ewf file (E01) writ...
 
Notifications
Clear all

ewf file (E01) write back to disk - how?

wechselberger
(@wechselberger)
New Member

Excuse my bad english……

I have made EWF Images (E01) from an external hard drive. I'm supposed to determine which changes to the timestamps of the files resulting from different operating systems at the opening, copying, reproduction, etc..

Therefore, I want to restore the EWF Image whenever you need them on the external drive.

I am aware that you can write back e01 Images to a hard disk with X-ways Forensics. However, the timestamp of some files are changed, so that the hash value is no longer correct under windows after completing the back rubbing. Currently I have the E01-Image converted to a dd-image and write it back with Linux to the external disk.

Is there a way in Linux, the E01-file write back directly to the disk ?

Thank you

Kurt W.

Quote
Topic starter Posted : 02/05/2014 7:43 pm
wechselberger
(@wechselberger)
New Member

I think I've found a way.

I use xmount from –> https://www.pinguin.lu/index.php

1. xmount –in ewf –out dd –cache ~/acquired/MyDisk.cache ~/acquired/MyDisk.E?? ~/MountPoint
2. write with dd or dcfldd or dc3dd the image to the external disk.

K.W.

ReplyQuote
Topic starter Posted : 03/05/2014 3:38 pm
binarybod
(@binarybod)
Active Member

ewfexport is part of the libewf suite and a bit easier to use.
ewfexport myAcquiredImage.E01 will do the trick. The tool itself will prompt you for the required information. The default output is raw so outputting this to /dev/sd? will write the contents of the .E01 file back to disk.

ReplyQuote
Posted : 09/05/2014 1:20 am
wechselberger
(@wechselberger)
New Member

OK. Thanks.

Kurt W.

ReplyQuote
Topic starter Posted : 10/05/2014 5:45 pm
Share: