forensicskween

How to mount Windows E01 images in Linux

A simple guide on how to mount NTFS/Windows Partitions from E01 images in Linux.

Mounting

1. Create mountpoint for E01 image

				
					mkdir /mnt/ewf

2. Mount the E01 image

				
					sudo ewfmount /path/to/your/Windows.E01 /mnt/ewf

3. Check that the image mounted correctly (it should return /mnt/ewf/ewf1)

				
					sudo ls -la /mnt/ewf

4. Look at the partition table to identify the starting offset of the partition of interest

				
					sudo mmls /mnt/ewf/ewf1




In this example, our partition of interest is the one starting with 1126400.

5. Create a mount point for the NTFS Partition

				
					sudo mkdir /mnt/Windows

6. Mount the partition

				
					sudo mount -t ntfs-3g -o loop,ro,show_sys_files,stream_interface=windows,offset=$((1126400*512)) /mnt/ewf/ewf1 /mnt/Windows

7. Check that all is mounted correctly

 

				
					sudo ls -la /mnt/Windows

Unmounting

1. Unmount the Windows mount point

				
					sudo umount /mnt/Windows

2. Unmount the E01 image

				
					sudo umount /mnt/ewf

TLDR

– Use libewf to mount the image

– Use sleuthkit to identify offset of partition & mount it

Twitter Github Discord

Recent Posts

Follow Us

Featured Video

Guide

forensicskween

1 thought on “How to mount Windows E01 images in Linux”

  1. Pingback: Windows Forensics - CyberDefenders x DFA2020 CTF

Leave a ReplyCancel reply

Twitter
Reddit
Facebook
••• You Might Also Enjoy

Socials

Twitter Github

Copyright © 2022 forensicskween

Discover more from forensicskween

Subscribe now to keep reading and get access to the full archive.

Continue reading

Exit mobile version
%%footer%%