How to mount a multi-partition Windows E01 Image in Linux

You have an E01 image with more than one NTFS partition and you want to mount all the partitions. You will have to treat each partition independently and mount them separately. My advice is to first mount the main partition (the C:/ partition), and then mount the rest according to your needs. This tutorial covers an image with two NTFS partitions. If you are dealing with three, four or more partitions you can follow the same steps, just make sure you create a different mountpoint for each.

Mounting

1. Create an ewf mountpoint for the image (a second one, used for the second partition):

    sudo mkdir /mnt/ewf1

2. Mount the E01 image:

    sudo ewfmount /path/to/Windows.E01 /mnt/ewf1

3. Check that the image mounted correctly (the listing should show /mnt/ewf1/ewf1, the raw disk image that ewfmount exposes):

    sudo ls -la /mnt/ewf1

4. Look at the partition table to identify the starting offset of the partition of interest (mmls reports offsets in sectors and prints the sector size it uses, 512 bytes here):

    sudo mmls /mnt/ewf1/ewf1

The mmls output shows that this image has three partitions: the main C:/ partition (in blue in the screenshot), another NTFS partition (in pink) and a Linux partition (in yellow).

The C:/ partition starts at sector offset 1126400 and the second partition starts at sector offset 67106816. Here, we are interested in the second partition (in pink).

5. Create a mount point for the second partition:

    sudo mkdir /mnt/Windows1

6. Mount the partition read-only (the offset option of mount takes bytes, so the sector offset is multiplied by the 512-byte sector size):

    sudo mount -t ntfs-3g -o loop,ro,show_sys_files,stream_interface=windows,offset=$((67106816*512)) /mnt/ewf1/ewf1 /mnt/Windows1

7. Check that all is mounted correctly:

    sudo ls -la /mnt/Windows1

Unmounting

1. Unmount the second Windows mount point:

    sudo umount /mnt/Windows1

2. Unmount the E01 image:

    sudo umount /mnt/ewf1

TLDR

– Create a second mountpoint for the E01 image
– Mount it with libewf (ewfmount)
– Use The Sleuth Kit (mmls) to identify the partition offset, then mount the partition at that offset
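The whole procedure above, mounting and unmounting, as a script. This is an added example, not code from the original post: it parses the NTFS partition offsets out of the mmls output instead of reading them by eye, takes the sector size from mmls rather than assuming 512, and mounts each partition read-only at /mnt/Windows<index>. It assumes ewfmount (libewf), mmls (The Sleuth Kit) and ntfs-3g are installed; the function names and the SAMPLE_MMLS table are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the mount/unmount steps above as
# functions, with the partition offset parsed from mmls rather than read by eye.
# Assumes ewfmount (libewf), mmls (The Sleuth Kit) and ntfs-3g are installed.
set -eu

# Read mmls output on stdin; print "index start_sector byte_offset" for every
# NTFS partition. The sector size comes from mmls's own "Units are in N-byte
# sectors" line, so the byte offset is also right for 4K-sector images.
ntfs_partitions() {
    awk 'BEGIN { sector = 512 }
         /Units are in [0-9]+-byte sectors/ { sub(/-byte.*/, "", $4); sector = $4 }
         /NTFS|Basic data partition/ {
             start = $3 + 0                      # drop leading zeros
             printf "%d %.0f %.0f\n", ++n, start, start * sector
         }'
}

# Mount every NTFS partition of an E01 read-only at /mnt/Windows<index>.
mount_e01_ntfs() {
    image="$1"; ewf_dir="${2:-/mnt/ewf1}"; raw="$ewf_dir/ewf1"
    sudo mkdir -p "$ewf_dir"
    sudo ewfmount "$image" "$ewf_dir"
    sudo mmls "$raw" | ntfs_partitions | while read -r idx start bytes; do
        sudo mkdir -p "/mnt/Windows$idx"
        echo "partition $idx: sector $start, byte offset $bytes -> /mnt/Windows$idx"
        sudo mount -t ntfs-3g \
            -o loop,ro,show_sys_files,stream_interface=windows,offset="$bytes" \
            "$raw" "/mnt/Windows$idx"
    done
}

# Reverse order: the partitions first, then the ewf mount.
umount_e01_ntfs() {
    ewf_dir="${1:-/mnt/ewf1}"
    for mp in /mnt/Windows[0-9]*; do
        [ -d "$mp" ] && sudo umount "$mp"
    done
    sudo umount "$ewf_dir"
}

# Constructed mmls table with the two NTFS offsets from the post (not real output).
SAMPLE_MMLS='Units are in 512-byte sectors
      Slot      Start        End          Length       Description
002:  000:000   0001126400   0067106815   0065980416   NTFS / exFAT (0x07)
003:  000:001   0067106816   0100000000   0032893185   NTFS / exFAT (0x07)
004:  000:002   0100000001   0120000000   0019999999   Linux (0x83)'
printf '%s\n' "$SAMPLE_MMLS" | ntfs_partitions
if [ "$#" -ge 1 ]; then mount_e01_ntfs "$@"; fi
```

Run it with the image path as the first argument to mount; with no arguments it only prints the offsets parsed from the constructed table.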
