How to Mount a Linux partition from an E01 Image

With ewfmount, anything is possible! Mounting a Linux partition on a Linux system is similar to mounting an APFS image. To access some parts of the partition during your examination, you will need sudo privileges. Otherwise, everything is as usual.

Mounting

1. Create an ewf mountpoint:

    sudo mkdir /mnt/ewf

2. Mount the E01 image:

    sudo ewfmount /path/to/image.E01 /mnt/ewf

3. Check that the image mounted correctly:

    sudo ls -la /mnt/ewf

It should return /mnt/ewf/ewf1

4. Look at the partition table to identify the starting offset of the partition of interest:

    sudo mmls /mnt/ewf/ewf1

In this example, the image has three partitions: the main “C:/” partition (in blue), another NTFS partition (in pink) and a Linux partition (in yellow). The Linux partition starts at offset 75560960. mmls reports this offset in 512-byte sectors, while losetup expects bytes, so to mount it you will have to multiply the offset by 512.

5. Create a mount point for the second Linux Partition:

    sudo mkdir /mnt/Linux

6. Check for available loop devices:

    df -h

This is an output example I took from here, the user is on Ubuntu 20.04:

As you can see, the biggest “loop” is loop4. The user above would mount the partition to /dev/loop5, because all other /dev/loop (below 5) are being used. If you have no /dev/loop showing up, then you can mount it to /dev/loop1.

7. Mount the partition as a loop device:

    # 75560960 is the start sector from mmls; replace loop5 with your own free loop device
    sudo losetup -r -o $((75560960 * 512)) /dev/loop5 /mnt/ewf/ewf1

8. Mount the partition as a logical drive:

    # use the same loop device you attached in step 7
    sudo mount -o ro,noload /dev/loop5 /mnt/Linux

9. Check that all is mounted correctly:

    ls -la /mnt/Linux

Unmounting

1. Unmount the Linux Partition:

    sudo umount /mnt/Linux

2. Unmount the E01 image:

    sudo umount /mnt/ewf

TLDR

– There are many different ways to mount Linux partitions.
– Mount E01 with libewf.
– Mount as loop device.
– Mount the filesystem.
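
The mounting and unmounting steps above, collected into a script. This is an added example, not code from the original post: the function names are hypothetical, the sample mmls output is constructed (only the Linux start sector 75560960 comes from the post), and it goes beyond the manual steps by reading the sector size from mmls, letting `losetup -f --show` pick the free loop device instead of reading `df -h`, and detaching the loop device with `losetup -d` before unmounting /mnt/ewf.

```shell
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.
# Constructed mmls output: only the Linux start sector (75560960) is from the post.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0041945087   0041943040   NTFS / exFAT (0x07)
003:  000:001   0041945088   0075560959   0033615872   NTFS / exFAT (0x07)
004:  000:002   0075560960   0083886079   0008325120   Linux (0x83)'

# Read mmls output on stdin; print start sector * sector size for the first
# partition whose Description matches the pattern in $1.
mmls_byte_offset() {
    local pat=$1 fields
    fields=$(awk -v pat="$pat" '
        BEGIN { ss = 512 }                               # assumed if no Units line
        /^Units are in/ { split($4, u, "-"); ss = u[1] } # "512-byte" -> 512
        /^[0-9]+:/ {
            desc = ""
            for (i = 6; i <= NF; i++) desc = desc " " $i
            if (desc ~ pat) {
                start = $3; sub(/^0+/, "", start)        # padding would parse as octal
                if (start == "") start = "0"
                print start, ss; exit
            }
        }')
    [ -n "$fields" ] || { echo "no partition matching '$pat'" >&2; return 1; }
    set -- $fields
    echo $(( $1 * $2 ))
}

# Attach read-only on the first free loop device and mount; prints the device.
mount_linux_ro() {   # usage: mount_linux_ro /mnt/ewf/ewf1 /mnt/Linux
    local raw=$1 mnt=$2 off dev
    off=$(sudo mmls "$raw" | mmls_byte_offset 'Linux') || return 1
    dev=$(sudo losetup -f --show -r -o "$off" "$raw") || return 1
    sudo mount -o ro,noload "$dev" "$mnt" || { sudo losetup -d "$dev"; return 1; }
    echo "$dev"
}

# Release in reverse order: filesystem, loop device, then the ewf mount.
unmount_linux() {    # usage: unmount_linux /dev/loopN /mnt/Linux /mnt/ewf
    sudo umount "$2" && sudo losetup -d "$1" && sudo umount "$3"
}
```

Keep the device name that `mount_linux_ro` prints; `unmount_linux` needs it as its first argument.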
