Tuesday, January 15, 2013

Backtrack Forensics: ewfacquire (libewf)

Menu: Forensics -> Forensic Imaging Tools
Directory:

/usr/bin/ewfacquire
/usr/bin/ewfacquirestream
/usr/bin/ewfexport
/usr/bin/ewfinfo
/usr/bin/ewfverify

libewf is a package for working with EWF (Expert Witness Format) files; currently the SMART and EnCase formats are fully supported. Without going into too much detail, the EWF file formats store a lot of metadata in the image file itself, and also a CRC checksum after certain blocks, whose size we can set.

Let's jump into the usage.

A very basic run is:

ewfacquire -d sha1 -t /root/forensics/ewf/thumb1g /dev/sdb

where we ask for an additional SHA1 hash calculation (newer versions support SHA256, but the BT R3 package doesn't have it by default) and specify the target file without extension with '-t'. Once we start it, the tool asks a lot of questions in an interactive menu: basically everything we haven't specified on the command line (case number, description, notes, evidence number, etc.), which you can see in the screenshot below:


Then it will ask for confirmation, and will start to run:


If we start with more options, we get fewer questions:
ewfacquire -d sha1 -t /root/forensics/ewf/thumb1g -c none -D description -e cf -E 1 -g 64 -f encase6 -m removable -N nonotes -o 0 /dev/sdb


With the ewfverify tool we can check that the hash stored in the image matches a newly calculated one, which ensures that the image is not corrupted.

ewfverify -d sha1 /root/forensics/ewf/thumb1g.E01
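The fully-specified ewfacquire run and the ewfverify step above can be combined into one unattended wrapper, so an imaging job never stops at the interactive menu and the verification is not forgotten. This is an added example, not code from the original post or from libewf; it assumes the libewf tools are on PATH and that this build of ewfacquire and ewfverify accepts the -u (unattended) and -l (log file) options.

```shell
#!/bin/sh
# Added example (not from the original post): unattended EWF acquisition
# followed by verification, using the same options as the post's long
# ewfacquire command line. Assumes -u and -l are supported by this build.

# Refuse a target that already carries a segment extension (ewfacquire
# appends .E01 itself) or whose directory does not exist.
check_target() {
    case "$1" in
        *.E01|*.e01|*.s01) return 1 ;;
    esac
    [ -d "$(dirname "$1")" ]
}

# $1 source device, $2 target base path (no extension), $3 case number,
# $4 evidence number, $5 examiner, $6 description
acquire_and_verify() {
    dev=$1; target=$2; case_no=$3; ev_no=$4; examiner=$5; desc=$6
    check_target "$target" || { echo "bad target: $target" >&2; return 1; }

    # Every value the interactive menu would ask for is given here, so
    # -u (unattended) can be used; -l keeps the tool's own log next to the image.
    ewfacquire -u -d sha1 -c none -f encase6 -m removable -g 64 -o 0 \
        -C "$case_no" -E "$ev_no" -e "$examiner" -D "$desc" -N nonotes \
        -l "$target.acquire.log" -t "$target" "$dev" || return 1

    # Re-read the image and compare the stored hashes with freshly computed ones.
    ewfverify -d sha1 -l "$target.verify.log" "$target.E01" || return 1

    # Print the stored metadata so it ends up in the case record.
    ewfinfo "$target.E01"
}

# Usage (run as root, device and paths are placeholders):
#   acquire_and_verify /dev/sdb /root/forensics/ewf/thumb1g 2013-001 1 cf "1G thumb drive"
```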


With ewfinfo we can print the metadata of an ewf file.

ewfinfo /root/forensics/ewf/thumb1g.E01


ewfexport allows us to export the raw data or convert the file into another ewf format.

The latest version of libewf contains additional tools, like ewfmount, which allows us to mount an ewf file. This is useful because the ewf image file contains a lot of extra data besides the disk contents, so it's hard to work directly on the image as if it were a raw file.

Official website: http://code.google.com/p/libewf/
