Security Slice

ewfmount

ewfmount

Description

A command line tool for creating a mount file from a disk image. Use ewfmount to mount the EWF format (Expert Witness
Compression Format)

PlatformLinux
AuthorJoachim Metz
LicenseGPLv3
URLewfmount.c

Usage

Usage: ewfmount [ -f format ] [ -X extended_options ] [ -hvV ]
                ewf_files mount_point
 
    ewf_files:   the first or the entire set of EWF segment files
 
    mount_point: the directory to serve as mount point
 
    -f:          specify the input format, options: raw (default),
                 files (restricted to logical volume files)
    -h:          shows this help
    -v:          verbose output to stderr
                 ewfmount will remain running in the foreground
    -V:          print version
    -X:          extended options to pass to sub system

Examples

ewfmount win7-32-nromanoff-c-drive.E01 /mnt/ewf_mount

This command creates a mount file.

root@siftworkstation:/home/sansforensics/netwars/romanoff# cd /mnt/ewf_mount
root@siftworkstation:/mnt/ewf_mount# ll
total 4
drwxr-xr-x  2 root root           0 Jan  1  1970 ./
drwxr-xr-x 23 root root        4096 Jul 25  2016 ../
-r--r--r--  1 root root 26578255872 Jul 24 17:54 ewf1

You can then mount it with this command:

root@siftworkstation:/mnt/ewf_mount# mount -o ro,loop,show_sys_files,streams_interface=windows ewf1 /mnt/romanoff/
root@siftworkstation:/mnt/ewf_mount# cd /mnt/romanoff/
root@siftworkstation:/mnt/romanoff# ll
total 3736025
drwxrwxrwx  1 root root       4096 Apr  4  2012 ./
drwxr-xr-x 24 root root       4096 Jul 24 17:55 ../
-rwxrwxrwx  1 root root       2560 Nov 10  2010 $AttrDef*
-rwxrwxrwx  1 root root         24 Jun 10  2009 autoexec.bat*
-rwxrwxrwx  1 root root          0 Nov 10  2010 $BadClus*
-rwxrwxrwx  1 root root     811104 Nov 10  2010 $Bitmap*
drwxrwxrwx  1 root root       8192 Sep 17  2011 Boot/
-rwxrwxrwx  1 root root       8192 Nov 10  2010 $Boot*
-rwxrwxrwx  1 root root     383786 Nov 20  2010 bootmgr*
-rwxrwxrwx  1 root root       8192 Nov 10  2010 BOOTSECT.BAK*
-rwxrwxrwx  1 root root         10 Jun 10  2009 config.sys*
lrwxrwxrwx  2 root root         60 Jul 14  2009 Documents and Settings -> /mnt/romanoff//Users/
drwxrwxrwx  1 root root          0 Nov 10  2010 $Extend/
-rwxrwxrwx  1 root root 1610211328 Apr  4  2012 hiberfil.sys*
-rwxrwxrwx  1 root root   67108864 Nov 10  2010 $LogFile*
-rwxrwxrwx  1 root root       4096 Nov 10  2010 $MFTMirr*
drwxrwxrwx  1 root root          0 Nov 10  2010 MSOCache/
-rwxrwxrwx  1 root root 2146951168 Apr  4  2012 pagefile.sys*
drwxrwxrwx  1 root root          0 Jul 14  2009 PerfLogs/
drwxrwxrwx  1 root root       4096 Aug 30  2011 ProgramData/
drwxrwxrwx  1 root root       8192 Mar 15  2012 Program Files/
drwxrwxrwx  1 root root          0 Nov 10  2010 Recovery/
drwxrwxrwx  1 root root       4096 Apr  4  2012 $Recycle.Bin/
----------  1 root root          0 Nov 10  2010 $Secure
drwxrwxrwx  1 root root       8192 Apr  4  2012 System Volume Information/
-rwxrwxrwx  1 root root     131072 Nov 10  2010 $UpCase*
drwxrwxrwx  1 root root       4096 Apr  3  2012 Users/
-rwxrwxrwx  1 root root          0 Nov 10  2010 $Volume*
drwxrwxrwx  1 root root      16384 Apr  4  2012 Windows/

Blog Posts