Mounting EWF images on Windows with freely available tools

Harlan recently posted a small reference to mounting EWF images on Windows machines using freely available utilities. David Loveall has produced a script called proxy_ewf.py which does the heavy lifting of mounting EWF images via ImDisk.

It is not straightforward to get working so I have copied the instructions originally provided by David Loveall and further expanded on them below.

1. Extract the Windows mount_ewf files into a directory. I used the current mount_ewf_windows-20091123.zip file found in the downloads area of libewf. Download the proxy_ewf.py file from the same place and put it in the same directory (I used c:\opt\proxy_ewf\).

2. Download and install the Visual Studio runtime files, if you don’t already have them. (Don’t bother with this step now, as they are included in the mount_ewf Windows distribution.)

3. Download and install ImDisk. Be careful about driver loading if you are on Vista and above.

4. Install Python for Windows. I used Python 2.5 (x86) but 2.6 should work as well.

5. If you are on an x64 system, move imdisk.exe from the c:\Windows\system32 directory into the same directory as the mount_ewf and proxy_ewf.py files. Otherwise the proxy_ewf script won’t be able to run imdisk.exe, because of WOW64 file system redirection.

6. Run proxy_ewf:

c:\python25\python c:\opt\proxy_ewf\proxy_ewf-20091123.py c:\evidence\foo.e01

If you get a "Version number mismatch" error, it is likely that the _ctypes.pyd file in the mount_ewf distribution is incompatible with the one in your just-installed Python distribution. I deleted the one in the mount_ewf directory and things worked fine.

At this point, you should see a new drive letter (or letters) appear in Windows Explorer.
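
A pre-flight check for the pitfalls in the steps above, as an added example that is not part of proxy_ewf or libewf. It is written for a current Python 3 interpreter (separate from the Python 2.5 install that runs proxy_ewf). The function names, the is_x64 parameter and the demo directory contents are assumptions made for illustration.

```python
import os
import struct
import tempfile

# EWF (E01) segment files start with this 8-byte signature, followed by a
# 1-byte start-of-fields marker and a 2-byte little-endian segment number.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

def ewf_segment_number(path):
    """Return the segment number from the file header, or None if not EWF."""
    with open(path, "rb") as fh:
        header = fh.read(13)
    if len(header) < 13 or header[:8] != EWF_SIGNATURE:
        return None
    return struct.unpack_from("<H", header, 9)[0]

def preflight(tool_dir, image_path, is_x64):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    names = {n.lower() for n in os.listdir(tool_dir)}
    if not any(n.startswith("proxy_ewf") and n.endswith(".py") for n in names):
        findings.append("proxy_ewf script not found in tool directory")
    if is_x64 and "imdisk.exe" not in names:
        findings.append("x64 host: imdisk.exe is not beside proxy_ewf (step 5)")
    if "_ctypes.pyd" in names:
        findings.append("bundled _ctypes.pyd present: remove it if you see "
                        "'Version number mismatch'")
    segment = ewf_segment_number(image_path) if os.path.isfile(image_path) else None
    if segment is None:
        findings.append("image is missing or has no EWF signature")
    elif segment != 1:
        findings.append("image is segment %d, not the first segment" % segment)
    return findings

def demo():
    """Run the checks against a constructed tool directory and image header."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("proxy_ewf-20091123.py", "_ctypes.pyd"):
            open(os.path.join(tmp, name), "wb").close()
        image = os.path.join(tmp, "foo.e01")
        with open(image, "wb") as fh:  # constructed header only, no real data
            fh.write(EWF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00")
        return preflight(tmp, image, is_x64=True)

if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```

Checking the signature before mounting catches a renamed or truncated file early, before ImDisk is asked to attach anything.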
