Tags: cybersecurity, Kali Linux, forensics, e01, ewfacquire
In digital forensics, preserving the integrity of evidence is essential. Creating a forensic image in .E01
format (Expert Witness Format) is a standard practice for cloning disks without altering them. In this article, you will learn step by step how to create a forensic image from Kali Linux using free tools and following best practices.
You will need sudo privileges, the libewf-tools package (which includes ewfacquire), and a location with enough space to store the resulting .E01 image.
Connect the suspect disk, open a terminal, and run the following to identify the disk's device name (for example /dev/sdb):
sudo fdisk -l
The ewfacquire tool
ewfacquire is a command-line tool that is part of the libewf-tools package. Its function is to create a forensic image in .E01 format (Expert Witness Format), widely used in digital investigations because it can include metadata, calculate hashes and compress data, and is broadly accepted in the forensic field.
Install it with:
sudo apt update
sudo apt install libewf-tools -y
Run the following command, replacing /dev/sdb
with the correct disk name:
sudo ewfacquire /dev/sdb
ewfacquire then asks for the case details interactively. The values used in this example are:
Case number: case-001
Evidence number: evidence-01
Description: Hard drive extracted from suspect laptop
Image path and filename: /home/kali/evidence001.E01
The tool will automatically calculate MD5 and SHA1 hashes.
When you make a forensic copy, it is vital to ensure it is an exact, bit-by-bit copy of the original disk. To verify this, we use hash functions like MD5 and SHA1. A hash is like a digital fingerprint of a file. It is a string of characters generated by a mathematical formula. If anything changes in the original data (even a single bit), the resulting hash changes completely.
For example, suppose the MD5 hash of an original disk is:
9e107d9d372bb6826bd81d3542a419d6
And the hash of the generated image is also:
9e107d9d372bb6826bd81d3542a419d6
This means the copy is exact. The image is valid and has not been altered. But if the hashes do not match, something went wrong. The image is not reliable as evidence. ewfacquire calculates these hashes automatically before and after copying the disk to ensure the integrity of the image.
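To make that check concrete, here is an added Python example (not code from the original article or from libewf) that recomputes MD5 and SHA1 over an image in one streaming pass, compares them with the hashes recorded at acquisition time, and shows that changing a single bit breaks the match. The sample bytes are a constructed stand-in for a disk image; their MD5 is the example hash quoted above.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict

# Constructed stand-in for a disk image. Its MD5 is the example hash quoted
# in the article (9e107d9d372bb6826bd81d3542a419d6).
SAMPLE_IMAGE = b"The quick brown fox jumps over the lazy dog"


def hash_stream(stream: BinaryIO, chunk_size: int = 1024 * 1024) -> Dict[str, str]:
    """Compute MD5 and SHA1 in one pass over a file-like object.
    Fixed-size chunks keep memory flat even for multi-terabyte images."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Wrapper for in-memory data; open a real image file in 'rb' mode instead."""
    return hash_stream(io.BytesIO(data))


def verify_image(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Recompute the hashes and compare them with those recorded at acquisition."""
    actual = hash_bytes(data)
    return {
        name: hmac.compare_digest(actual[name], value.lower())
        for name, value in expected.items()
    }


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Return a copy of data with one bit changed (simulates a corrupted copy)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    recorded = hash_bytes(SAMPLE_IMAGE)  # hashes "recorded" at acquisition time
    print("recorded:", recorded)
    print("exact copy verifies:", verify_image(SAMPLE_IMAGE, recorded))
    print("one-bit change verifies:", verify_image(flip_one_bit(SAMPLE_IMAGE), recorded))
```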
Now that the topic of hashes is clear, let's continue with the last step.
You can verify the generated image like this:
sudo ewfverify /home/kali/evidence001.E01
If the result is successful, your image is ready to be used in a forensic analysis.
Once the image is created and verified, you may want to explore its contents without modifying it. To do this, you need to mount the image. Mounting an image means making its contents visible in a system folder, as if you had physically connected the original disk. In other words, the .E01
image behaves like a real disk that you can explore.
This is especially useful in forensic analysis, as it allows you to browse files, copy evidence, and examine structures without altering the original image.
To mount the image, create the mount points, mount the image with ewfmount (which exposes the raw disk as a read-only file named ewf1), then mount that file's filesystem read-only and navigate through it.
sudo mkdir -p /mnt/evidence /mnt/evidence_fs #mount points for the raw image and for its filesystem
sudo ewfmount /home/kali/evidence001.E01 /mnt/evidence #exposes the raw disk as the read-only file /mnt/evidence/ewf1
ls -l /mnt/evidence #ewf1 is a file, not a directory, so it cannot be entered with cd
sudo mount -o ro,loop,noexec /mnt/evidence/ewf1 /mnt/evidence_fs #mount the filesystem read-only; if ewf1 holds a partition table, add offset=<partition start in bytes>
ls /mnt/evidence_fs #browse the files without altering the image
To unmount, reverse the order:
sudo umount /mnt/evidence_fs
sudo umount /mnt/evidence
Remember that it is recommended not to work directly on the original disk. It is also important to document the process (dates, hashes, names) and to use a write blocker if possible.
Creating a forensic image is not complicated, but it requires attention to detail. Doing it in Kali Linux is a plus: it provides powerful, free tools such as ewfacquire to acquire forensic images securely while maintaining the integrity and reliability of digital evidence.