Welcome back, everyone. Today we're going to talk about ewfmount, which takes an E01 (Expert Witness Format) image and mounts it so you can access it with tools that don't support the E01 format natively. Imagine you want to use a new tool or a Python script that parses images, tags information, or runs some machine-learning algorithm over the data, but the script doesn't understand the Expert Witness Format. In that case you can mount the image and treat it like a normally attached hard drive: you can read the partition table, read any byte of the disk, and, if your operating system understands the file system on a partition, mount that partition and interact with its files directly. So I'm going to show you basic mounting and interaction with an image.

Here I already have one disk image. This is a 4 gigabyte USB stick that we imaged with ewfacquire and saved as an E01 file; there is another video about that. Before we do anything with it, we want to verify that the image is okay. If you haven't already installed the tools, you can install them from Ubuntu's package manager with sudo apt install ewf-tools. I already have them installed. Once ewf-tools is installed, you can type ewf and then Tab twice to see the tools that are included. We've already talked about ewfacquire; ewfacquirestream does the same job as ewfacquire but reads the data from standard input instead of a device. Today we're going to use three of the others: ewfinfo, ewfverify and ewfmount.
First, let's say I don't know anything about this disk image. We can run ewfinfo followed by the file name of the disk image and hit Enter. That prints the information entered by the acquisition technician, starting with the case number. Almost all of this, except for example the acquisition date and the serial number, was typed in by us: when we made the disk image, ewfacquire asked a lot of questions, and the answers are saved in the header of the Expert Witness Format file. Below that is the file format, in this case EnCase 6, the compression method (fast), the media information and the size of the disk, and then what we're really interested in: the MD5 hash. That hash was calculated over the data as it was read from the device during acquisition and stored in the image, and it's what we verify against to make sure the image hasn't been modified before we start analysing it.

Now we can run ewfverify with the name of the disk image. It reads the MD5 hash stored in the image file (the value we just saw in ewfinfo), recomputes the MD5 over all the data in the image, and compares the two. If they're equal we can be confident the data is the same. When it finishes, ewfverify prints the MD5 hash stored in the file and the MD5 hash calculated over the data, and here they match, so the image has not been modified since it was acquired. Two caveats worth knowing: ewfverify only proves the data is consistent with the hash recorded inside the same file, so also compare the value against the hash you wrote down in the acquisition notes at imaging time; and because MD5 is collision-prone, it's good practice to have ewfacquire store an additional digest (its -d option adds SHA1 or SHA256), which ewfverify accepts the same -d option to check.

So now we want to actually mount the disk image, say because we want to access it with a new tool that doesn't support E01 images.
In Linux, the first thing I need to do is create a directory to mount to. I'm going to run sudo mkdir /mnt/temp: /mnt is the conventional mount folder and exists by default on most Linux distributions, and temp is the folder I'm creating inside it. Because I created it with sudo, the folder is owned by root, the admin user, with permissions for that user, so I want to change the ownership so that my own user (I'm logged in as Joshua) can access it. Notice we haven't touched the disk image yet; we're just preparing. So I run sudo chown Joshua /mnt/temp (no -R is needed, the directory is empty), which makes me the owner, and then, to be sure of the permissions, sudo chmod 755 /mnt/temp: the 7 gives the owner full access, and the two 5s give the group and everyone else read and execute only. That restriction doesn't matter much here, because this computer isn't even online, but my user does need full access to the mount point. There is also a practical reason to mount as your own user rather than with sudo: ewfmount is a FUSE file system, and by default a FUSE mount is only visible to the user who performed it (unless the allow_other option is used), so mount as the user who will run the analysis tools.

Now that we have a mount point, we run ewfmount with two arguments: the E01 file name of the disk image and the mount point, /mnt/temp. Hit Enter.
What you should see is the ewfmount banner with its version number and then nothing else. That is good: if you don't get an error, it most likely worked. We can check by running the mount command, which lists everything mounted on the computer, and filtering for temp, since it's a fairly unique folder name: mount | grep temp. The vertical bar is a pipe; it sends the output of mount into grep, which is a search and filtering tool, so only lines containing temp are shown. The line that comes back shows /mnt/temp mounted with a type of fuse, so this is a FUSE virtual file system rather than a block device, and ewfmount mounts it read-only.

Now I can cd /mnt/temp to move into that directory (notice the prompt changes from my storage directory to /mnt/temp) and run ls. Inside you'll see a single entry called ewf1. That is the actual disk image: ewfmount has mounted the EWF container, and inside it the raw, decompressed image of the disk we acquired is presented as one flat file. Now I can run my tools against ewf1. The first thing I might want to do is find out what partitions it contains, and my favourite tool for that is mmls from The Sleuth Kit. If you don't have it installed, you can run sudo apt install sleuthkit.
If you'd rather have a newer version than the package manager offers, I also have a video on compiling The Sleuth Kit from source. Either way, once it's installed you have mmls, and we run mmls ewf1 to feed the raw image into it. It prints the partition table of the disk we imaged, and in particular the start offset of each partition in sectors, together with the sector size. I could keep using The Sleuth Kit on this image, but I wouldn't really need ewfmount for that, since The Sleuth Kit reads E01 files directly. What the mount buys me is the offset: with the start sector and the sector size I can mount a partition out of ewf1 by byte offset (sudo mount -o ro,loop,offset=<bytes> ewf1 <mount point>) and, as long as my computer understands the file system on it, interact with the files directly. So we have the partition information, and we can do whatever we want depending on which tools we run against it; the tools don't have to understand the Expert Witness Format at all. They see a normal disk.

That's pretty much it for mounting. The last thing I'll show you is how to unmount. Right now I'm inside /mnt/temp, and if I try to unmount while I'm in it I'll get an error because the mount is busy, so first I move back up one directory to /mnt. An ls there shows the temp folder where the image is mounted. Then I can run sudo umount /mnt/temp (fusermount -u /mnt/temp does the same without sudo, since the FUSE mount belongs to my user). Before I do, I run mount | grep temp again and it shows the mount; after sudo umount /mnt/temp, the same grep shows nothing.
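The whole procedure above (verify, expose with ewfmount, read the partition table with mmls, mount one partition read-only at the computed byte offset, and unmount in the right order), as an added example script that is not from the video. The mount-point paths, the partition entry index 002 and the mmls output in SAMPLE_MMLS are assumptions constructed for illustration; the functions that need ewf-tools, sleuthkit and root are defined but not invoked. mmls_offset_bytes is written for the general case, reading the sector size from the mmls "Units are in N-byte sectors" line instead of assuming 512, so it also works for 4K-sector disks.

```shell
#!/bin/sh
# Added example (not the video's own commands): verify an E01, expose it with
# ewfmount, read the partition table with mmls, and mount one partition
# read-only at the right byte offset.  Paths, the partition index and the
# sample mmls output below are assumptions/constructed for illustration.

# Constructed mmls output for a 4 GB stick with one FAT32 partition
# (what `mmls /mnt/temp/ewf1` might print; not captured from the video).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0007864319   0007862272   Win95 FAT32 (0x0b)'

# mmls_offset_bytes MMLS_TEXT ENTRY -> prints the start offset of ENTRY in bytes.
# The sector size comes from the "Units are in N-byte sectors" line rather than
# a hard-coded 512; returns 1 if the entry (or the units line) is missing.
mmls_offset_bytes() {
    printf '%s\n' "$1" | awk -v want="$2:" '
        /^Units are in /        { split($4, a, "-"); sec = a[1] + 0 }
        $1 == want && sec > 0   { printf "%d\n", ($3 + 0) * sec; found = 1 }
        END                     { if (!found) exit 1 }'
}

# mount_ewf_partition IMAGE.E01 EWF_MOUNT ENTRY PART_MOUNT
# Full procedure; needs ewf-tools, sleuthkit and sudo for mount.  Assumes both
# mount points already exist and are owned by the invoking user, as prepared
# earlier in the tutorial.  Defined only, not run here.
mount_ewf_partition() {
    img=$1; ewfmnt=$2; entry=$3; partmnt=$4

    # 1. Refuse to work on an image whose stored MD5 no longer matches its data.
    ewfverify "$img" || { echo "hash mismatch: $img" >&2; return 1; }

    # 2. Expose the decompressed raw image as $ewfmnt/ewf1 (FUSE, read-only).
    ewfmount "$img" "$ewfmnt" || return 1

    # 3. Work out where the partition starts, then loop-mount it read-only.
    off=$(mmls_offset_bytes "$(mmls "$ewfmnt/ewf1")" "$entry") || {
        echo "partition entry $entry not found" >&2; return 1; }
    sudo mount -o ro,loop,offset="$off" "$ewfmnt/ewf1" "$partmnt"
}

# unmount_ewf_partition PART_MOUNT EWF_MOUNT: reverse order, and leave the
# mount points first (cd out) so the unmounts are not refused as busy.
unmount_ewf_partition() {
    cd / || return 1
    sudo umount "$1"
    fusermount -u "$2"   # equivalent to: sudo umount "$2"
}

# Demonstration on the constructed table: entry 002 starts at sector 2048,
# 2048 * 512 = 1048576 bytes.
mmls_offset_bytes "$SAMPLE_MMLS" 002
```

Two practitioner notes on the mount step. For an ext3/ext4 partition add noload to the options (ro,noload,loop,offset=...) so the kernel does not try to replay a dirty journal into a read-only image; and if you would rather not compute offsets at all, sudo losetup -r -P -f --show /mnt/temp/ewf1 attaches the raw image as a read-only loop device and scans its partition table, giving you /dev/loopNp1, /dev/loopNp2 and so on to mount directly.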
So now the image has been unmounted, and that's all there is to it. ewfmount is a really handy tool: when the thing you want to run isn't a forensic tool that understands E01, it's often much easier to expose the data this way and access it directly. I hope that was helpful. Thank you very much, have a good day, and if you liked this video please subscribe for more.