ewf-metadata
Retrieves metadata such as acquisition information, device information, and system information from EWF (Expert Witness Format) disk image files (.e01, .ex01). Use this command to verify the origin and integrity of digital forensic images.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Target
FILE_PATH: Path to the EWF disk image file to query. Supports files with .e01 or .ex01 extensions. You can use a wildcard (*) to specify multiple files.
Output fields
Output fields differ between E01 (EWF v1) and EX01 (EWF v2) formats.
E01 common fields:
| Field | Type | Description |
|---|---|---|
| _file | string | Original EWF file name |
| section_type | string | Section type. One of header or header2 in E01 format |
| serial_number | string | Disk serial number |
| media_model | string | Media model name |
| pid | string | Acquisition tool identifier |
| platform | string | Acquisition platform information |
| version | string | EWF format version |
| system_time | timestamp | Acquisition system time |
| acquisition_time | timestamp | Image acquisition time |
| case_number | string | Case number |
| evidence_number | string | Evidence number |
| unique_description | string | Unique description |
| examiner | string | Examiner name |
| notes | string | Notes |
| password_hash | string | Password hash |
| compression_level | string | Compression level |
| extents | string | Partition extent information |
Additional EX01 fields:
| Field | Type | Description |
|---|---|---|
| media_type | string | Media type (fixed, removable, etc.) |
| media_label | string | Media label |
| bytes_per_sector | long | Bytes per sector |
| sector_count | long | Total number of sectors |
| is_physical | boolean | Whether the image is a physical disk image |
| ram_sectors | long | Number of RAM sectors |
| hpa_protected_sectors | long | Number of HPA-protected sectors |
| dco_protected_sectors | long | Number of DCO-protected sectors |
| smart_sectors | long | Number of SMART sectors |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-processing |
|---|---|---|---|
| - | cannot load ewf image: PATH | Unable to read the EWF image file | Stops query execution |
Description
The ewf-metadata command parses the header section of an EWF format disk image file and retrieves acquisition metadata. For E01 format (EWF v1), metadata is extracted from the header section; for EX01 format (EWF v2), it is extracted from the device information section.
If device_info appears in the section_type field, the image is in EX01 format.
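The E01 header parsing described above can be sketched as follows. This is an added example, not Logpresso's implementation: it assumes the publicly documented EWF v1 layout (13-byte file header, 76-byte section descriptors with an Adler-32 checksum, zlib-compressed header text), the identifier-to-field mapping in `FIELDS` is an assumption, and the sample image is constructed inline.

```python
import struct
import zlib

EVF_SIG = b"EVF\x09\x0d\x0a\xff\x00"  # EWF v1 segment file signature
# Header identifier -> output field name used on this page (mapping assumed).
FIELDS = {"c": "case_number", "n": "evidence_number", "a": "unique_description",
          "e": "examiner", "t": "notes", "av": "version", "ov": "platform",
          "m": "acquisition_time", "u": "system_time", "p": "password_hash",
          "r": "compression_level"}

def parse_header_text(text):
    # Lines: category count, "main", tab-separated identifiers, tab-separated values.
    lines = text.replace("\r\n", "\n").split("\n")
    keys, values = lines[2].split("\t"), lines[3].split("\t")
    return {FIELDS.get(k, k): v for k, v in zip(keys, values)}

def read_header_sections(data):
    if data[:8] != EVF_SIG:
        raise ValueError("not an EWF v1 (E01) segment file")
    rows, offset = [], 13  # sections start after the 13-byte file header
    while offset + 76 <= len(data):
        desc = data[offset:offset + 76]
        stype = desc[:16].rstrip(b"\x00").decode("ascii")
        next_off, size = struct.unpack_from("<QQ", desc, 16)
        if zlib.adler32(desc[:72]) != struct.unpack_from("<I", desc, 72)[0]:
            raise ValueError(f"section descriptor checksum mismatch at {offset}")
        if stype in ("header", "header2"):
            raw = zlib.decompress(data[offset + 76:offset + size])
            enc = "utf-16" if stype == "header2" else "ascii"
            rows.append({"section_type": stype, **parse_header_text(raw.decode(enc))})
        if next_off <= offset:  # the final section points back at itself
            break
        offset = next_off
    return rows

def _section(stype, payload, offset, last=False):  # descriptor + payload
    size = 76 + len(payload)
    desc = stype.encode().ljust(16, b"\x00")
    desc += struct.pack("<QQ", offset if last else offset + size, size) + bytes(40)
    return desc + struct.pack("<I", zlib.adler32(desc)) + payload

def build_sample():
    # Constructed header text; every value below is made up for the example.
    text = ("1\r\nmain\r\nc\tn\ta\te\tt\tav\tov\tm\tu\tp\tr\r\n"
            "CASE-001\tEV-01\tlaptop disk\tJ. Doe\tconstructed\t6.19\tWindows\t"
            "2024 1 15 9 30 0\t2024 1 15 9 30 5\t0\tf\r\n\r\n")
    image = EVF_SIG + b"\x01\x01\x00\x00\x00"  # segment number 1
    image += _section("header", zlib.compress(text.encode("ascii")), len(image))
    return image + _section("done", b"", len(image), last=True)
```

Calling `read_header_sections(build_sample())` returns one row with `section_type` set to `header`; a modified descriptor byte raises `ValueError` before any metadata is returned.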
Examples
- Retrieve EWF image metadata

      ewf-metadata /opt/logpresso/evidence/disk.e01

  Retrieves acquisition metadata from the specified EWF image file.

- Retrieve metadata from multiple EWF images using a wildcard

      ewf-metadata /opt/logpresso/evidence/*.e01

  Retrieves metadata from all E01 image files in the directory.