How to update ewf-tools on Kali Linux - Eliminate the "No sub system to mount EWF format." error.


Expert Witness Compression (EWF) files are a type of disk image, i.e., files that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM).  They are used heavily in forensics and typically created from tools such as Encase or FTK.

The ewf-tools suite (libewf) is used on Linux to work with EWF files. The following are available when installed:

  • ewfacquire
  • ewfdebug
  • ewfinfo
  • ewfrecover
  • ewfacquirestream
  • ewfexport
  • ewfmount
  • ewfverify

Unfortunately the version installed on Kali as of March 2018 is extremely out dated (2014). 

Every time an attempt to mount an E01 file is made, the dreaded  "No sub system to mount EWF format." message pops up.

Below should work:

  • sudo mkdir /mnt/ewf1
  • sudo ewfmount FORENSIC_IMAGE.E01 /mnt/ewf1
  • After about a minute the error "No subsystem to mount EWF format" pops up.

How to update ewf-tools

The following worked consistently for us in testing.  Start by upgrade to the latest version of kali-rolling, uninstall ewf-tools, then manually install the new package.


NOTE: We recommend taking a backup of your system/snapshot of your VM prior to the upgrade process.

Step 1)  Update Kali & Remove ewf-tools

Ensure your /etc/apt/sources.list has kali-rolling.

  • deb kali-rolling main non-free contrib

Run the following commands:


  • apt-get update
  • apt-get upgrade
  • apt-get dist-upgrade
  • apt-get remove ewf-tools


Step 2) Download the latest version of the libewf library (ewf-tools included)

Step 3) Install miscellaneous libraries

  • apt-get install libfuse-dev
  • apt-get install fuse-dbg
  • apt-get install libfuse2
  • apt-get install uuid-dev
  • apt-get install lbzip2
  • apt-get install python-wchartype

Step 4) Unzip the package

  • unzip
  • cd libewf-master/

Step 5 ) Build & Install the new package

Note: The scripts will sync the libraries.  The script will create the configure script.  After running the configure script, 

  • ./
  • ./
  • ./
  • ./
  • ./
  • ./configure

Output for configure:
libcerror support: yes
libcthreads support: yes
libcdata support: yes
libcdatetime support: yes
libclocale support: yes
libcnotify support: yes
libcsplit support: yes
libuna support: yes
libcfile support: yes
libcpath support: yes
libbfio support: yes
libfcache support: yes
libfdata support: yes
libfguid support: yes
libfvalue support: yes
ADLER32 checksum support: zlib
DEFLATE compression support: zlib
BZIP2 compression support: no
libhmac support: yes
MD5 support: libhmac
SHA1 support: libhmac
SHA256 support: libhmac
libcaes support: yes
AES support: libcaes
libodraw support: yes
libsmdev support: yes
libsmraw support: yes
GUID/UUID support: libuuid
FUSE support: libfuse

Multi-threading support: libcthreads
Wide character type support: no
ewftools are build as static executables: no
Python (pyewf) support: no
Python version 2 (pyewf) support: no
Python version 3 (pyewf) support: no
Verbose output: no
Debug output: no

  • ./make
  • ./make install

Now running ewfmount command on the .E01 file does not throw the error.  Running the mount command shows that it successfully mounted.

  • mount | grep -i e01
  • /dev/fuse on /mnt/e01 type fuse  (rw,nosuid,nodev,relatime,user_id=0,group_id=0)

We hope this helps.  Good luck!