Mounting E01 images of physical disks in Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
The E01 image format, also known as the Expert Witness Format or the EnCase Image Format, is perhaps the de facto standard for forensic analysis. It is a format owned by Guidance Software containing a bitstream of an acquired disk, case information, checksums for every block of 64 sectors, and a footer with an MD5 hash for the entire bitstream. The E01 format allows for compression, which lessens the number of image files generated during the acquisition process and saves space.

If the E01 format is your preferred format for acquiring media, then you have noticed that mounting the volumes contained in an E01 image always requires that one extra conversion step. In Linux, the program Xmount is the solution. Xmount allows you to convert on-the-fly between multiple input and output hard disk image types. In other words, Xmount can take an E01 and magically make it appear as a DD on the other end, all while maintaining the integrity of the data.

Xmount can also turn an E01 into a VDI (VirtualBox disk) and redirect writes to a cache file. This makes it possible, for example, to use VirtualBox to boot an operating system contained in a read-only E01 image. Converting an E01 into a virtual machine is beyond the scope of this article.

Today we will discuss the steps required to convert an E01 into a DD on-the-fly, and then mount the volume inside of the DD. For the purposes of this article I used an examination computer with Ubuntu 12.04 installed on it.
The ultimate purpose of mounting the volume inside of the image is to make the volume accessible to software. While forensic software can read an E01 directly, other software might need access to the volume's directory structure or files. For example, a virus scanner will need access to the entire directory structure, while a registry viewer will need direct access to the registry hives themselves.
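As an added example (not code from the original article), the on-the-fly conversion and read-only volume mount described above, scripted for the Ubuntu examination machine. It assumes the placeholder paths inside it, the xmount option syntax of the 0.4/0.5 releases of that era, and that Sleuth Kit's mmls is installed to locate the partition.

```shell
#!/bin/sh
# Added example, not code from the original article: present an E01 as a DD
# image with xmount, find the first NTFS volume with Sleuth Kit's mmls, and
# mount it read-only at the right byte offset. Paths are placeholders; the
# xmount option syntax is that of the 0.4/0.5 releases of the Ubuntu 12.04 era.
set -eu

E01="/cases/evidence/disk.E01"   # assumed: first segment of the E01 set
RAW_MNT="/mnt/xmount"            # assumed: FUSE mount point for the DD view
VOL_MNT="/mnt/volume"            # assumed: mount point for the volume

# Read mmls output from stdin and print the byte offset of the first NTFS
# partition (start sector * sector size). Exits 1 when there is none.
ntfs_byte_offset() {
    awk 'BEGIN { sector = 512 }
         /Units are in/ { sub(/-byte/, "", $4); sector = $4 + 0 }
         /NTFS/ && !found { found = 1; printf "%d\n", ($3 + 0) * sector }
         END { if (!found) exit 1 }'
}

# Present the E01 as a read-only DD image. xmount names the output after the
# input, so disk.E01 appears as $RAW_MNT/disk.dd.
expose_raw() {
    mkdir -p "$RAW_MNT"
    xmount --in ewf --out dd "$E01" "$RAW_MNT"
    RAW_IMG="$RAW_MNT/$(basename "$E01" .E01).dd"
}

# Mount the first NTFS volume read-only; noexec/nodev keep anything on the
# evidence from being executed or treated as a device node.
mount_first_ntfs() {
    offset=$(mmls "$RAW_IMG" | ntfs_byte_offset)
    mkdir -p "$VOL_MNT"
    mount -o ro,loop,noexec,nodev,noatime,offset="$offset" "$RAW_IMG" "$VOL_MNT"
}

# Constructed sample of mmls output (one NTFS partition starting at sector
# 2048), so the parser can be exercised without evidence or root.
SAMPLE_MMLS='DOS Partition Table
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0041943039   0041940992   NTFS (0x07)'

if [ "${1:-}" = "--run" ]; then     # only touch the system when asked
    expose_raw && mount_first_ntfs
fi
```

Run it as root with `--run` once the E01 is in place; without the flag it only defines the functions and the sample, and `fusermount -u` on the xmount directory undoes the conversion after the volume is unmounted.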