ewf-sectors
Retrieves binary data by sector from an EWF (Expert Witness Format) disk image file (.e01, .ex01). Use this command for raw data analysis and file system recovery of disk images.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- offset=LONG: Sector number to start reading from. The specified number of sectors are skipped. (default: 0)
- limit=LONG: Maximum number of sectors to read. When 0, reads to the end of the file. (default: 0)
- pretty={t|f}: Output format. (default: f)
  - t: Returns the data field as a formatted hexadecimal string and adds the ascii field with the ASCII representation.
  - f: Returns the data field as binary data.
Target
- FILE_PATH: Path to the EWF disk image file to query. Supports files with .e01 or .ex01 extensions. You can use a wildcard (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Original EWF file name |
| sector | long | Sector number (starting from 0) |
| data | binary or string | Sector data. Hexadecimal string when pretty=t, otherwise binary |
| ascii | string | ASCII representation of sector data. Output only when pretty=t. |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| invalid-offset-number | - | The offset option value is not a number |
| invalid-limit-number | - | The limit option value is not a number |
Runtime errors
| Error code | Message | Description | Post-processing |
|---|---|---|---|
| - | cannot load ewf image: PATH | Unable to read the EWF image file | Stops query execution |
| - | unsupported file extension: NAME | A file other than .e01 or .ex01 was specified | Stops query execution |
Description
The ewf-sectors command reads an EWF disk image file sequentially and outputs the data of each sector (512 bytes). Use the offset option to specify the starting sector, and the limit option to limit the number of sectors to read. When you specify pretty=t, binary data is converted to a hexadecimal string (line-wrapped every 16 bytes) and an ASCII representation is added. Non-printable ASCII characters (outside 0x20–0x7E) are replaced with a period (.).
Examples
- Retrieve the first sector of an EWF image

  ```
  ewf-sectors limit=1 /opt/logpresso/evidence/disk.e01
  ```

  Retrieves the first sector (MBR area) of the disk image.

- Retrieve sectors in a human-readable format

  ```
  ewf-sectors offset=0 limit=10 pretty=t /opt/logpresso/evidence/disk.e01
  ```

  Retrieves the first 10 sectors in hexadecimal and ASCII format.

- Retrieve sectors from a specific offset

  ```
  ewf-sectors offset=2048 limit=100 /opt/logpresso/evidence/disk.e01
  ```

  Retrieves 100 sectors starting from sector 2048.
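
The following Python code is an added example, not part of the original documentation. It parses the 512-byte binary data value of sector 0 (as returned with pretty=f) as an MBR and derives the offset and limit values for a follow-up ewf-sectors query per partition. The function names and the sample sector are constructed for illustration, and exporting the binary value from the query result is assumed to have been done already.

```python
import struct

SECTOR_SIZE = 512  # sector size stated in the command description

def parse_mbr(sector: bytes):
    """Parse a 512-byte MBR sector and return its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; sector is not an MBR")
    parts = []
    for i in range(4):  # four 16-byte entries starting at byte 446
        entry = sector[446 + 16 * i : 446 + 16 * (i + 1)]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:  # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "offset": lba_start, "limit": count,
                      "gpt_protective": ptype == 0xEE})
    return parts

def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable type 0x07 partition starting at sector 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def ewf_sectors_args(part: dict, image_path: str) -> str:
    """Build the follow-up query covering one partition's sector range."""
    return f"ewf-sectors offset={part['offset']} limit={part['limit']} {image_path}"

if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(ewf_sectors_args(p, "/opt/logpresso/evidence/disk.e01"))
```

An entry flagged gpt_protective (type 0xEE) means the real partition table is in the GPT header, which starts at sector 1, so the MBR ranges should not be used for that image.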