Hi Team,
I received an E01 image which shows it's a Linux file system. On top of that I was informed that it's a McAfee encrypted image; now I am trying to mount the E01 file but it's not popping up a password prompt.
Since my investigation is in a Windows file system, can anyone suggest a way I can mount the Linux file system in Windows which can prompt me with the McAfee encryption window so that I can put the password in?
Any suggestions will be encouraged.
Linux file system says little.
Linux can have tens of different file systems, most probably it is an EXT2/3/4 filesystem, as they are the most common but not necessarily.
As well McAfee encryption says little, there are (were over the years) several different McAfee products related to encryption, cannot say if they are cross/back-compatible.
Anyway, if the actual filesystem is actually encrypted, strictly speaking you cannot even say that it contains a "Linux" filesystem. At the most you can say that in the partition table there is a partition with a partition ID corresponding to a (given) Linux filesystem, let's say partition ID 83
https://
(or a corresponding UEFI GUID)
Also, it would be "queer" as - AFAIK - there is no McAfee encryption product running on Linux, it could be the case of a Windows installation using an encrypted container with a Linux filesystem, say for use in a Linux VM with "direct" disk access (as opposed to a disk/drive image).
How exactly are you trying to mount the E01 image?
jaclaz
Yes Jaclaz, you are correct, McAfee is not supported for Linux. After you said so, I searched the McAfee website and it nowhere says that Linux is a supported encryption.
We are mounting the images through Encase VFS, but it seems some images are getting mounted, especially Ubuntu, but we are having problems mounting Red Hat and other Linux distributions; it says unrecognized filesystem.
Is there any way I can process Linux E01 images in Windows?
Please advise.
Is there any way I can process Linux E01 images in Windows?
Please advise.
I will try again.
There is no such thing as a "Linux image".
Linux is an operating system, nothing more, nothing less.
The E01 is a (hopefully) forensically sound image format for (usually) "whole" hard disks.
The contents of the hard disk (i.e. of the image) may be
1) all 00's or garbage
2) one or more partitions/volumes, either "plain" or encrypted and even - to include BSD - one or more "slices"
The content of each partition/volume may be
1) a "common", known, filesystem normally used on Windows OS, i.e. FAT12/16/32/64, NTFS, UDF
2) a "common", known, filesystem normally used on *nix and Linux systems, i.e. - as an example - EXT2/3/4
3) a "common", known, filesystem normally used on Macintosh systems, such as HPFS or - lesser known - APFS
4) a known filesystem used only sometimes/rarely, like - say - btrfs, zfs, reiserfs, etc.
5) a "lesser known" filesystem, specific to another OS or used in particular setups,
6) something else
Most of the above may be called "Linux image", so unless you find out what the contents of the image are, the only advice you can get for mounting/accessing it (in Encase or outside it) is
http//
In a perfect world there would be a know-it-all AI connected to Encase that would allow you to mount anything at the touch of a (big, red ? ) button, but right now you need to understand what you have in your hands, and take decisions accordingly (again within or outside Encase).
jaclaz
P.S.
We are mounting the images through Encase VFS, but it seems some images are getting mounted, especially Ubuntu, but we are having problems mounting Red Hat and other Linux distributions; it says unrecognized filesystem.
Who is the "we"?
The single "McAfee" image has become several different images?
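The point made in the replies above, that a partition ID such as 83 says nothing about what the partition actually holds, can be checked directly. The following is an added example, not code posted by anyone in this thread: it reads the MBR partition table and looks for well-known filesystem and container signatures at each partition start. It assumes the E01 has already been exposed as raw bytes, and the sample disk it runs on is constructed inline.

```python
import struct

SECTOR = 512
# (offset inside the volume, magic bytes, label): well-known on-disk signatures
SIGNATURES = [
    (1080, b"\x53\xef", "ext2/3/4"),            # superblock magic 0xEF53
    (0, b"XFSB", "XFS"),
    (0x10040, b"_BHRfS_M", "btrfs"),
    (3, b"NTFS    ", "NTFS"),
    (512, b"LABELONE", "LVM2 physical volume"),  # label in its default sector 1
    (0, b"LUKS\xba\xbe", "LUKS encrypted volume"),
]

def identify_volume(image, start):
    """Return the first signature found in the volume starting at byte `start`."""
    for offset, magic, label in SIGNATURES:
        pos = start + offset
        if image[pos:pos + len(magic)] == magic:
            return label
    return "unrecognized (encrypted, wiped, or a type not listed here)"

def parse_mbr(image):
    """List (number, partition ID, start LBA, sectors, content) per MBR entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    found = []
    for i in range(4):
        ptype = image[446 + 16 * i + 4]
        lba, count = struct.unpack_from("<II", image, 446 + 16 * i + 8)
        if ptype == 0x00:
            continue  # unused slot
        if ptype == 0xEE:
            content = "GPT protective entry (parse the GPT header instead)"
        else:
            content = identify_volume(image, lba * SECTOR)
        found.append((i + 1, ptype, lba, count, content))
    return found

def build_sample():
    """Constructed 16 KiB disk: three ID-0x83 partitions with different contents."""
    img = bytearray(32 * SECTOR)
    for i, lba in enumerate((8, 16, 24)):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, 0x83, lba, 8)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 1080:8 * SECTOR + 1082] = b"\x53\xef"   # ext superblock magic
    img[16 * SECTOR:16 * SECTOR + 4] = b"XFSB"               # XFS superblock magic
    img[24 * SECTOR:32 * SECTOR] = bytes(range(256)) * 16    # stand-in for ciphertext
    return bytes(img)

if __name__ == "__main__":
    for num, ptype, lba, count, content in parse_mbr(build_sample()):
        print(f"partition {num}: ID 0x{ptype:02X}, LBA {lba}, {count} sectors -> {content}")
```

All three sample partitions carry ID 0x83, yet only the first two contain a recognizable filesystem; the third matches nothing, which is what an encrypted or unsupported volume looks like to a mounting tool.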