If you have an Encase Expert Witness Format E01 image, and you’d like to mount it for examination, there is a free library for Linux that will assist.

E01 images are compressed, forensically sound containers for disk images acquired during an investigation. To work with them, we must utilize a tool that will stream decompress the image so that we can mount and work with the contents.

These tools and shortcuts are preinstalled on the Linux SIFT workstation.

1. Install the ewf-tools library (already included on Linux SIFT workstation)

   sudo apt-get install ewf-tools

2. Examine the metadata associated with the E01 by running ewfinfo

   ewfinfo your_image.e01

3. Let’s create a mount point that we’ll use to mount the E01 as a raw device

   mkdir -p /mnt/ewf_mount

4. Now, mount the E01 forensic image to a new raw device

   ewfmount your_image.e01 /mnt/ewf_mount

   1. A successful mount operation will provide a very minimal output such as “ewfmount 20140812”

   2. You will now have a stream-decompressed raw device at /mnt/ewf_mount/ewf1

      ls -alh /mnt/ewf_mount

5. Create a new mount point for the logical mount we’re about to perform, and then mount the device to the new logical mount point.

   mkdir -p /mnt/logical_mount

   mount -o ro,show_sys_files,streams_interface=windows /mnt/ewf_mount/ewf1 /mnt/logical_mount

   1. Pro Tip: create a bash alias that simplifies this mount command for the future, allowing you to replace it with simply mountwin — you must reload bash for it to take effect.

      echo “alias mountwin='mount -o ro,show_sys_files,streams_interface=windows'“ » ~/.bash_aliases

6. Now, change directory into the logical mount point, and examine the file system!

   cd /mnt/logical_mount

   ls -alh

   Subscribe