[*] -
SecureInfo.eu,
/System/EW filesystem.md
/System/EW filesystem.md /System/EW filesystem.mdExamine the metadata associated with the E01 by running ewfinfo
ewfinfo your_image.e01Let’s create a mount point that we’ll use to mount the E01 as a raw device
mkdir -p /mnt/ewf_mountNow, mount the E01 forensic image to a new raw device
ewfmount your_image.e01 /mnt/ewf_mountA successful mount operation will provide a very minimal output such as “ewfmount 20140812”
You will now have a stream-decompressed raw device at /mnt/ewf_mount/ewf1 :
ls -alh /mnt/ewf_mountCreate a new mount point for the logical mount we’re about to perform, and then mount the device to the new logical mount point.
mkdir -p /mnt/logical_mount
mount -o ro,show_sys_files,streams_interface=windows \
/mnt/ewf_mount/ewf1 /mnt/logical_mountPro Tip: create a bash alias that simplifies this mount command for the future, allowing you to replace it with simply mountwin — you must reload bash for it to take effect.
echo “alias mountwin='mount -o ro,show_sys_files,streams_interface=windows'“ >> ~/.bash_aliasesNow, change directory into the logical mount point, and examine the file system!
cd /mnt/logical_mount
ls -alh