Defensible Data Collection Techniques in the Enterprise

In E-discovery: Creating and Managing an Enterprisewide Program, 2009

PCs

Forensic images are a typical collection technique for PCs regardless of the operating system (Windows, Macintosh, Linux) they use. You can create them either with software or with specialized hardware devices.

EnCase is one of the most common image file formats produced by forensic imaging. An EnCase image (the evidence file format usually seen with the .e01 extension) is a proprietary file type created by Guidance Software's EnCase software for use with its own packages. EnCase images are byte-level images with built-in cyclic redundancy checks (CRCs) stored alongside the data, so the EnCase software detects when any part of the image file has been changed. Depending on the edition of EnCase used (Forensic Edition, Enterprise Edition) and the options selected (physical disk, logical volume, logical files), it can produce several kinds of image. In addition to its own image files, EnCase can read dd image files.

“dd” is a Unix copy program that also copies data at the byte level. Many variants of dd have been developed, including forensic implementations that automatically compute hash values of the image and log any read errors. Many forensic practitioners run dd from Helix, a “live” Linux CD, that is, a self-contained operating system that boots from the CD. Helix is a forensic Linux distribution that leaves every drive attached to the machine write-protected until the user explicitly indicates otherwise.
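What a forensic dd variant adds on top of plain dd is easier to see in code than in prose. The following is an added example, not code from the book or from any dd distribution: it emulates `dd if=/dev/sdX of=evidence.dd bs=512 conv=noerror,sync` in Python, hashing the image as it is written and logging every read error with its byte offset. The `BadSectorSource` class is a constructed stand-in for a failing disk, and the 2048-byte device content is constructed for the example.

```python
"""Byte-level acquisition in the style of a forensic dd variant.

Added example, not code from the book or from any dd distribution.  It
emulates

    dd if=/dev/sdX of=evidence.dd bs=512 conv=noerror,sync

and adds the two things forensic dd builds add on top: a hash of the
image computed as it is written, and a log recording every read error
with its byte offset.  A block that cannot be read is replaced by zeros
(conv=sync) so that every later byte keeps its original offset.
"""
import hashlib
import os
import tempfile


class BadSectorSource:
    """Constructed stand-in for a block device with unreadable sectors.

    Hypothetical helper for the example: `data` is the device content and
    any read inside a block listed in `bad_blocks` raises OSError, as the
    kernel does for a failing disk.  A real acquisition opens /dev/sdX.
    """

    def __init__(self, data, bad_blocks, block_size):
        self.data, self.bad, self.bs, self.pos = data, set(bad_blocks), block_size, 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos // self.bs in self.bad and self.pos < len(self.data):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def acquire(source, image_path, log_path, block_size=512):
    """Copy `source` into `image_path` block by block.

    On a read error the block is logged, zero-filled and skipped
    (dd's conv=noerror,sync); a short final block is padded to a full
    block, as conv=sync does.  Returns {"bytes", "errors", "sha256"}.
    """
    sha = hashlib.sha256()
    errors = []
    offset = 0
    with open(image_path, "wb") as out, open(log_path, "w") as log:
        log.write(f"block size: {block_size}\n")
        while True:
            try:
                chunk = source.read(block_size)
            except OSError as exc:
                errors.append(offset)
                log.write(f"read error at offset {offset}: {exc}\n")
                chunk = b"\x00" * block_size
                source.seek(offset + block_size)  # noerror: skip the bad block
            if not chunk:
                break
            chunk = chunk.ljust(block_size, b"\x00")  # sync: pad short reads
            out.write(chunk)
            sha.update(chunk)
            offset += block_size
        digest = sha.hexdigest()
        log.write(f"bytes written: {offset}\nread errors: {len(errors)}\nsha256: {digest}\n")
    return {"bytes": offset, "errors": errors, "sha256": digest}


def verify_image(image_path, expected_sha256, read_size=1 << 20):
    """Re-hash the image file from disk and compare with the recorded hash;
    this is the check to run before the image is ever examined."""
    sha = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(read_size), b""):
            sha.update(chunk)
    return sha.hexdigest() == expected_sha256


def demo():
    """Image a constructed 2048-byte 'device' whose third 512-byte sector
    is unreadable, then verify the result.  Returns the acquisition
    record (with the log text), the image bytes and the verification outcome."""
    data = bytes(range(256)) * 8  # constructed device content
    src = BadSectorSource(data, bad_blocks={2}, block_size=512)
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        log = os.path.join(d, "evidence.log")
        rec = acquire(src, img, log)
        verified = verify_image(img, rec["sha256"])
        with open(img, "rb") as f:
            image = f.read()
        with open(log) as f:
            rec["log"] = f.read()
    return rec, image, verified


if __name__ == "__main__":
    record, _, ok = demo()
    print(record["log"], "verified:", ok)
```

The hash recorded in the log is the hash of the stream as it was read, zero-filled blocks included, so a later re-hash of the image file must match it exactly; the log is what lets you explain in court why a 512-byte run of zeros at offset 1024 is not evidence of anything.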

AccessData's FTK Imager can create dd- and EnCase-formatted images, and its Forensic Toolkit (FTK) will read certain versions of EnCase image files as well as dd.

Norton Ghost images are often provided to consultants with the representation that an image of the data was created. Ghost is a tool initially created for IT professionals to quickly clone data across numerous drives (such as a base “image” for a corporate hard-drive setup). By default, Ghost performs only logical volume copies. You can use Ghost to capture a sector-level image of a drive, but to capture every sector of a hard drive the user must change the program's default operation. Ghost does not hash what it writes; you must use a third-party application to compute the hash value of the Ghost image files.

A variety of handheld hardware devices can also create forensic hard-drive images. From an e-discovery perspective, the end result is the same: the production of a forensic image. Although handheld devices may offer slight advantages in speed and portability, their use is a matter of preference because their functionality is limited.

Logical file captures of PC data may also be appropriate based on the circumstances of the collection. We will discuss logical file collection tools in the next section, as you can use the tools for both forms of ESI.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492966000067

Acquiring Data, Duplicating Data, and Recovering Deleted Files

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

FTK Imager

FTK Imager is an imaging tool developed by AccessData (www.accessdata.com) that allows you to preview data and assess potential evidence on a machine. Using this tool, you can make a forensic image of the data, duplicating everything on the machine so that all further work is done on the copy and the original data is never modified. By previewing the contents of the image and reviewing the duplicated data, you can then determine whether additional analysis is required using the Forensic Toolkit (FTK).

Using FTK, you can view forensic images of hard disks, floppy disks, CDs, DVDs, and other storage media that were created with FTK Imager, or you can view images created with other tools. It will read image files created with ICS, SafeBack, and forensic, uncompressed images created with Ghost, and read or write image files in EnCase, dd raw, SMART, and FTK image formats. This means that even if another organization or person with different software created a forensic image, you can still view the image file and determine whether it contains any evidence. This is particularly useful in situations such as when an internal investigation was conducted, a forensic image was created from a suspect computer, and police now need to view the evidence that was acquired.

In addition to the image file formats that can be made for analyzing disks, there are also a number of file formats that can be read and created for CD and DVD forensics. These include ISOBuster CUE, CloneCD, Alcohol, PlexTools, Virtual CD, and many others.

As shown in Figure 7.5, FTK Imager provides an easy-to-use interface. Once an evidence file is opened, you can view the folder structure in the Evidence Tree, located in the upper left-hand pane. By selecting a folder, you can then view files stored in that folder in the File List, located in the upper-right pane. To preview a particular file, you can select it in the upper pane, and view an image of pictures, hexadecimal data, text, and previews of other data in the lower right-hand pane. You can view additional information on the file, including any DOS attributes the file might have, in the Properties pane in the lower left-hand side of the screen.

Figure 7.5. FTK Imager

Using FTK Imager to create a forensic image is relatively easy, as seen in the step-by-step instructions provided here, which outline how to acquire data from a CD/DVD or floppy. You would follow similar steps to acquire data from other media.

1. Once FTK Imager has been installed, from the Windows Start menu, select Programs | AccessData | FTK Imager and then click on the FTK Imager menu item.

2. When the program opens, click on the File menu, and then click on the Add Evidence Item menu item.

3. When the Select Source dialog box appears, click on the option labeled Logical Drive. Click the Next button.

4. When the Select Drive dialog box appears, select the drive containing your floppy disk or CD. Click Finish.

5. When the Create Image dialog box appears, click Add.

6. When the Select Image Destination dialog box appears, specify where the image file will be stored by entering a path into the field labeled Image destination folder.

7. In the field labeled Image filename, enter the name you'd like to give the file without an extension. Click Finish.

8. When the Create Image dialog box appears again, click Start.

9. Wait while FTK Imager creates a forensic image file of the data on the drive you specified. This may take several minutes. Once the Status field indicates Image created successfully, click the Close button.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000078

Securing e-Discovery

Scott R. Ellis EnCE, RCA, RCIA, in Computer and Information Security Handbook (Second Edition), 2013

Mounting

Subsequently, for processing, the forensic images are mounted as drive letters. Mount them read-only: nothing is written to the image, so the hash verified at acquisition remains valid. Performing a virus scan at this stage is not necessary. Because the files are read-only, if a virus were found nothing could be done except to note it and exclude the file, or mark it for manual review if it is a relevant file; depending on the method and software used to process the data, this is one of the options. At this stage, forensic tools are used to cull the data, and viruses that exist in system files may be ignored if they are in uninteresting locations. As part of culling, other processes may simply export all data from the mounted layer to a secondary staging area, then scan the entire area and quarantine infected files. Infected files may, of course, include files that are relevant, so a virus-scanning utility that can clean infected files rather than only delete them should be used.

URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000350

Using the DTF model to process digital media

Stephen Pearson, Richard Watson, in Digital Triage Forensics, 2010

Processing the suspect image using P2 Commander

P2 Commander can open the common forensic image formats. The steps below will allow you to open any image file, including the raw image file that was just created. You can download the demo file from the Paraben site at http://www.paraben.com/programs/demo.html. Remember, we are conducting digital triage forensics, so we are not going to process the entire image file immediately. If you have time after doing the DTF analysis, you can continue to process the image file, as P2 Commander has full-featured digital forensic capability. Initially, we are going to use the automatic wizards to categorize the data on the drive into containers that will allow us to quickly find actionable intelligence or to identify digital media of importance. We are using the stock help files provided in P2 Commander to describe the initial analysis of the image file for the purposes of this tutorial, with modifications to fit the DTF process. Follow the steps below to begin the DTF process using P2 Commander:

1. Find the icon on the desktop for P2 Commander (see Figure 4.61).

Figure 4.61. P2 Commander icon.

2. Double click on the P2 Commander icon.

3. The P2 Commander application will launch.

4. When the program opens, you will have the option to open a case or create a new case (see Figure 4.62).

Figure 4.62. P2 Open screen.

5. Select Create a New Case (see Figure 4.63).

Figure 4.63. New Case wizard.

6. The New Case wizard will appear.

7. On the Case Properties tab, enter the case name. Use only alphanumeric characters; do not use any special characters in the file name or the folder name. The case name field is required (see Figure 4.64).

Figure 4.64. Case properties.

8. Uncheck the image analyzer, as we are not going to use it; this also speeds up processing.

9. Select the Additional Information tab, enter the investigator information, and click the Finish button. Note: Once the entered information is saved, it will appear in a drop-down list for future cases (see Figure 4.65).

Figure 4.65. Additional information screen.

10. Select the folder in which the case will be stored.

11. The new case is created and the Add New Evidence wizard opens.

12. If the Add New Evidence wizard does not open, select File > Add Evidence, click the Add New Evidence quick tool button, press CTRL+A, or right-click on the case and select Add New Evidence from the context menu.

13. The Add New Evidence wizard opens (see Figure 4.66).

Figure 4.66. Add New Evidence wizard.

14. Select the Image File category in the source type list (any of the other categories can be used, depending on what you are trying to capture) (see Figure 4.67).

Figure 4.67. Image File category.

15. Click on the Autodetect option in the right pane.

16. Browse to the location of the image file (this is the file you created using the replicator application earlier).

17. A dialog box opens for the evidence name. This name identifies the image file in the Case Explorer (see Figure 4.68).

Figure 4.68. Enter evidence name.

18. Click OK, and the image will be added to the Case Explorer.

19. We need to sort all the data into the categories we talked about earlier. P2 Commander's wizard will sort the data into 15 categories:

a. Documents
b. E-mail
c. Chats
d. Spreadsheets
e. Graphics
f. Databases
g. Executable
h. Compressed
i. Multimedia
j. Text
k. XML
l. Encrypted
m. Others
n. Image analyzer results
o. Unallocated files

Image Analyzer

We do not use the image analyzer for digital triage forensics. It is a very useful feature, so I want to cover it in this sidebar. Paraben's definition and use of the image analyzer follows:

The image analyzer feature allows you to find images that potentially include pornography.

This illicit image detector scans all images to determine attributes that indicate the image may be of a pornographic nature. It uses sophisticated, analytical processes consisting of thousands of algorithms. These include 11 different detection methods to provide enough information to reliably distinguish between pornographic and nonpornographic images.

To run the image analyzer, check the “Use Image Analyzer” checkbox on the general options page of the P2 Commander sorting engine wizard.

After sorting, the graphic files will be sorted into three categories in the sorted files pane: Highly Suspect, Suspect, and Low Suspect (these folders are subfolders of the image analyzer results folder).

Note: For large files (larger than 10 MB), image analyzer checks whether there is enough memory to load and analyze them. If there is not enough memory, then these files are skipped and the corresponding information is added to the common log.

You can define the options of the image analyzer on the Image Analyzer options page of the P2 Commander sorting engine.

The following options are available:

Engine sensitivity: The larger the value of the engine sensitivity, the more images will be put in the “Highly suspected” and “Suspected” categories. Keep in mind that increasing the sensitivity will also increase the number of false positives (nonpornographic images placed in the wrong category).

Use file filter: If this checkbox is checked, then only files of the defined size will be checked by the image analyzer.

Use resolution filter: If this checkbox is checked, then only images of the defined size will be checked by the image analyzer.

Note: Files that were not checked by the image analyzer, owing to filtering options or because they are too big, are stored in the graphics folder.

20. Expand the case node by clicking on the + sign next to the case.

21. Expand the node next to Partition Parser.

22. Expand each partition to identify the type of format that each partition is using (see Figure 4.69).

Figure 4.69. Partition view.

23. Right click on the format name, such as FAT or NTFS. From the dropdown menu, choose the sorting command.

24. Repeat the above step until all the containers are being sorted. Note: As you start more sorts, the system will process each sort more slowly, because every running sort consumes resources. It is sometimes better to run one at a time.

25. If there are hash databases attached to the case and the “Calculate MD5” option was selected before sorting, then after sorting you'll be asked to link sorted files to the hash databases. Click OK to start linking. Note: Linking can be done any time after sorting.

26. Sorted files/folders are marked in blue after refreshing. Sorted and linked files are marked in purple.

27. The results of sorting can be seen in the “Sorted Files” pane. Files are sorted into categories according to their file types. Caution: If a folder's contents have changed (data was added to it), you should clear sorting and then sort the folder again to get all its data indexed properly (see Figure 4.70).

Figure 4.70. Sorting pane.

28. Now that the sorts are running, you can select the Sorted tab under the “Case Explorer” pane. This will show the categories that data will be placed into. Double click on the Graphics category. The sorted graphics will appear in the left-hand pane within a minute or two. This is not the comprehensive or complete list yet; you will not get the comprehensive list until you have allowed the program to finish sorting. You can, though, immediately begin reviewing the graphics. Press the F5 key every 35-40 s to see the new files found. Note: When you press the F5 key, it will take you back to the beginning and refresh the entire listing. Once the sort has been completed, an entry will appear in the completed window of the Tasks tab at the bottom of the screen (see Figure 4.71).

Figure 4.71. Sorted graphics screen.

29. Now we can move on to bookmarking the files we have found of interest.
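Steps 19, 25 and 27 describe two mechanisms without showing them: sorting files into categories by file type, and linking each file's MD5 to a hash database. The following is an added example, not Paraben's code: a small sorting engine that categorizes files from their leading bytes (their signature) rather than their extension, sends unrecognized high-entropy files to Encrypted, and marks files whose MD5 appears in a known-hash set. The signature table, the sample files (including a JPEG renamed to .txt) and the one-entry hash database are all constructed for the example.

```python
"""Sort files into P2 Commander-style categories and link known hashes.

Added example, not Paraben's code.  It shows the mechanism behind the
sorting engine and the "Calculate MD5" / hash-database linking: each
file is categorized from its leading bytes (its signature) rather than
its extension, because renaming a file is the first thing a suspect
does; a file with no known signature that is not plain text and has
near-maximal entropy goes to Encrypted; and each file's MD5 is looked up
in a known-hash database so known files can be skipped (or, for a
bad-file set, flagged) during review.  Signature table, sample files and
hash database are all constructed for the example.
"""
import hashlib
import math
from collections import defaultdict

# (leading bytes, category).  Only some of the categories from step 19 are
# covered; a real sorting engine carries hundreds of signatures.  Modern
# Office files (.docx, .xlsx) are ZIP containers and would land in
# Compressed unless the sorter looks inside the archive.
SIGNATURES = [
    (b"%PDF-", "Documents"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Documents"),  # OLE2 (legacy Office)
    (b"\xff\xd8\xff", "Graphics"),                        # JPEG
    (b"\x89PNG\r\n\x1a\n", "Graphics"),
    (b"GIF8", "Graphics"),
    (b"PK\x03\x04", "Compressed"),                        # ZIP
    (b"\x1f\x8b", "Compressed"),                          # gzip
    (b"MZ", "Executable"),                                # Windows PE
    (b"\x7fELF", "Executable"),
    (b"SQLite format 3\x00", "Databases"),
    (b"<?xml", "XML"),
    (b"ID3", "Multimedia"),                               # MP3 with ID3 tag
    (b"RIFF", "Multimedia"),                              # WAV / AVI
]


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for
    uniformly distributed bytes (what encrypted or compressed data looks like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def categorize(data):
    """Return the category for one file's content; the file name is ignored."""
    for magic, category in SIGNATURES:
        if data.startswith(magic):
            return category
    if data and all(b in b"\t\n\r" or 32 <= b < 127 for b in data):
        return "Text"
    # Unrecognized and nearly random: treat as Encrypted so a reviewer
    # looks at it; the size floor avoids flagging tiny files by accident.
    if len(data) >= 256 and shannon_entropy(data) > 7.5:
        return "Encrypted"
    return "Others"


def sort_files(files, known_md5):
    """files: {name: content bytes}; known_md5: {md5 hex: label}.

    Returns (by_category, linked): by_category maps each category to the
    sorted file names placed in it, linked maps file name to the database
    label for every file whose MD5 matched the hash database."""
    by_category = defaultdict(list)
    linked = {}
    for name, data in files.items():
        by_category[categorize(data)].append(name)
        digest = hashlib.md5(data).hexdigest()
        if digest in known_md5:
            linked[name] = known_md5[digest]
    return {k: sorted(v) for k, v in by_category.items()}, linked


def demo():
    """Run the sorter over constructed sample files and a one-entry hash set."""
    files = {
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "photo.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(64),  # JPEG renamed
        "notes.txt": b"Meeting at 10:00 with J. Doe.\nBring the USB key.\n",
        "backup.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + bytes(32),
        "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56),
        "vault.bin": bytes(range(256)) * 4,  # uniform bytes: entropy 8.0
        "blob.dat": bytes(300),              # zeros: entropy 0.0, not text
    }
    # Constructed hash database: one known-good entry keyed by MD5.
    known = {hashlib.md5(files["setup.exe"]).hexdigest(): "known-good installer stub"}
    return sort_files(files, known)


if __name__ == "__main__":
    categories, links = demo()
    for category, names in sorted(categories.items()):
        print(f"{category}: {', '.join(names)}")
    print("linked:", links)
```

Note that `photo.txt` lands in Graphics and `vault.bin` in Encrypted purely from content; a sorter keyed on extensions would have put both in Text or Others, which is exactly where a suspect would want them.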

URL: https://www.sciencedirect.com/science/article/pii/B9781597495967000048

AI and Cloud Computing

Bin Yang, ... Enguo Cao, in Advances in Computers, 2021

7 Research directions in the field

While deep learning has emerged as a hot research direction in the image forensics field, our study revealed some gaps in existing research outcomes. Image forensics should be able to detect almost all types of forgery rather than focusing on a particular type. The techniques we reviewed represent important results for image forensics, especially considering that the problems they tackle were previously (almost) unexplored, and a large set of tools is now available for investigating image forensics. Despite the progress made by many researchers, big challenges continue to emerge. For example, there is a pressing need to extend image forensics to video forensics: more and more forgery techniques are threatening the reliability of video, which can be divided into static frames to which image techniques apply. Effective schemes for video forensics need to be established in future research.

URL: https://www.sciencedirect.com/science/article/pii/S0065245820300814

Case Management and Imaging

Brett Shavers, Eric Zimmerman, in X-Ways Forensics Practitioner’s Guide, 2014

Creating forensic images with XWF

The most common type of imaging you will encounter is the imaging of hard disks from a “dead box” system. All “dead box” means is that a computer is powered off as opposed to being powered on with the operating system running, i.e., a “live box.”

Once you have one or more hard drives, you need to make them available to the computer on which XWF is running. To do this, use a forensic write blocker, which prevents any changes from being made to the hard drive during the imaging process. In short, Windows needs to “see” at least a physical device on the computer, regardless of whether it has a drive letter under My Computer.

Once the hard drive is connected to the write blocker, the write blocker is powered on and Windows detects the drive, we are ready to image the disk.

For most imaging jobs, XWF will be used without creating a case. That is, XWF will be opened and only used to create a forensic image of one or more pieces of digital media. To create an image, press F9 or use the Tools | Open Disk menu to bring up the View Disk dialog as shown in Figure 2.6.

Figure 2.6. View Disk dialog.

If you are running WinHex instead of X-Ways Forensics (and not in read-only mode), then the same dialog window is entitled Edit Disk instead.

Unless you have a need to image an individual partition, we recommend that you select a device under the Physical Media section. Simply select the physical device you want to open in XWF. In Figure 2.6, HD0 is selected. XWF will open the disk and display some basic information about the disk, including any partitions XWF was able to discover, the start sectors, unpartitionable space, and so on.

XWF can now fully interact with the hard drive we have just opened. Double-clicking on a partition will open that partition and XWF will begin traversing all the sectors in the partition. This is the initial volume snapshot process that consists of parsing various file system metadata such as the Master File Table (MFT). At this point, we are not interested in working directly against a running hard drive, so we will avoid opening an individual partition.

XWF is now ready to create a forensic image of the hard disk. To begin the process, select File | Create Disk Image, or press Alt-C as shown in Figure 2.7.

Figure 2.7. Beginning the imaging process.

XWF Tips and Tricks

Imaging via command line

XWF supports creating image files via the command line as well as via its graphical user interface. The XWF manual contains the syntax for command line imaging.

While XWF has everything it needs at this point to make an image, several optional changes are recommended as shown in Figure 2.8.

Figure 2.8. Create Disk Image dialog.

XWF Tips and Tricks

From fast to faster!

By default, when creating e01 files, XWF uses a number of extra threads that depends on the number of processor cores present. In the lower right corner is a small button that, when clicked, allows you to increase this number. You may want to experiment with higher values to see whether imaging gets faster on your hardware.

The first two options under image file format are self-explanatory. The third, Evidence file container, allows you to create a disk image as an XWF container as opposed to an e01 or dd file. Several third-party tools can understand the basic information in XWF containers, so this is a viable option in some scenarios. Of course, XWF (and some other tools) can be used to create an e01 or dd image of an XWF evidence container that is usable by any tool capable of understanding either format, but this is not required to use the container in XWF.

The Path, by default, will reflect the directory as entered in Options | General. The filename will default to the model of the drive as determined by XWF’s interrogation of the drive’s information. This information can also be viewed via the Specialist | Technical Details Report menu item. To change the path or file name, select the button to the right of the path. You can also optionally create a second image at the same time by checking the appropriate box. This is faster than creating a single image and then copying it later. It is best if the second image is created on a different physical device than the initial image in order to minimize the time it takes to create the image and additional copy.

Enter as many details as you wish about the selected hard drive in the Internal description box. This may include such things as the hard drive make, model, and serial number, the source of the drive (for example, where it was seized from, the client name, etc.), custodian or suspect name, etc. This information will be preserved in the image file in the case of an e01. For both e01 and dd images, this information will also be included in a text file (created in the same directory as the image itself) that contains details of the imaging process.

The Scope simply defines how much of the disk you wish to image. Typically, you will image the entire medium. You can also choose to exclude data in free clusters, but this option shouldn’t be used for the vast majority of imaging projects.

Finally, you can decide whether to employ hash verification and select which hash algorithms to compute for this image. At a minimum, we recommend that you select SHA-1. While MD5 is a valid hash algorithm, particularly with respect to disk images, the SHA-1 algorithm is less susceptible to attack. SHA-1 has since been shown to be vulnerable to practical collision attacks as well; if the tool offers SHA-256, prefer it. We also suggest that you check the Immediately verify image box, so XWF validates that the image is a forensic duplicate by computing and comparing the hash values of the source and of the image file. XWF only validates the image by comparing the hash value for the topmost hash algorithm, not both (you can always generate the hash value of the second image and compare it to the primary image’s hashes, though). By default, XWF splits images into 4 GB chunks.

When creating a second image file, XWF will not allow the images to exist on the same drive letter, so be sure you have at least two destination drives available. Also, when creating a second image file, XWF will not automatically verify the hash of the second image.
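Two integrity mechanisms run through this page: the per-block CRCs that let EnCase detect any change inside an evidence file (the EnCase paragraph near the top), and the whole-image hash that XWF computes over a 4 GB-segmented image and compares with the source (the paragraphs just above). The following added example, which is neither EnCase's nor X-Ways' code, shows both at once: it writes a segmented image with a CRC32 for every chunk of the stream and a SHA-256 over the whole stream, then verifies it and reports which chunk was altered. The JSON sidecar file is an assumption of the example (EnCase keeps its CRCs inside the evidence file), and the 300 KiB image content is constructed.

```python
"""Segmented image with per-chunk CRC32s and a whole-image SHA-256.

Added example, not EnCase or X-Ways code.  The image is split into
fixed-size segment files (XWF defaults to 4 GB; tiny values are used
here), every chunk of the stream gets a CRC32 (EnCase stores a CRC per
block inside the .e01), and a SHA-256 of the whole stream is recorded so
the image can be compared with the source.  The sidecar file is an
assumption of this example.  Verification names the chunk that changed,
which a single whole-image hash cannot do.
"""
import hashlib
import json
import os
import tempfile
import zlib


def _chunks(paths, chunk_size):
    """Yield the concatenated segment files as fixed-size chunks; chunk
    boundaries need not coincide with segment boundaries."""
    buf = b""
    for p in paths:
        with open(p, "rb") as f:
            for piece in iter(lambda: f.read(chunk_size), b""):
                buf += piece
                while len(buf) >= chunk_size:
                    yield buf[:chunk_size]
                    buf = buf[chunk_size:]
    if buf:
        yield buf


def write_segmented_image(data, out_dir, base, segment_size, chunk_size):
    """Write base.001, base.002, ... plus base.json holding the segment
    list, the per-chunk CRC32s and the SHA-256 of the whole stream.
    Returns the sidecar path."""
    segments = []
    for i in range(0, len(data), segment_size):
        name = f"{base}.{len(segments) + 1:03d}"
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(data[i:i + segment_size])
        segments.append(name)
    sidecar = {
        "segments": segments,
        "chunk_size": chunk_size,
        "crc32": [zlib.crc32(data[i:i + chunk_size])
                  for i in range(0, len(data), chunk_size)],
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    path = os.path.join(out_dir, base + ".json")
    with open(path, "w") as f:
        json.dump(sidecar, f)
    return path


def verify_segmented_image(sidecar_path):
    """Re-read the segments in order, recompute CRC32 per chunk and the
    SHA-256 overall.  Returns {"ok", "sha_ok", "bad_chunks"}, where
    bad_chunks lists the chunk indexes whose content no longer matches."""
    with open(sidecar_path) as f:
        meta = json.load(f)
    d = os.path.dirname(sidecar_path)
    paths = [os.path.join(d, s) for s in meta["segments"]]
    sha = hashlib.sha256()
    bad = []
    seen = 0
    for i, chunk in enumerate(_chunks(paths, meta["chunk_size"])):
        sha.update(chunk)
        if i >= len(meta["crc32"]) or zlib.crc32(chunk) != meta["crc32"][i]:
            bad.append(i)
        seen = i + 1
    if seen < len(meta["crc32"]):  # stream shorter than recorded: missing tail
        bad.extend(range(seen, len(meta["crc32"])))
    sha_ok = sha.hexdigest() == meta["sha256"]
    return {"ok": sha_ok and not bad, "sha_ok": sha_ok, "bad_chunks": bad}


def demo():
    """Write a 300 KiB constructed image as 128 KiB segments with 64 KiB
    chunks, verify it, flip one byte inside the second segment (absolute
    offset 200 KiB, i.e. chunk 3) and verify again.  Returns both results."""
    data = bytes((i * 7) & 0xFF for i in range(300 * 1024))  # constructed
    with tempfile.TemporaryDirectory() as d:
        sidecar = write_segmented_image(data, d, "evidence", 128 * 1024, 64 * 1024)
        clean = verify_segmented_image(sidecar)
        with open(os.path.join(d, "evidence.002"), "r+b") as f:
            f.seek(72 * 1024)
            original = f.read(1)
            f.seek(72 * 1024)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_segmented_image(sidecar)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

A whole-image hash tells you only that something changed; the per-chunk CRCs tell you where, which is what lets an examiner distinguish a single corrupted segment file from an image that was never a faithful copy.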

The Replace evidence object with image option is only available when adding media directly to a case and then imaging that media (as opposed to using F9 to select a device as discussed above). There are several ways to do this, including right-clicking the case root node and selecting Add Medium or clicking the File menu in the Case Data window and selecting Add Medium. Regardless of the method you choose, the Open Disk dialog will be displayed. Replace evidence object with image is a very handy option that replaces the physical device in the case with the image file once the image is created. Using this option works well for smaller media such as thumb drives, but for larger devices we recommend another technique that is outlined in another section below.

XWF Tips and Tricks

True AES encryption for e01s

Should you have a hard drive that contains sensitive information, XWF can fully encrypt the data in the e01 image using 128- or 256-bit AES. This is vastly different from the simple password protection of e01s found in other tools, which can easily be bypassed by simply opening the e01 and reimaging it. Secure the password for future use, as the image will not be accessible without it.

You can also prevent people from making unencrypted copies (by reimaging an image after providing the password) by checking the Prevent unencrypted copies option.

Once you adjust the settings to your liking, click the OK button to start the imaging process. As XWF processes the media, various statistics will be generated and updated in real time as shown in Figure 2.9.

Figure 2.9. Imaging progress.

At the start of the imaging process, a text file is created that is updated as the imaging progresses. The text file will be saved to the same directory as the image file and will have the same filename as the image. In our example above, our image is named OCZ-AGILITY3.e01, so our text file would be named OCZ-AGILITY3.txt. This text file will contain various information about the hard drive including the number of sectors, where the image was saved, its capacity, partitions, etc. At the end of the imaging process, XWF will add the hash values to the file with an indication of whether the source and destination hashes matched.

If you cancel the imaging process before it completes, XWF will finalize the segment of the image file (when using e01 format) it is currently creating so that a consistent image file is generated. While you will end up with an incomplete image, it will be accurate to the point when the imaging process was canceled.

The process for imaging any other type of media is the same as imaging a hard disk. When this is not the case, it will be explained in the sections that follow.

Live response using XWF

In the previous section, we used a write blocker to connect a hard drive from a dead box to our computer. This is the traditional approach to creating forensic images and the one that you will use the most. However, as we have discussed, XWF can also be used on a live system that cannot be shut down for whatever reason (such as a production server or a RAID array). To use XWF in a live environment, copy XWF to an external hard drive or other storage device and connect it to the computer to be imaged. If you have XWF on a thumb drive, connect an additional external hard drive to the computer if the thumb drive is not big enough to hold the image. Finally, connect your dongle (no drivers will be installed). Once the removable drives are recognized, open XWF. From this point forward, the imaging process in this scenario is exactly the same as we saw in the previous section.

Using XWF to review medium while imaging

In time-sensitive situations, it is often required to immediately begin reviewing a hard drive or other piece of media while an image is being created. To do this with XWF, begin the imaging process as we previously discussed. To begin the review process, open another instance of XWF, create a new case, and add the same device that you are imaging to the case.

Once the device is added to the case, you can start browsing its contents. Since you are working with a case, XWF will remember anything that you do against the device. Once the image is created in the other instance of XWF, right-click on the device in your case and select Replace with new Image from the Case Data context menu as shown in Figure 2.10.

Figure 2.10. Replacing a device with an image.

Navigate to the directory where XWF created the image of the device and select the corresponding image file. XWF will then remove the device from your case and replace it with the image file. By using this technique, anything done against the volume snapshot of the device will be preserved such as report table associations, comments, viewed files, etc.

Basically, we let one instance of XWF image our drive while the second instance goes to work and examines the drive in a case. After the image is complete, we substitute the image for the disk and continue from where we left off. Using this technique enables you to get a head start by beginning an exam before the image was even complete!

This two-pronged approach allows you to start interacting immediately with your media rather than waiting for hours for the image to complete. This saves time and allows you to begin your examination immediately.

URL: https://www.sciencedirect.com/science/article/pii/B9780124116054000028

Windows Forensic Analysis

Ryan D. Pittman, Dave Shaver, in Handbook of Digital Forensics and Investigation, 2010

NASs and SANs

Network-attached storage (NAS) or a storage area network (SAN) can also present special challenges to an examiner. A NAS is typically a smaller device, which, as its name implies, provides storage space to network users. Because there are numerous NAS vendors, with numerous unique and proprietary configurations, there is no set procedure to image them. However, two of the techniques described earlier for imaging a RAID (i.e., taking the NAS apart and imaging the drives separately or mounting the NAS as a logical share and obtaining a live, logical image of it) can be very effective.

SANs are more common in large corporate and government infrastructures and are normally very large. What makes a SAN an efficient method for large-scale storage is how it allocates space to users; space given to a user is called a Logical Unit Number, or LUN. Somewhere on the network there is a server dedicated to the allocation of the LUNs and the maintenance of the SAN; this server is connected to the SAN via a Host Bus Adapter (HBA).

There are two primary choices for acquiring a forensic image of a SAN:

1. From a computer connected to the SAN, a system administrator can assign the examiner read-only privileges to the LUNs in question, which can then be imaged live (similar to a standard RAID). If possible, the examiner should ask the system administrator to temporarily remove all access to the LUNs by other users until the image and verification are finished.

2. The connected computer can be shut down and booted using a forensic boot disk. Once booted, specific LUNs can be imaged as described earlier. If using this technique, the examiner must ensure the boot disk has the correct HBA drivers or the examiner will not be able to properly access the LUNs.


URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000057

Computer Forensic Software and Hardware

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Frequently Asked Questions

Q: If software is available to create a forensic image of a hard disk or other media, what is the benefit of forensic hardware?

A: Different types of forensic hardware are available. You can use write-blocking tools to prevent data from being written to a suspect hard disk or other media. Forensic tools are also available that you can connect to an unopened computer or hard disk to acquire data from it. In some cases, some tools even enable you to analyze the acquired data in the field. Many of these tools are portable, allowing you to carry them to a crime scene, and can enable you to acquire data from multiple hard drives at high speeds.

Q: Why is it important that all the software used by law enforcement officers be licensed and registered? Law enforcement budgets are often tight; why not use freeware as much as possible?

A: Some freeware and shareware tools that are available on the Internet are good tools, and the price is certainly right. However, there are some dangers in using these programs for forensic purposes. First, you never know exactly what you're getting when you download a free program (and you certainly can't ask for your money back if it doesn't work properly). Downloads can be infected with viruses or Trojans that can damage the systems on which you use them. Using unlicensed software (illegal copies) is even worse. The opposing attorney(s) will have a field day if they discover that the police used pirated or “borrowed” software in the investigation. This behavior can destroy the credibility of the people who conducted the forensic examination and even result in losing the case. In addition, with properly purchased and registered software, you will be able to get technical support from the vendor if necessary. Makers of computer forensic software often offer discounts to law enforcement agencies, making it easier to afford the proper tools for the job. After all, officers and agencies probably wouldn't suggest saving money by buying their duty weapons from a pawnshop; that's because these are essential tools of the trade and must be as reliable as possible. For the cybercrime investigator or technician, the same is true of the forensic software that is used to collect and preserve evidence that can make or break a criminal case.

Q: There are so many tools. Do we need them all?

A: It is important to become familiar with a wide range of tools. It is not necessary to have all the tools.

Q: Many of the tools run on an operating system I am not familiar with. Do I need to become familiar with these operating systems?

A: Although it is good to have some level of familiarity with a wide range of systems, these tools are available for most operating systems. Whether you are familiar with Linux, Windows, or another operating system, it is likely that you will be able to find a tool that functions on your system.

Q: What types of evidence can digital forensic tools provide?

A: Computers store large amounts of data on a network or system of hard disks. Much of this information is stored without the user being conscious of its existence. This data may be in the form of tangible files or information that the computer used to carry out a specific task. A few examples are user files, system files, deleted files, and system data that enable the computer to perform its tasks.

Q: Do I need to scan a drive for malware if I have a read-only image?

A: Any forensic image file with a capture containing 100 percent of the information on a hard drive has the potential to be a virus pathway into a secure computer system. Any forensic investigation must exercise appropriate care in ensuring that none of these pathways exist.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000066

The XWF Internal Hash Database and the Registry Viewer

Brett Shavers, Eric Zimmerman, in X-Ways Forensics Practitioner’s Guide, 2014

The registry through X-Ways Forensics

The following section details using XWF to examine the Windows registry. The registry is a hierarchical database that stores configuration settings and options for the Windows operating system in files called hives.

Entire books dedicated to the inner workings of the registry are available and such information will not be repeated here. As registry analysis as a whole requires more information than can be described in this chapter, we recommend examiners delve deeper into registry forensics through resources such as Harlan Carvey’s Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry. Resources such as this allow you to understand alternative methods of analysis of the registry as well as the scope of information stored in the registry.

In Chapter 3, we covered the Directory Browser and its columns, including the ability to filter data contained in one or more columns. Before discussing how to use XWF to analyze registry hives, it is helpful to hide everything from view that isn’t a registry hive. Of course, you can always navigate directly to where the hives are found on disk if you choose, but filtering lets you quickly see all available registry hives across entire evidence objects at the same time.

To begin registry analysis with XWF, click the filter icon for the Type column in the Directory Browser. Figure 5.14 shows the Type filter dialog that allows you to hide all files that are not of type Windows Registry. The quickest way to access this filter is via the funnel icon found in the Type column. Once the filter dialog is open, you can select one or more registry file types. If you want to find registry files of all types, filtering via the Category column is quicker than selecting all of the relevant file types in the Type filter dialog.


Figure 5.14. Filter by file type (registry).

Figure 5.15 shows several registry hives found in a forensic image after using the Type filter column as outlined above.


Figure 5.15. Filtered by registry file type.

XWF Tips and Tricks

Filtering is your friend

By now, you have seen the usefulness of filtering data to expedite your analysis. The granularity of your filtering depends upon the type of case you are working and your knowledge of the files you need to analyze. As we have seen above, if you know the type of registry hives needed for specific information, you can quickly eliminate all other files from view by using the Type column filter. If you are only interested in SYSTEM hives, you can then use the Name column filter to further refine the files shown in the Directory Browser.


URL: https://www.sciencedirect.com/science/article/pii/B9780124116054000053

Open Source Examination Platform

Cory Altheide, Harlan Carvey, in Digital Forensics with Open Source Tools, 2011

MountEWF

MountEWF is a program that presents an Expert Witness Format forensic image as a raw image. It does this by leveraging the FUSE system via Python. It is not included with libewf directly but can be retrieved from the LibEWF project site [3]. Like a disk, the forensic container can hold multiple mountable file systems, so simply “mounting” the container is not desirable or even feasible. Instead, MountEWF provides a view of raw streams contained in the EWF container at the provided mount point. The raw streams can then be accessed directly using the losetup technique discussed previously.

MountEWF is a Python script, so it does not need to be compiled before running. We can copy it into our path to allow for easier execution:

[email protected]:~/src/afflib-3.5.12$ sudo cp /home/user/src/mount_ewf-20090113.py /usr/local/bin/mount_ewf.py

Executing the command with no arguments will provide usage instructions:

[email protected]:~/src/afflib-3.5.12$ mount_ewf.py
Using libewf-20100226. Tested with libewf-20080501.
Usage:
 mount_ewf.py [options] <filename(s)> <mountpoint>

Note: This utility allows EWF files to be mounted as a filesystem containing a flat disk image. <filename> can be any segment of the EWF file. To be identified, all files need to be in the same directory, have the same root file name, and have the same first character of file extension. Alternatively, multiple filenames can be specified in different locations in the order to be reassembled.

ewf segment filename(s) required.

To test mount_ewf without creating an Expert Witness formatted image, we can use the image provided by Lance Mueller for his first forensic practical [4].

[email protected]:~/images$ mount_ewf.py WinXP2.E01 ~/mount_points/ewf/
Using libewf-20100226. Tested with libewf-20080501.
[email protected]:~/images$ ls -lath /home/user/mount_points/ewf/
total 2.0G
drwxr-xr-x 5 user user 4.0K 2010-08-20 23:52 ..
dr-xr-xr-x 2 root root    0 1969-12-31 16:00 .
-r--r--r-- 1 root root 2.0G 1969-12-31 16:00 WinXP2
-r--r--r-- 1 root root  293 1969-12-31 16:00 WinXP2.txt

The text file listed is the case metadata. The other file is the raw image.

[email protected]:~/images$ cat /home/user/mount_points/ewf/WinXP2.txt
# Description: WinXP
# Case number: Case 1
# Examiner name: Mueller
# Evidence number: WinXP
# Acquiry date: 2008-01-17T17:05:46
# System date: 2008-01-17T17:05:46
# Operating system used: Vista
# Software version used: 6.8
ce2211114a461a96bb2c4409b272dbee */home/user/mount_points/ewf/WinXP2

The last line of the text file is the MD5 hash of the content, recorded at acquisition time. We can verify that the raw stream still matches it using the md5sum command.

[email protected]:~/images$ md5sum /home/user/mount_points/ewf/WinXP2
ce2211114a461a96bb2c4409b272dbee /home/user/mount_points/ewf/WinXP2

We can verify access to the raw content using the file command:

[email protected]:~/images$ file /home/user/mount_points/ewf/WinXP2
/home/user/mount_points/ewf/WinXP2: x86 boot sector, code offset 0x52, OEM-ID "NTFS ", sectors/cluster 4, reserved sectors 0, Media descriptor 0xf8, heads 128, hidden sectors 63, dos < 4.0 BootSector (0x80)
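The manual md5sum check above can be scripted so that an examiner's case notes record the comparison rather than an eyeball match. The following is an added example, not code from the book or from the libewf/mount_ewf project: it parses the sidecar metadata file in the "# Key: value" layout shown above, re-hashes the exposed raw stream in chunks, and reports whether the two hashes agree. The file names, the constructed stand-in for the image bytes and the `tamper` switch are assumptions made for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the raw stream that mount_ewf exposes (not a real
# boot sector); the sidecar below copies the "# Key: value" layout shown above.
SAMPLE_RAW = b"NTFS    " + bytes(504)

def parse_ewf_metadata(text):
    """Return (fields, md5, path) from the mount_ewf sidecar: '# Key: value'
    lines followed by one md5sum-style '<md5> *<path>' line."""
    fields, md5, path = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            fields[key.strip()] = value.strip()
        elif (m := re.fullmatch(r"([0-9a-fA-F]{32})\s+\*?(.+)", line)):
            md5, path = m.group(1).lower(), m.group(2)
    if md5 is None:
        raise ValueError("metadata file carries no MD5 line")
    return fields, md5, path

def md5_of_file(path, chunk=1 << 20):
    """Hash the raw image in chunks so multi-GB streams never sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_mounted_ewf(raw_path, metadata_path):
    """Compare the acquisition hash recorded by the imaging tool with a fresh
    hash of the exposed raw stream; returns (expected, actual, match)."""
    _, expected, _ = parse_ewf_metadata(Path(metadata_path).read_text())
    actual = md5_of_file(raw_path)
    return expected, actual, expected == actual

def build_sample(directory=None, tamper=False):
    """Write the constructed raw stream and its sidecar into `directory`
    (a fresh temp dir by default); tamper=True alters the stream after the
    hash is recorded, the failure case a verifier must catch."""
    directory = directory or tempfile.mkdtemp()
    raw, meta = Path(directory) / "WinXP2", Path(directory) / "WinXP2.txt"
    meta.write_text("# Description: WinXP\n# Case number: Case 1\n"
                    "# Examiner name: Mueller\n"
                    f"{hashlib.md5(SAMPLE_RAW).hexdigest()} *{raw}\n")
    raw.write_bytes(SAMPLE_RAW[:-1] + b"\x01" if tamper else SAMPLE_RAW)
    return str(raw), str(meta)
```

Pointing `verify_mounted_ewf` at the real mount point (the `WinXP2` and `WinXP2.txt` paths listed above) performs the same check as the md5sum command, and a mismatch should stop the examination until the image is re-verified.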


URL: https://www.sciencedirect.com/science/article/pii/B9781597495868000029
