How to mount an Expert Witness Compression Format (EWF) file in Ubuntu

We will use ewfmount to mount the EWF file. ewfmount is part of ewf-tools, a collection of tools for reading and writing EWF files.

Install ewf-tools

$ sudo apt-get install ewf-tools

Create a directory for mounting image file

$ sudo mkdir -p /mnt/MalforensicsLab/Evidences/Case01/  

Change the folder ownership to the currently logged-in user

$ sudo chown Malforensics /mnt/MalforensicsLab/Evidences/Case01/

Mount Disk Image

$ ewfmount DISKIMAGEFILENAME.E01 /mnt/MalforensicsLab/Evidences/Case01/

You will find the actual disk image file at /mnt/MalforensicsLab/Evidences/Case01/ewf1. You can now use any other tool to mount individual partitions or perform analysis.

For example, to get offset and partition information, use mmls from sleuthkit

Install sleuthkit

$ sudo apt-get install sleuthkit

Get offset and partition information from disk image

$ mmls /mnt/MalforensicsLab/Evidences/Case01/ewf1
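
The Start column that mmls prints is in sectors, while a loop mount takes its offset in bytes. The following added example (not part of the original page) converts one to the other and builds read-only mount options; the sample mmls output and the function names partition_offsets and mount_options are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn mmls output into byte offsets for read-only loop mounts.
# SAMPLE_MMLS is constructed for illustration, not output from a real case.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)
003:  000:001   0001026048   0002097151   0001071104   Linux (0x83)'

# partition_offsets: read mmls output on stdin and print one line per
# allocated partition: "<slot> <byte offset> <size in bytes> <description>".
partition_offsets() {
    awk '
        # mmls states the sector size in its header line.
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); sector = u[1] + 0 }
        # Allocated partitions have a numeric NNN:NNN slot; the Meta and
        # Unallocated rows do not match and are skipped.
        $2 ~ /^[0-9]+:[0-9]+$/ {
            if (sector == 0) sector = 512   # fallback if the header was missing
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            # %.0f instead of %d: some awk builds clamp %d at 2^31-1,
            # which would corrupt offsets beyond 2 GiB.
            printf "%s %.0f %.0f %s\n", $2, $3 * sector, $5 * sector, desc
        }
    '
}

# mount_options: print the option string for a read-only loop mount of each
# partition; sizelimit keeps the loop device inside the partition boundary.
mount_options() {
    partition_offsets | while read -r slot offset size desc; do
        printf 'ro,loop,offset=%s,sizelimit=%s\n' "$offset" "$size"
    done
}

printf '%s\n' "$SAMPLE_MMLS" | partition_offsets
```

On a real image, pipe the mmls command above into partition_offsets in place of the sample, then pass the resulting option string to mount -o together with the ewf1 file and an empty mount point.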

Once the analysis is complete and you want to unmount the disk image file, run

$ sudo umount /mnt/MalforensicsLab/Evidences/Case01/