New Libewf, Expert Witness file format library, release

by

Ewfacquire acquires disk images faster than with EnCase LiNen. The ewftool ‘ewfacquire’ has been profiled and also been optimized. From test on the same hardware the ewfacquire tool was in most tests significantly faster than EnCase LiNen 5.04. Especially when compression was used LiNen was outperformed. The ewfacquire tool can also be used to swap byte order, comparable to the dd swab conversion. This allows to swap between big and little endian conversion, which is a useful feature for examining media from certain appliances like Digital Video Recorders…Projects using libewf
In the last year several projects have start using libewf to provide for EWF support. Some of these are The SleuthKit, CarvFS, AFFlib, TestDisk and PhotoRec.

These projects can be found at:
http://www.sleuthkit.org
http://ocfa.sourceforge.net/libcarvpath
http://www.cgsecurity.org
http://www.afflib.org

Libewf In-file (in-place) carving with PhotoRec
Libewf has been integrated into PhotoRec. PhotoRec by Christophe Grenier is currently one of the most advanced file carvers which supports carving from a lot of different file types. New and great functionality has been added to PhotoRec. It now offers in-place file carving. This means that the PhotoRec carver is file system- and EWF file aware and can directly access the unallocated space on a file system in EWF files. Currently PhotoRec 6.7 supports FAT16/FAT32 and NTFS file systems.

Contributors
We would like to thank the contributors for their support.

Mount-ewf
We would to thank David Loveall for creating the mount-ewf tool. With this new application it’s possible to mount the media data in EWF files forensically as read-only devices. This allows you to access partitions directly as devices. Mount-ewf is depended on Fuse.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Pyewf
We would to thank Dennis Schreiber for creating the pyewf tool
Pyewf is a wrapper ‘gui’ script around the ‘ewfacquirestream’ tool. It allows you the create multiple images in batch with additional logging.

Project Website
The libewf project can be found at:
https://www.uitwisselplatform.nl/projects/libewf/

Authors
Joachim Metz and Robert-Jan Mora from Hoffmann Investigations, Almere, The Netherlands

Leave a Comment

Latest Articles

Introducing XRY 11.0.1 From MSAB
News

Introducing XRY 11.0.1 From MSAB

ByMSABMay 15, 2025
“You Knew What You Were Signing Up For” – A Harmful Narrative In DFIR?
ArticlesWell-being

“You Knew What You Were Signing Up For” – A Harmful Narrative In DFIR?

ByForensic FocusMay 15, 2025
Amped Authenticate Update Empowers Investigators With Expanded Tools For Deepfake Detection And Video Integrity Analysis
News

Amped Authenticate Update Empowers Investigators With Expanded Tools For Deepfake Detection And Video Integrity Analysis

ByAmpedSoftwareMay 15, 2025
Digital Forensics Round-Up, May 14 2025
News

Digital Forensics Round-Up, May 14 2025

ByForensic FocusMay 14, 2025
Detego Global Announces Sponsorship Of British Police Rugby Team’s Centenary Tour Of South Africa
News

Detego Global Announces Sponsorship Of British Police Rugby Team’s Centenary Tour Of South Africa

ByDetego Digital ForensicsMay 14, 2025
Hexordia’s Jessica Hyde: Navigating The Future Of Digital Forensics
Podcast

Hexordia’s Jessica Hyde: Navigating The Future Of Digital Forensics

ByForensic FocusMay 13, 2025