ewf-sections
Parses the internal structure of an EWF (Expert Witness Format) disk image file (.e01, .ex01) and retrieves the list of sections along with the type, offset, and size of each section. Use this command for structural analysis and integrity verification of EWF images.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Target
FILE_PATH: Path to the EWF disk image file to query. Supports files with .e01 or .ex01 extensions. You can use a wildcard (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Original EWF file name |
| type | string | Section type. E01 format: header, header2, volume, table, table2, data, hash, done, etc. EX01 format: device_information, case_data, session, etc. |
| offset | long | Offset of the section within the file (bytes) |
| size | long | Section size (bytes) |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-processing |
|---|---|---|---|
| - | cannot load ewf image: PATH | Unable to read the EWF image file | Stops query execution |
Description
The ewf-sections command sequentially parses the section headers of an EWF disk image file and retrieves the metadata of each section. For E01 format (EWF v1), sections are traversed sequentially from the beginning of the file. For EX01 format (EWF v2), section descriptors are traversed in reverse from the end of the file.
Files that are less than 8 bytes in size or have unknown magic bytes are skipped.
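An added sketch of the E01 traversal described above, not Logpresso's implementation: it assumes the publicly documented EWF v1 layout (13-byte file header, 76-byte section descriptors ending in an Adler-32 checksum), and the function names and sample image are constructed for illustration. It goes beyond the command's output fields by also reporting whether each descriptor checksum verifies.

```python
import struct
import zlib

EVF1_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"   # EWF v1 (E01) segment file signature
FILE_HEADER_SIZE = 13                      # signature + fields marker + segment number
DESCRIPTOR = struct.Struct("<16sQQ40sI")   # type, next offset, size, padding, Adler-32


def list_sections(image: bytes):
    """Walk the E01 section chain; return (type, offset, size, checksum_ok) rows."""
    if len(image) < 8 or image[:8] != EVF1_MAGIC:
        return []                          # too short or unknown magic: skip the file
    rows, offset, seen = [], FILE_HEADER_SIZE, set()
    while offset not in seen and offset + DESCRIPTOR.size <= len(image):
        seen.add(offset)                   # guards against looping next-offset chains
        raw = image[offset:offset + DESCRIPTOR.size]
        stype, next_offset, size, _pad, stored = DESCRIPTOR.unpack(raw)
        ok = zlib.adler32(raw[:72]) == stored   # checksum covers the first 72 bytes
        rows.append((stype.rstrip(b"\x00").decode("ascii", "replace"), offset, size, ok))
        if not ok or next_offset <= offset:
            break                          # corrupt descriptor or end of chain
        offset = next_offset
    return rows


def _descriptor(stype: bytes, next_offset: int, size: int) -> bytes:
    """Build one descriptor for the constructed sample below."""
    body = struct.pack("<16sQQ40s", stype, next_offset, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body))


def build_sample() -> bytes:
    """Constructed three-section image: header (20-byte payload), volume, done."""
    image = EVF1_MAGIC + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"
    image += _descriptor(b"header", 13 + 76 + 20, 76 + 20) + b"H" * 20
    image += _descriptor(b"volume", 109 + 76 + 8, 76 + 8) + b"V" * 8
    image += _descriptor(b"done", 193, 0)  # terminal section points at itself
    return image


if __name__ == "__main__":
    for row in list_sections(build_sample()):
        print(row)
```

A descriptor that fails its checksum stops the walk, because its next-offset field can no longer be trusted.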
Examples
- Retrieve the section list from an EWF image

  ```
  ewf-sections /opt/logpresso/evidence/disk.e01
  ```

  Retrieves the section list from the EWF image file.

- Retrieve the offset and size of data sections

  ```
  ewf-sections /opt/logpresso/evidence/disk.e01 | search type == "data" | fields type, offset, size
  ```

  Retrieves the offsets and sizes of data sections.