
Upload: carlos-cajigas

Post on 27-Oct-2014


DESCRIPTION

Article on conducting media acquisition into E01 images using Linux Ubuntu 12.04

TRANSCRIPT

Page 1: Acquiring E01 Images Using Linux Ubuntu 12.04

Acquiring E01 Images Using Linux Ubuntu 12.04

Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+

When it comes to media acquisition using Linux, tools like Raptor and Paladin are hard to beat. These tools are able to boot the computer and acquire the internal devices all while write-blocking the devices. If a GUI acquisition tool for Linux is what you need then look no further, Guymager is it. But if you want total control of the acquisition process the programs contained in ewf-tools provide you just that, control.

Ewf-tools is a collection of tools for reading and writing EWF (Expert Witness Format) files. The Expert Witness Format file, also known as the E01 file, is a format owned by Guidance Software containing a bitstream of an acquired disk, case information, checksums for every block of 64 sectors, and a footer with an MD5 hash for the entire bitstream.

When you install ewf-tools you are given access to the following programs: ewfacquire, ewfacquirestream, ewfexport, ewfinfo, and ewfverify. Ewfacquire and ewfacquirestream are used for acquisition/imaging of devices. Ewfexport is used to export media data stored in the E01 image. Ewfinfo shows the metadata stored in the image. And last, but not least, when you need to verify your E01, ewfverify can do it. We will discuss ewfacquire, ewfinfo and ewfverify. The Backtrack live DVD comes bundled with ewfacquire, but for the purposes of this article I used an examination computer with Ubuntu 12.04 installed on it.

The goal:

The plan is to acquire/image a piece of media. We will use ewfinfo to look at the metadata in the image, and lastly we use ewfverify to make sure that our image is valid and matches the data contained in the media.

Installing the tools:

All of the tools that we will use are either included in Ubuntu by default, or can be downloaded from the Ubuntu Software Center. The tools that we will need to accomplish the task are md5sum and ewf-tools. Md5sum is included by default, so let's head over to the Ubuntu Software Center for the other tool(s).

Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.

Page 2: Acquiring E01 Images Using Linux Ubuntu 12.04

After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type ewf-tools and click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install.

Once ewf-tools is installed, close the Ubuntu Software Center. The next step is to prepare a working folder for our files. Go to your desktop, right click on your desktop and select “create new folder”, name it “Test”.

Page 3: Acquiring E01 Images Using Linux Ubuntu 12.04

The Test:

For the procedures I will be using a 256MB Flash Drive. I chose a smaller device so that we can complete the procedures in less time. The procedures should be the same regardless of the size of the media that you are acquiring. Also, it should not matter what data is contained in your media. The only thing that matters is that when we are done acquiring and validating the image, your media and image should have matching MD5s.

I connected the drive to a previously validated USB hardware write-blocker and then connected the write-blocker to a USB port on my examination computer.

If you do not have a write-blocker handy, you do not have to use one, just remember to never connect evidence media to a computer without the use of a previously validated write-blocking procedure.

Make sure your test media is inserted into the computer and open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal.”

Once the terminal window is open, type the following into the terminal to determine which letter Ubuntu assigned to the test media.

sudo fdisk -l

Fdisk is a partition table manipulator for Linux. The flag -l tells fdisk to list the partition table. Sudo gives fdisk superuser privileges for the operation. Press enter and type your root password (if needed).

Page 4: Acquiring E01 Images Using Linux Ubuntu 12.04

Ubuntu assigned the test media as sdb. sdb1 is the partition currently stored on the media. Now that we know the media's drive assignment, type the following into the terminal to conduct an MD5 sum of the media.

sudo md5sum /dev/sdb

Depending on the size of your media, the md5sum may take minutes or hours. It only took two minutes to receive results for my 256MB drive. These are my results.

The MD5 of the media is 2d0dc508fe22d4e54a09d53a73ea99cb. Take a moment to write it down or copy it to a txt file inside of the Test folder on your Desktop. Save the MD5 in case you have to refer back to it at a later time. I went ahead and copied it to the Test folder into a txt file named 256MbImage.MD5.txt.

Now navigate to the previously created Test folder on the desktop. We will use the cd command to change directory into the desktop. Type the following into the terminal.

cd /home/carlos/Desktop/Test/

Replace “carlos” with the name of the user account you are currently logged on as. After doing so, press enter.

carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/

carlos@XPS-M1330:~/Desktop/Test$

Page 5: Acquiring E01 Images Using Linux Ubuntu 12.04

The dollar sign after Test indicates that “Test” is your current directory, exactly what we wanted. The command pwd prints the path of the current directory. Type pwd and press enter. Sweep and copy the path of your directory. We will be pasting this path into ewfacquire so that we can direct the acquisition to the Test folder.

carlos@XPS-M1330:~/Desktop/Test$ pwd

/home/carlos/Desktop/Test

carlos@XPS-M1330:~/Desktop/Test$

Now it's time to call ewfacquire. Type the following into the terminal to point ewfacquire to the physical media that we intend to acquire. Press enter and type your root password (if needed).

sudo ewfacquire /dev/sdb

Ewfacquire opens and immediately asks you for a path to store the image. This is where you will paste the path to the Desktop plus an image filename (/home/carlos/Desktop/Test//256MbImage).

After pressing enter, you will be allowed to enter the case number, description, evidence number, examiner name, and notes. You will be allowed to type the information into these fields one at a time, pressing enter to fill in the following field. If you make a mistake, press “ctrl” and “c” at the same time to exit the acquisition and start again.

Page 6: Acquiring E01 Images Using Linux Ubuntu 12.04

The next set of options are media type, media characteristics, compression, EWF file format, start to acquire at offset, the amount of bytes to acquire, evidence segment file size in bytes, the amount of bytes per sector, the amount of sectors to read at once, the amount of sectors to be used as error granularity, the amount of retries when a read error occurs, and wipe sectors on read error.

Ewfacquire offers defaults for each one of these options. Here is where you can decide to change the defaults or leave them. I only changed “media characteristics” from logical to physical and “use compression” from none to best. I changed these options by typing in the words “physical” and “best.”

Ewfacquire will give you one last chance to see the acquiry parameters provided, followed by: continue acquiry with these values (yes, no) [yes]: Yes is the default. Simply press enter and the acquisition will begin.

Page 7: Acquiring E01 Images Using Linux Ubuntu 12.04

When the imaging is complete, ewfacquire will provide you with the MD5 hash that was calculated over the test media:

Notice, the MD5 matches the MD5 that we previously computed over the test media /dev/sdb.

Now type “ls -lh” into the terminal and press enter, to see if the acquired image is in the Test folder. ls is the list files command. The flag -l uses a long listing format, and the flag -h prints the file's size in human readable format.

Page 8: Acquiring E01 Images Using Linux Ubuntu 12.04

Yes, we have an E01 image inside of the Test folder. My image compressed down to 462KB.

Now let's use ewfinfo to look at the metadata inside of the E01. Type the following into the terminal followed by enter.

ewfinfo 256MbImage.E01

Ewfinfo prints the metadata contained inside of the E01.

Page 9: Acquiring E01 Images Using Linux Ubuntu 12.04

Now let's use ewfverify to verify the integrity of the image and to compare the contents of the image to the data on the test media. Type the following into the terminal followed by enter.

ewfverify 256MbImage.E01

Ewfverify Success! We have matching MD5s. The acquisition and verification were successful.
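The whole procedure above (md5sum the write-blocked device, acquire it with ewfacquire, verify with ewfverify, then compare the hashes) as an added shell example. This is not code from the article or from ewf-tools; it assumes ewfacquire's unattended-mode flags as documented in libewf's man page (-u, -t, -c, -M, -C, -D, -E, -e, -N, -l) and that the tools report their digests on the "MD5 hash calculated over data:" and "MD5 hash stored in file:" lines. The case metadata and the sample tool output embedded at the bottom are constructed; the digest in the samples is the one from the article.

```shell
#!/bin/sh
# Added example, not the article's code: scripts the md5sum -> ewfacquire ->
# ewfverify workflow and ends by checking that the pre-acquisition md5sum,
# the MD5 ewfacquire computed, the MD5 stored in the E01 footer and the MD5
# ewfverify recomputed all agree, instead of eyeballing four 32-char strings.
#
# Assumptions (labelled): ewfacquire flags -u (unattended), -t (target base
# name), -c (compression), -M (media flags), -C/-D/-E/-e/-N (case metadata)
# and -l (log file) follow libewf's man page; the "MD5 hash ..." report lines
# have the shape libewf prints.
set -u

# Digest from one line of md5sum output ("<hash>  /dev/sdb"): the first field.
md5sum_digest() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'
}

# Digest from the "MD5 hash calculated over data:" line that both
# ewfacquire and ewfverify print (last field on that line; empty if absent).
ewf_calculated_digest() {
    printf '%s\n' "$1" | awk '/MD5 hash calculated over data/ { d = $NF } END { print d }'
}

# Digest ewfverify reads back from the image footer ("MD5 hash stored in file:").
ewf_stored_digest() {
    printf '%s\n' "$1" | awk '/MD5 hash stored in file/ { d = $NF } END { print d }'
}

# Exit 0 only when every argument is the same well-formed MD5. An empty
# digest (a parser found no line) fails, so a missing report line is caught.
digests_agree() {
    first=$1
    printf '%s' "$first" | grep -Eq '^[0-9a-f]{32}$' || return 1
    for d in "$@"; do
        [ "$d" = "$first" ] || return 1
    done
    return 0
}

# The live procedure. Needs root, ewf-tools and a write-blocked device.
#   $1 = device node, e.g. /dev/sdb
#   $2 = image base name without extension, e.g. /home/carlos/Desktop/Test/256MbImage
acquire_and_verify() {
    dev=$1
    target=$2
    pre=$(sudo md5sum "$dev") || return 1
    # Case metadata below is placeholder text; fill in the real case values.
    acq=$(sudo ewfacquire -u -t "$target" -c best -M physical \
              -C "CASE-NUMBER-PLACEHOLDER" -D "test media" -E "1" \
              -e "examiner" -N "unattended ewfacquire run" \
              -l "$target.acquire.log" "$dev") || return 1
    ver=$(ewfverify "$target.E01") || return 1
    digests_agree "$(md5sum_digest "$pre")" \
                  "$(ewf_calculated_digest "$acq")" \
                  "$(ewf_stored_digest "$ver")" \
                  "$(ewf_calculated_digest "$ver")"
}

# Constructed sample output (digest taken from the article, report lines
# shaped like libewf's) so the comparison can be exercised with no device.
SAMPLE_MD5SUM='2d0dc508fe22d4e54a09d53a73ea99cb  /dev/sdb'
SAMPLE_ACQUIRE='Acquiry completed.
MD5 hash calculated over data:  2d0dc508fe22d4e54a09d53a73ea99cb'
SAMPLE_VERIFY='Verify started.
MD5 hash stored in file:        2d0dc508fe22d4e54a09d53a73ea99cb
MD5 hash calculated over data:  2d0dc508fe22d4e54a09d53a73ea99cb

ewfverify: SUCCESS'

# Dry run of the four-way comparison over the constructed samples; exit 0 = agree.
check_samples() {
    digests_agree "$(md5sum_digest "$SAMPLE_MD5SUM")" \
                  "$(ewf_calculated_digest "$SAMPLE_ACQUIRE")" \
                  "$(ewf_stored_digest "$SAMPLE_VERIFY")" \
                  "$(ewf_calculated_digest "$SAMPLE_VERIFY")"
}

# "sh acquire.sh --check" runs the dry check; sourcing the file exposes the functions.
if [ "${1:-}" = "--check" ]; then
    check_samples && echo "sample digests agree"
fi
```

Source the file (`. ./acquire.sh`) and call `acquire_and_verify /dev/sdb /home/carlos/Desktop/Test/256MbImage` to run the real thing; the function's exit status is the verdict, so a non-zero result from any step, or any one of the four digests disagreeing, fails the run rather than leaving a mismatch for someone to notice later.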

Conclusion:

These tools, when used separately, give you complete control of the imaging and verification of your acquired images.

If these procedures worked for your case, and you are able to use them in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article [email protected].