  logs acquisition errors and the digest (hash) to the log_filename
-m  specify the media type, options: fixed (default), removable, optical, memory
-M  specify the media flags, options: logical, physical (default)
-N  specify the notes (default is notes)
-o  specify the offset to start to acquire (default is 0)
-p  specify the process buffer size (default is the chunk size)
-P  specify the number of bytes per sector (default is 512)
-q  quiet shows minimal status information
-r  specify the number of retries when a read error occurs (default is 2)
-s  swap byte pairs of the media data (from AB to BA)
-S  specify the segment file size in bytes (default is 1.4 GiB)
-t  specify the target file (without extension) to write to
-u  unattended mode (disables user interaction)
-v  verbose output to stderr
-V  print version
-w  zero sectors on read error (mimic EnCase like behavior)
-x  use the chunk data instead of the buffered read and write functions
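The following script is an added example, not part of libewf or the ewf-tools package, showing how the flags above combine into an unattended acquire, verify and export workflow. The device path, case metadata and output directory are constructed placeholders; the output format encase6 and the ewfverify/ewfexport options are assumed from the tools' usage text rather than from this page.

```shell
#!/bin/sh
# Added example (not libewf's own code): unattended acquire -> verify -> export
# workflow built from the ewfacquire flags in the table above.
# All metadata and paths below are constructed placeholders.

CASE_NUMBER="CASE-2025-001"     # constructed placeholder
EVIDENCE_NUMBER="EV-01"         # constructed placeholder
EXAMINER="examiner_name"        # constructed placeholder
DESCRIPTION="Laptop HDD"        # constructed placeholder
OUT_DIR="./evidence"            # constructed placeholder

# Compose the acquisition command line. -u runs unattended, -d sha256 records
# a second digest beside the default MD5, -f encase6 selects the EWF variant
# (assumed option, not listed on this page), -c deflate:fast sets compression,
# -b 64 reads 64 sectors per chunk, -r 2 retries a bad sector twice, -w zeroes
# sectors that still fail, -S splits segment files at 2 GiB, -l logs errors and
# digests, and -t names the target without extension.
acquire_cmd() {
    device="$1"
    target="$2"
    printf 'ewfacquire -u -d sha256 -f encase6 -c deflate:fast -b 64 -r 2 -w -S 2147483648 -C "%s" -E "%s" -e "%s" -D "%s" -l "%s.acquire.log" -t "%s" "%s"' \
        "$CASE_NUMBER" "$EVIDENCE_NUMBER" "$EXAMINER" "$DESCRIPTION" \
        "$target" "$target" "$device"
}

# Verification: ewfverify recomputes MD5 and the extra SHA-256 over the media
# data and compares them with the digests stored at acquisition time. The
# -d and -l options are assumed to mirror ewfacquire's.
verify_cmd() {
    target="$1"
    printf 'ewfverify -d sha256 -l "%s.verify.log" "%s.E01"' "$target" "$target"
}

# Export to a raw (dd-style) image for tools that cannot read EWF directly.
# -f raw and -u are assumed ewfexport options.
export_cmd() {
    target="$1"
    printf 'ewfexport -u -f raw -t "%s" "%s.E01"' "$target" "$target"
}

# Run the three steps in order and stop at the first failure. Returns 2 when
# ewf-tools is not installed so a caller can tell that apart from a failed
# acquisition or a hash mismatch (return 1).
run_workflow() {
    device="$1"
    target="$OUT_DIR/$EVIDENCE_NUMBER"
    command -v ewfacquire >/dev/null 2>&1 || return 2
    mkdir -p "$OUT_DIR"
    eval "$(acquire_cmd "$device" "$target")" || return 1
    eval "$(verify_cmd "$target")" || return 1
    eval "$(export_cmd "$target")" || return 1
    echo "acquired, verified and exported $target"
}

# Usage (constructed device path; requires root to read a block device):
#   run_workflow /dev/sdX
```

Keeping the command lines in separate functions means the exact invocation can be reviewed, or written into the case notes, before anything touches the evidence device; the verify step is what turns the log from a record of what was attempted into evidence that the image matches the source.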

Examples

Shows help for ewfacquire, which acquires data from a file or device into EWF format.
    ewfacquire -h
Shows help for ewfacquirestream, which acquires data in EWF format from stdin.
    ewfacquirestream -h
Shows help for ewfdebug, which analyzes EWF file(s).
    ewfdebug -h
Shows help for ewfexport, which exports media data stored in EWF files to raw or other formats.
    ewfexport -h
Shows help for ewfinfo, which shows metadata stored in EWF files.
    ewfinfo -h
Shows help for ewfmount, which mounts data stored in EWF files.
    ewfmount -h
Shows help for ewfrecover, which recovers data from corrupt EWF files.
    ewfrecover -h
Shows help for ewfverify, which verifies media data stored in EWF files.
    ewfverify -h
Updated 2025-Dec-09. Source: kali.org