How to Mount a Linux partition from an E01 Image

With ewfmount, anything is possible! Mounting a Linux partition to a Linux system is similar to mounting an APFS image. During your examination, you will need sudo privileges to access some parts of the partition. Otherwise, everything is as usual.

Mounting #

Create an ewf mount point: #

sudo mkdir /mnt/ewf

Mount the E01 image: #

sudo ewfmount /path/to/image.E01 /mnt/ewf

Check that the image mounted correctly #

sudo ls -la /mnt/ewf

It should return /mnt/ewf/ewf1

Look at the partition table to identify the starting offset of the partition of interest #

sudo mmls /mnt/ewf/ewf1

In this example, the image has three partitions: the main “C:/” partition (in blue), another NTFS partition (in pink) and a Linux partition (in yellow). The Linux partition starts at offset 75560960. mmls reports this offset in sectors (512 bytes each here), while losetup expects an offset in bytes, so to mount the partition you will have to multiply the offset by 512.

Create a mount point for the second Linux Partition #

sudo mkdir /mnt/Linux

Check for available loop devices: #

df -h

This is an output example I took from here; the user is on Ubuntu 20.04:

As you can see, the biggest “loop” is loop4. The user above would mount the partition to /dev/loop5, because all other /dev/loop (below 5) are being used. If you have no /dev/loop showing up, then you can mount it to /dev/loop1.

Mount the partition as a loop device: #

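# 75560960 is the start sector from mmls and loop5 the free loop device in this example; substitute your own values
sudo losetup -r -o $((75560960 * 512)) /dev/loop5 /mnt/ewf/ewf1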

Mount the partition as a logical drive #

# loop5 is the loop device from the previous step in this example; substitute your own
sudo mount -o ro,noload /dev/loop5 /mnt/Linux

Check that all is mounted correctly #

ls -la /mnt/Linux

Unmounting #

Unmount the Linux Partition #

sudo umount /mnt/Linux

Unmount the E01 image #

sudo umount /mnt/ewf
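
The whole sequence as a script, added here as an example and not taken from the original page: it reads the start sector and sector size from the mmls listing instead of multiplying by hand, lets losetup pick the free loop device, and detaches that device before unmounting the image. The function names and the sample mmls listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed mmls listing matching the layout described above (not real case data).
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0050333695   0050331648   NTFS / exFAT (0x07)
003:  000:001   0050333696   0075560959   0025227264   NTFS / exFAT (0x07)
004:  000:002   0075560960   0083949567   0008388608   Linux (0x83)
EOF
}

# Read mmls output on stdin; print "<start sector> <byte offset>" for the
# first partition whose description contains $1.
partition_offset() {
    awk -v want="$1" '
        BEGIN { unit = 512 }
        /^Units are in/ { split($4, u, "-"); unit = u[1] + 0 }  # "512-byte" gives 512
        /^[0-9]+:/ && index($0, want) {
            start = $3 + 0                                      # drops the zero padding
            printf "%d %.0f\n", start, start * unit
            exit
        }'
}

# Attach read-only at a byte offset and mount; prints the loop device used.
# --find --show lets losetup choose the free device instead of reading df -h.
mount_ro() {    # usage: mount_ro /mnt/ewf/ewf1 <byte offset> /mnt/Linux
    dev=$(sudo losetup -r -o "$2" --find --show "$1") || return 1
    sudo mount -o ro,noload "$dev" "$3" && echo "$dev"
}

# A device attached with losetup stays attached after umount, so detach it
# before unmounting the E01 image.
unmount_all() { # usage: unmount_all /mnt/Linux /dev/loopN /mnt/ewf
    sudo umount "$1" && sudo losetup -d "$2" && sudo umount "$3"
}

# Demo on the constructed listing; on a real image pipe in: sudo mmls /mnt/ewf/ewf1
sample_mmls | partition_offset Linux    # prints: 75560960 38687211520
```
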
Updated on 17th May 2023