From aldeid
Jump to navigation Jump to search
You are here:


Use ewfexport to export data from the EWF format (Expert Witness Compression Format) to raw data or another EWF format.


ewfexport [ -A codepage ] [ -b number_of_sectors ]
          [ -B number_of_bytes ] [ -c compression_values ]
          [ -d digest_type ] [ -f format ] [ -l log_filename ]
          [ -o offset ] [ -p process_buffer_size ]
          [ -S segment_file_size ] [ -t target ] [ -hqsuvVwx ] ewf_files


the first or the entire set of EWF segment files


codepage of header section, options: ascii (default), windows-874, windows-932, windows-936, windows-949, windows-950, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257 or windows-1258
specify the number of sectors to read at once (per chunk), options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or 32768 (not used for raw and files formats)
specify the number of bytes to export (default is all bytes)
specify the compression values as: level or method:level compression method options: deflate (default), bzip2 (bzip2 is only supported by EWF2 formats) compression level options: none (default), empty-block, fast or best
calculate additional digest (hash) types besides md5, options: sha1, sha256 (not used for raw and files format)
specify the output format to write to, options: raw (default), files (restricted to logical volume files), ewf, smart, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx
shows this help
logs export errors and the digest (hash) to the log_filename
specify the offset to start the export (default is 0)
specify the process buffer size (default is the chunk size)
quiet shows minimal status information
swap byte pairs of the media data (from AB to BA)
(use this for big to little endian conversion and vice versa)
specify the segment file size in bytes (default is 1.4 GiB)
(minimum is 1.0 MiB, maximum is 7.9 EiB for raw, encase6 and encase7 format and 1.9 GiB for other formats)
(not used for files format)
specify the target file to export to, use - for stdout
(default is export) stdout is only supported for the raw format
unattended mode (disables user interaction)
verbose output to stderr
print version
zero sectors on checksum error (mimic EnCase like behavior)
use the chunk data instead of the buffered read and write functions.


# ewfexport image_forensic.e01 
ewfexport 20140807

Information for export required, please provide the necessary input
Export to format (raw, files, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx) [raw]: raw
Target path and filename without extension or - for stdout: image_forensic
Evidence segment file size in bytes (0 is unlimited) (0 B <= value <= 7.9 EiB) [0 B]: 
Start export at offset (0 <= value <= 9431040) [0]: 
Number of bytes to export (0 <= value <= 9431040) [9431040]: 

Export started at: Mar 14, 2020 15:53:13
This could take a while.

Export completed at: Mar 14, 2020 15:53:13

Written: 8.9 MiB (9431040 bytes) in 0 second(s).
MD5 hash calculated over data:		ba74f9213fc89221ed9b68cd03ff0242
ewfexport: SUCCESS