E01 metadata

8 Posts
4 Users
0 Likes
1,628 Views
Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Howdy all,

I have an E01 image file that I would like to review for metadata. You know, the investigator name, case notes, MD5 hash, whatever is included as metadata.

I don't have EnCase – Just P2C and FTK Imager. What software would you folks recommend for viewing this metadata?

 
Posted : 17/08/2012 11:23 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Hi,

This document specifies the structure of the E01 format:

http://code.google.com/p/libewf/downloads/detail?name=Expert%20Witness%20Compression%20Format%20%28EWF%29.pdf

Using that you should be able to decode the header manually.

Thanks,

Chris

 
Posted : 17/08/2012 12:19 pm
Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Thank you Chris. I looked at that – that's for Linux. I need something for Windows – any suggestions?

 
Posted : 18/08/2012 2:00 am
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

Samuel,

The headers mentioned in that excellent paper Chris linked can be seen from any hex editor. Windows has many free hex editors from which to choose

http://cnet.co/S2MhV5

 
Posted : 18/08/2012 2:41 am
(@joachimm)
Posts: 181
Estimable Member
 

Thank you Chris. I looked at that – that's for Linux. I need something for Windows – any suggestions?

No offence apparently you did not look thoroughly at it. It will perfectly compile on Windows.

 
Posted : 18/08/2012 2:44 am
(@joachimm)
Posts: 181
Estimable Member
 

Samuel,

The headers mentioned in that excellent paper Chris linked can be seen from any hex editor. Windows has many free hex editors from which to choose

http://cnet.co/S2MhV5

Now I'm intrigued, which hex editor shows the deflate compressed data as uncompressed?

 
Posted : 18/08/2012 2:46 am
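
To illustrate the point about deflate-compressed data, here is an added example (not part of any post in this thread and not libewf code) that walks the section chain of an E01 segment and inflates the header section. It assumes the layout described in the EWF specification linked above: a 13-byte file header, 76-byte section descriptors, zlib-compressed tab-separated header text, and a hash section that starts with the 16-byte MD5. The sample segment and its case values are constructed.

```python
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_SIZE = 13                      # signature, 0x01, segment number, 0x0000
DESCRIPTOR = struct.Struct("<16sQQ40sI")   # type, next offset, size, padding, Adler-32


def iter_sections(data):
    """Yield (section type, payload bytes) for each section of one segment."""
    if data[:8] != EVF_SIGNATURE:
        raise ValueError("not an EWF (E01) segment file")
    offset = FILE_HEADER_SIZE
    while offset + DESCRIPTOR.size <= len(data):
        raw = data[offset:offset + DESCRIPTOR.size]
        stype, next_offset, size, _padding, checksum = DESCRIPTOR.unpack(raw)
        if zlib.adler32(raw[:72]) != checksum:
            raise ValueError(f"descriptor checksum mismatch at offset {offset}")
        yield stype.rstrip(b"\x00").decode("ascii"), data[offset + 76:offset + size]
        if next_offset <= offset:          # the final section points at itself
            break
        offset = next_offset


def read_metadata(data):
    """Return acquisition fields from the header section plus the stored MD5."""
    meta = {}
    for name, payload in iter_sections(data):
        if name in ("header", "header2") and "fields" not in meta:
            text = zlib.decompress(payload)    # the step a hex editor cannot do
            text = text.decode("utf-16" if name == "header2" else "ascii", "replace")
            lines = text.replace("\r\n", "\n").split("\n")
            # line 0: category count, 1: "main", 2: identifiers, 3: values
            meta["fields"] = dict(zip(lines[2].split("\t"), lines[3].split("\t")))
        elif name == "hash":
            meta["md5"] = payload[:16].hex()
    return meta


def build_sample_segment():
    """Constructed minimal segment (header + hash sections) to exercise the parser."""
    def section(stype, payload, offset):
        size = DESCRIPTOR.size + len(payload)
        head = struct.pack("<16sQQ40s", stype, offset + size, size, b"")
        return head + struct.pack("<I", zlib.adler32(head)) + payload
    text = "1\nmain\nc\tn\te\tt\n2012-001\tHDD-01\tJ. Doe\tconstructed sample\n\n"
    out = EVF_SIGNATURE + b"\x01" + struct.pack("<HH", 1, 0)
    out += section(b"header", zlib.compress(text.encode("ascii")), len(out))
    out += section(b"hash", bytes(range(16)) + bytes(20), len(out))
    return out
```

In the header text, `c` is the case number, `n` the evidence number, `e` the examiner and `t` the notes. For a real image, pass an `mmap` of the first segment file rather than reading the whole file into memory.
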
Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Thank you Chris. I looked at that – that's for Linux. I need something for Windows – any suggestions?

No offence apparently you did not look thoroughly at it. It will perfectly compile on Windows.

No offense intended either, but I did spend a fair bit of time with that .tar.gz file, and reading it quite a bit. I don't know how to compile it or to get it to function in Windows. I am sure it works, I just don't know how to get it to work is all –

 
Posted : 22/08/2012 9:19 am
(@joachimm)
Posts: 181
Estimable Member
 

Thank you Chris. I looked at that – that's for Linux. I need something for Windows – any suggestions?

No offence apparently you did not look thoroughly at it. It will perfectly compile on Windows.

No offense intended either, but I did spend a fair bit of time with that .tar.gz file, and reading it quite a bit. I don't know how to compile it or to get it to function in Windows. I am sure it works, I just don't know how to get it to work is all –

Most of the Windows compilation is described in README.dll, but if you're not familiar with building code from source it can be a bit brief. It's not that difficult, let's try option 1 (below) first; that might be the easiest for you.

Extract the libewf package from both the gz and the tar (7z can help you with that)

First you'll need a compiler for Windows; you have the following options:
1. Visual Studio (free Express version available, which is sufficient)
2. Codegear
3. MinGW
4. Cygwin

For both option 1 and 2 you'll need the zlib source (http://zlib.net/)

For option 1 extract the zlib source into libewf/msvsvcp/
Open libewf/msvsvcp/libewf.sln (VS 2010 or later will ask you to convert the project files, which is fine)
Build solution
The executables end up in libewf/msvsvcp/Release/
On other systems the executables require the corresponding Visual Studio Runtime DLLs

For option 2 extract the zlib source into libewf/borland/
Open libewf/borland/codegear/libewf.groupproj
Make or build or projects
The executables end up in libewf/borland/codegear/Release/

Option 3 and 4 are more Linux like but will spit out Windows compatible executables

If you need more help on this just let me know

 
Posted : 22/08/2012 10:39 am