Welcome back everyone. Today we're going to talk about how to acquire a disk image using ewfacquire in Linux. Now, the goal of ewfacquire is usually to make Expert Witness Format images, or E01. So the E01 file format is a really common format that a lot of tools and a lot of investigators use. It does have some built-in consistency checking mechanisms, checksums within the actual file itself, so it is pretty useful, and a lot of investigators, or even a lot of police officers, or even judges or courts, often want the disk images to be in E01 format.

Yeah, so basically today I'm gonna show you how to collect an E01 file from the command line using the tool ewfacquire in Ubuntu, or any other Linux distribution that supports it, okay? So the first thing we need to do is install it. In Ubuntu, and I believe in Debian, you can install ewf-tools, so we can do sudo apt-get or apt install ewf-tools: sudo apt install ewf-tools, and then it should go out and download everything for us.

Okay, so now we have the newest version. We can also build from source; I'm just gonna use the tools from the package manager right now. We can see that it's installing ewf-tools 20140608. I'm sure that there's actually a newer version, but I'm just gonna show you from the repository right now because it's fairly easy, fairly straightforward to do. So once we install ewf-tools, you can type ewf and then hit tab, and you can see a couple of utilities that are included in the ewf-tools package. So ewfacquire is what we're gonna focus on today. ewfacquirestream is pretty much what it sounds like: you can make a stream and send it to ewfacquirestream and it will convert it to whatever format you're trying to save to. ewfdebug, ewfexport, ewfinfo, ewfmount I may also show you how to use at a later date; it's also quite useful. ewfinfo shows you information about the disk image.
It's also pretty handy. ewfrecover and ewfverify: verify obviously checks the checksum, or the hash value, that's actually inside the disk image. So Expert Witness Format files are not like raw disk images. Raw disk images are just a bit-by-bit copy only, whereas Expert Witness files actually have a little bit of a data structure. They add some extra information in the disk image in the form of a header and a footer, and then some checksums in between data segments. So, yeah, there's actually just a couple more features. In some ways this makes it a little bit better than a raw disk image, because we can actually figure out which data segment has changed if some data does change. If you just have a raw disk image, unless you have hash values of each piece or each section of the raw disk image, you won't know which section has been modified if there is data that changed. Of course, in digital forensics we hope that none of this data changes, but it's always a possibility. So EWF formats kind of support checking, or doing some other verification, within data segments themselves.

So what we want to do right now is acquire an image using ewfacquire. So we've already installed ewf-tools. We want to use ewfacquire to copy a disk image. Okay, now ewfacquire comes with a lot of options; it's a really powerful tool. I'll just go through the main options right now and we can image a disk. So the first thing we need to do is list the disks that we might want to image, so the disks that are installed in this system. There's a couple of ways I can do that. The normal, or a very common way I guess I should say, in Linux to list your disks from the command line is to do sudo fdisk -l, and that will list all of the disks using the fdisk utility. The problem with fdisk is that you do have to use sudo to run it to get access. And then whenever we look through here, let me see if I can quickly find the disk I want. So basically I want to image this 3.8 gigabyte, just a USB stick, in my system.
I can see that it is assigned as /dev/sde. So this is the physical disk indicator in Linux. It's 3.8 gigabytes, so I know that's the one that I want. We can see the sector size, which might be interesting to us later, and we can see that it has here basically two, kind of like, partitions. Basically, sde1 would be logical disk one and sde2 would be logical disk two. Logical disk two is formatted as, it looks like, FAT, probably 32. So we get a little bit of information here. But what I'm really interested in, because I want to make a physical disk image, not a logical disk image: I want to acquire the entire USB stick, not just a partition on the USB stick. So then I need to focus on /dev/sde, which is the indicator, or kind of the address, for the physical disk. Okay, so /dev/sde. And then /dev/sde1 and 2 I'm not going to worry about too much, because whenever we collect the data we're also going to be collecting those partitions. Okay.

So now that I know that it's /dev/sde, just really quickly, another way to list your disks without having access to root or sudo is lsblk. So ls is list and blk is block, and that will tell us the block devices that are available, and I hope it lists it here. Yeah, so here we get a little bit more information, where it's mounted at. So I have this sdd; basically all of these other ones are built into my system or they're external drives. I'm interested in sde, with sde1 and 2, and we can see that sde1 is mounted as Linux Mint. This is the volume label, actually, for this. Okay, and where it's mounted on. Right, so now we know /dev/sde is the disk that I'm interested in. We can list the disks with either ls block, or lsblk, or sudo fdisk -l.
Okay, so now I'm gonna clear that out. Now we want to use ewfacquire, and I think I have to use sudo, so I'm gonna go ahead and do it: sudo ewfacquire, and then I want to give it the device that I want to image. Now if I just do sudo ewfacquire, it will give me a long list of all of the options that I can put in with ewfacquire, and this makes the tool really flexible, basically. Now it also has kind of a menu, so if you don't fill all of the required values in, then it will ask you for all of the required values. So I won't go through all of these right now, but there is a help menu: just run ewfacquire without any extra commands and it will show you the help menu. Okay, but for now we're going to do sudo ewfacquire and I'm gonna give it /dev/sde. Now this is the disk that I want to image; this is our target disk. So /dev/sde. Okay, and then it's now saying, okay, we found it: the bus type is USB, that's correct; the vendor is SMI, model USB DISK, okay; serial number, okay. So all of this we would want to record in our documentation. So I've already started, I've identified, I've, you know, plugged the disk into a write blocker, the write blocker is plugged into my system, it identified as /dev/sde, ewfacquire recognized the disk and it gives me this information, so I want to make sure I document that now. So storage media information: type device, media type removable, media size 4 gig, and bytes per sector 512. Okay.

So now the image path and file name without extension. So I'm actually right now in the media/Joshua/storage/temp folder, so I'm gonna copy that. I've already pre-set up, pre-planned out where I want to store everything. I'm gonna put it this time in the temp folder that I'm already in, and I need to give it the disk image name. So I'm currently in this storage/temp folder, so temp is a directory name.
Then I want to give it another, an actual file name. So in this case I would need to give it something relevant to the disk itself. So let's say it's a, kind of a, let's say 2017 to give it a date; it's a USB; it's gold; and on the disk it actually says 4 gig. So I'm gonna name this 2017 USB gold 4 gig. I need to be able to identify, you know, a physical device with just an image name, so some way to tie this together. You could also include, for example, the case number. Whoops. So I could call it, you know, 4G and then maybe the case number is 001, something like that. So I would usually have, you know, like case number, date, and then some sort of identifier and the type of drive, and then if I know the size, the size as well. Okay, so something like that. Think about a file name that lets you understand very quickly what the image is. Don't make it a generic file name, otherwise you might get disk images confused between cases. For example, I would never in a real case put this in a temp folder; I would always put it in a special case folder dedicated to that individual case. Okay.

Right, so next I hit enter, and then we've set the image path now with the case number itself and this information. So the first thing it's asking us for is where are we actually gonna save the data to, so I'm saving the data to my computer. Now it's asking for the case number, and this information is case metadata that will be stored inside the Expert Witness Format header. So basically the beginning of the disk image will have all of this extra metadata that we're entering now. So I'm gonna give it a case number of 001. Description, like I said, gold 4 gig USB from, you know, case, I don't know, murder, something like that. Okay. Evidence number: so in this case this is my first piece, this is my first exhibit, so I'm gonna give it an exhibit number of 001. And then examiner name: Joshua. You should put your full name, by the way. Any extra notes.
So again, you know, if this was related, whatever I knew about this device, I would have that information in my documentation, but I would also usually give some notes as an indicator. Not very long notes, but at least some notes to kind of give some indication about what I know. The media type: this is a USB stick, so it's removable. Media characteristics, logical or physical: now remember I said we wanted to do a physical disk image, so we want to do physical. Use EWF file format: so we can choose here EWF, which is the Expert Witness Format; SMART, which is a different format that I think is mostly used just in the US, if it's even used anymore, I don't really know; FTK formats, basically they have their own format that also supports encryption, so I think EWF and FTK both support compression and encryption; and then the different versions of EnCase and LinEn. And by default it's using EnCase 6, so we're just gonna keep the default for now. Compression method: deflate. I'm just gonna choose deflate. And then compression level: I'm gonna choose fast. Compression is a pretty handy feature; I think that's why most people prefer to use these types of formats rather than raw, because raw, again, is a bit-by-bit copy; it means that if you have a one terabyte hard drive, you have to copy one terabyte. In this case we're copying all of the data, but we're also compressing it. So here we're gonna do fast compression, so hopefully it's pretty quick.

Start to acquire at offset: so you can also set the offset in the disk where you actually want to acquire at, and this is very similar to using dd. So in dd you can also say, you know, where do you want to start? How much data do you want to copy? So this is a pretty handy feature as well, to be able to set the offset to acquire.
I'm just gonna start at the, I'm gonna copy the entire disk, so I'm gonna start at zero and end at the end. And evidence segments, evidence segment size, defaults to 1.4 gigabytes and we are going to say, let's do 10, 10 gigabits, okay. Number of sectors: 512. Number of sectors to read at once: let's do 64, just the defaults. Sectors to use as error granularity: let's do, yeah, default again. Retries whenever an error occurs, so basically from 0 to 255; default is 2, we'll set it at that. If you set the error retries really high, then imaging will take a very long time, but you might, you might be more likely to get the data, but it will take a lot longer. Wipe sectors on read error: so in this case, if there's a read error, what do we actually want to do with those sectors? Do we skip them? Do we default to zero? Do we default to one? And in this case it's mimicking EnCase-like behavior, so we are just gonna accept the default and do no. And then this gives us a, so zero sectors on read error, we're doing no. And this gives us kind of an overview of our entire disk. Continue acquisition with these values? Just hit yes, and then it should start going.

Okay, so now it's copying, and it will give you the status menu the entire time. So we started, looks like at 730, to acquire, and then once this is done I'll come back and talk a little bit more about the resulting files. Okay, so now that the data is finished copying, we can see that we got all of the data, how long it took, the average copy rate, and then the MD5 hash calculated over all of the data, which will be stored in the Expert Witness Format footer. If we look, let me get the data here real quickly, if we look we have a single image, because I set the split size to be 10 gigabytes and this was only a 4 gigabyte image. So now we have a 4 gigabyte E01 image, or Expert Witness Format image, that we can load up into basically any forensic tool, because most forensic tools support the Expert Witness Format.
So it's pretty easy to use ewfacquire to analyze, or sorry, to collect the data. Just while we're here, we will also use ewfverify. So in the folder I have the image that I've just collected. I'm going to use ewfverify against the disk image. Let's run it without any commands first. So it also has basically the same, or some extra, options you can use. I'm just going to take the defaults, because it's just going to treat it like a normal E01 image. So let's do ewfverify. I probably have to be sudo. I have to be sudo because I don't have access to the image, because I copied it as sudo. So the first thing I need to do is probably change the permissions on the file, but we can see that sudo ewfverify and then the image file that we just copied, hit enter, and now it's going through and rehashing everything. So it takes the hash value from the footer, it hashes all of the data again, and then compares it, and we get a success. Okay, so that's how to use ewfacquire and ewfverify from the Linux command line. Thank you very much. If you like this video, please subscribe for more.
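The acquisition and verification walked through above, as an added example that is not the video's commands or part of the libewf project: it answers the same menu questions with ewfacquire's command-line flags so the job runs unattended, runs ewfverify, and then cross-checks the MD5 ewfacquire reports against an independent md5sum of the device, because ewfverify only compares the image with the hash stored inside that same image. It assumes ewfacquire, ewfverify and md5sum are on PATH, the device is behind a write blocker, that the "10GiB" size spelling is accepted by -S, and that the "MD5 hash calculated over data:" line appears in the -l log file; the script name, paths and case values are constructed.

```shell
#!/bin/sh
# Added example (not the video's commands or part of ewf-tools): run the same
# acquisition unattended, verify the container, and cross-check the MD5 that
# ewfacquire reports against an independent md5sum of the device itself.
# Assumptions: ewfacquire, ewfverify and md5sum are on PATH, the device is behind
# a write blocker, "-S 10GiB" is an accepted size spelling, and the
# "MD5 hash calculated over data:<TAB>hex" line also appears in the -l log file.

# Build the command line mirroring the menu answers in the video:
# physical image of removable media, EnCase 6 format, deflate:fast, 10 GiB segments.
# usage: build_acquire_cmd DEVICE TARGET_WITHOUT_EXT CASE_NO EVIDENCE_NO EXAMINER DESCRIPTION
build_acquire_cmd() {
    printf 'ewfacquire -u -t %s -C %s -E %s -e %s -D "%s" -m removable -M physical -f encase6 -c deflate:fast -S 10GiB -d sha256 -l %s.log %s' \
        "$2" "$3" "$4" "$5" "$6" "$2" "$1"
}

# Extract the MD5 ewfacquire printed, reading its log on stdin (label text assumed).
parse_acquired_md5() {
    awk -F'\t' '/MD5 hash calculated over data/ { print $NF; exit }'
}

# Hash the block device directly, bypassing the EWF container entirely.
device_md5() {
    md5sum "$1" | awk '{ print $1 }'
}

# True only when both hashes are non-empty and identical.
hashes_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Acquire, verify the E01 against its own footer hash, then compare with the device.
acquire_and_check() {
    dev=$1; target=$2
    eval "$(build_acquire_cmd "$dev" "$target" "$3" "$4" "$5" "$6")" || return 1
    ewfverify "$target.E01" || return 1
    acquired=$(parse_acquired_md5 < "$target.log")
    direct=$(device_md5 "$dev")
    if hashes_match "$acquired" "$direct"; then
        echo "OK: $acquired matches the device; record it in the case notes"
    else
        echo "MISMATCH: image $acquired vs device $direct (read errors? re-read before trusting)" >&2
        return 1
    fi
}

# Only runs when invoked with all six arguments, e.g. (paths and names are constructed):
#   sudo sh acquire.sh /dev/sde /cases/001/2017_USB_gold_4GB_001 001 001 Joshua "gold 4GB USB"
if [ "$#" -ge 6 ]; then acquire_and_check "$@"; fi
```

A mismatch between the two hashes is expected when ewfacquire hit read errors and filled sectors, which is exactly the case worth re-reading and documenting rather than trusting the embedded hash alone.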