unblob icon indicating copy to clipboard operation
unblob copied to clipboard

Published 20 hours ago verified publisher icon onekey-sec

Add support for EWF / E01 disk image format

Open jgrover opened this issue 3 years ago • 1 comments

This is a common disk image format found in the digital forensics domain. Would bring a whole new set of users for unblob if this were added.

jgrover avatar Aug 14 '22 23:08 jgrover

Standard reference documented here: https://github.com/libyal/libewf/blob/main/documentation/Expert%20Witness%20Compression%20Format%20(EWF).asciidoc

Format is made of segments containing sections. We can get to the end offset by browsing through sections.

I didn't find third party extractors so far. What we could do is use ewfexport to translate from ewf to raw data and get other handlers (e.g. extfs, ntfs) pick up chunks from raw.

qkaiser avatar Aug 15 '22 14:08 qkaiser