Background
Expert Witness Compression (EWF) files are a type of disk image, i.e., files that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM). They are used heavily in forensics and typically created from tools such as Encase or FTK.
The ewf-tools suite (libewf) is used on Linux to work with EWF files. The following are available when installed:
- ewfacquire
- ewfdebug
- ewfinfo
- ewfrecover
- ewfacquirestream
- ewfexport
- ewfmount
- ewfverify
Unfortunately the version installed on Kali as of March 2018 is extremely out dated (2014).
Every time an attempt to mount an E01 file is made, the dreaded "No sub system to mount EWF format." message pops up.
Below should work:
- sudo mkdir /mnt/ewf1
- sudo ewfmount FORENSIC_IMAGE.E01 /mnt/ewf1
- After about a minute the error "No subsystem to mount EWF format" pops up.
How to update ewf-tools
The following worked consistently for us in testing. Start by upgrade to the latest version of kali-rolling, uninstall ewf-tools, then manually install the new package.
NOTE: We recommend taking a backup of your system/snapshot of your VM prior to the upgrade process.
Step 1) Update Kali & Remove ewf-tools
Ensure your /etc/apt/sources.list has kali-rolling.
- deb http://http.kali.org/kali kali-rolling main non-free contrib
Run the following commands:
- apt-get update
- apt-get upgrade
- apt-get dist-upgrade
- apt-get remove ewf-tools
Step 2) Download the latest version of the libewf library (ewf-tools included)
https://github.com/libyal/libewf
Step 3) Install miscellaneous libraries
- apt-get install libfuse-dev
- apt-get install fuse-dbg
- apt-get install libfuse2
- apt-get install uuid-dev
- apt-get install lbzip2
- apt-get install python-wchartype
Step 4) Unzip the package
- unzip libewf-master.zip
- cd libewf-master/
Step 5 ) Build & Install the new package
Note: The scripts will sync the libraries. The autogen.sh script will create the configure script. After running the configure script,
- ./synclibs.sh
- ./syncsharedlibs.sh
- ./syntestdata.sh
- ./runtests.sh
- ./autogen.sh
- ./configure
Output for configure:
Building:
libcerror support: yes
libcthreads support: yes
libcdata support: yes
libcdatetime support: yes
libclocale support: yes
libcnotify support: yes
libcsplit support: yes
libuna support: yes
libcfile support: yes
libcpath support: yes
libbfio support: yes
libfcache support: yes
libfdata support: yes
libfguid support: yes
libfvalue support: yes
ADLER32 checksum support: zlib
DEFLATE compression support: zlib
BZIP2 compression support: no
libhmac support: yes
MD5 support: libhmac
SHA1 support: libhmac
SHA256 support: libhmac
libcaes support: yes
AES support: libcaes
libodraw support: yes
libsmdev support: yes
libsmraw support: yes
GUID/UUID support: libuuid
FUSE support: libfuse
Features:
Multi-threading support: libcthreads
Wide character type support: no
ewftools are build as static executables: no
Python (pyewf) support: no
Python version 2 (pyewf) support: no
Python version 3 (pyewf) support: no
Verbose output: no
Debug output: no
Now running ewfmount command on the .E01 file does not throw the error. Running the mount command shows that it successfully mounted.
- mount | grep -i e01
- /dev/fuse on /mnt/e01 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
We hope this helps. Good luck!
How to update ewf-tools on Kali Linux - Eliminate the "No sub system to mount EWF format." error.
Background
Expert Witness Compression (EWF) files are a type of disk image, i.e., files that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM). They are used heavily in forensics and typically created from tools such as Encase or FTK.
The ewf-tools suite (libewf) is used on Linux to work with EWF files. The following are available when installed:
Unfortunately the version installed on Kali as of March 2018 is extremely out dated (2014).
Every time an attempt to mount an E01 file is made, the dreaded "No sub system to mount EWF format." message pops up.
Below should work:
How to update ewf-tools
The following worked consistently for us in testing. Start by upgrade to the latest version of kali-rolling, uninstall ewf-tools, then manually install the new package.NOTE: We recommend taking a backup of your system/snapshot of your VM prior to the upgrade process.
Step 1) Update Kali & Remove ewf-tools
Ensure your /etc/apt/sources.list has kali-rolling.
Run the following commands:
Step 2) Download the latest version of the libewf library (ewf-tools included)
https://github.com/libyal/libewf
Step 3) Install miscellaneous libraries
Step 4) Unzip the package
Step 5 ) Build & Install the new package
Note: The scripts will sync the libraries. The autogen.sh script will create the configure script. After running the configure script,
Output for configure:
Building:
libcerror support: yes
libcthreads support: yes
libcdata support: yes
libcdatetime support: yes
libclocale support: yes
libcnotify support: yes
libcsplit support: yes
libuna support: yes
libcfile support: yes
libcpath support: yes
libbfio support: yes
libfcache support: yes
libfdata support: yes
libfguid support: yes
libfvalue support: yes
ADLER32 checksum support: zlib
DEFLATE compression support: zlib
BZIP2 compression support: no
libhmac support: yes
MD5 support: libhmac
SHA1 support: libhmac
SHA256 support: libhmac
libcaes support: yes
AES support: libcaes
libodraw support: yes
libsmdev support: yes
libsmraw support: yes
GUID/UUID support: libuuid
FUSE support: libfuse
Features:
Multi-threading support: libcthreads
Wide character type support: no
ewftools are build as static executables: no
Python (pyewf) support: no
Python version 2 (pyewf) support: no
Python version 3 (pyewf) support: no
Verbose output: no
Debug output: no
Now running ewfmount command on the .E01 file does not throw the error. Running the mount command shows that it successfully mounted.
We hope this helps. Good luck!