libyal / libewf-legacy

Legacy version of libewf
GNU Lesser General Public License v3.0
10 stars 5 forks source link

Question: portable ewftools in MacOS (14.5) #25

Closed BrunoFischerGermany closed 6 months ago

BrunoFischerGermany commented 6 months ago

Hello.

I would like to use ewftools under MacOS (e.g. 14.5) - portable may from a USB-Device.

So without brew install libewf.

Is there a way or has someone already built this?

My idea is to convert the resulting .dmg file into a split E01 file after a successful ASR/Rsync command.

Best regards Bruno

joachimmetz commented 6 months ago

@BrunoFischerGermany this project does not provide pre-built binaries, also for DFIR purposes you very likely want to build and test your own binaries.

What do you mean with portable? like a fat-binary? static build?

Have a look at the build instructions https://github.com/libyal/libewf/wiki/Building

BrunoFischerGermany commented 6 months ago

hi @joachimmetz

I would like to run the ewf-tools from a USB stick on a device on which the libewf is not installed.

I use the ASR command and would like to convert the -dmg file (my evidence object) into an E01.

I do not want any dependencies on the target system to be fulfilled.

Is that understandable? Practically, I would like to have the ewf-tools with me and then use the conversion via the command line. The image is still mounted, but not mounted. (/dev/diskX or /dev/rdisk)

joachimmetz commented 6 months ago

I do not want any dependencies on the target system to be fulfilled.

there will always be such dependencies, think architecture, OS version, standard libraries.

joachimmetz commented 6 months ago

I would like to run the ewf-tools from a USB stick on a device on which the libewf is not installed.

yes you can do this, this is likely the closest to what you are trying to accomplish https://github.com/libyal/libewf/wiki/Building#static-executables

But as I hinted in my previous response, I strongly recommend to research and understand the limitations of this approach

BrunoFischerGermany commented 6 months ago

thank you very much for your reply.

unfortunately i am not in a position to do this research :(

I will simply convert the DMG files to E01 files on my own system (e.g. with ewf-tools, XWays, etc.).

thanks for the quick answers.

joachimmetz commented 6 months ago

I will simply convert the DMG files to E01 files on my own system (e.g. with ewf-tools, XWays, etc.).

you can do that with the previously mentioned instructions, but why do you need to have the executable on an USB for this?

unfortunately i am not in a position to do this research :(

problems are not going to solve themselves

BrunoFischerGermany commented 6 months ago

problems are not going to solve themselves

i know, but the time is rar

you can do that with the previously mentioned instructions, but why do you need to have the executable on an USB for this?

I usually have an exFAT formatted disk connected to the target system. I then create my folder structure here Then I switch to the disk on the command line and start my backup. (hdiutil create, asr restore --source / --target /Volumes/Image, and so on). Once this is done, I close the command line and unmount the hard disk. I then read the backup into X-Ways and check whether the file can be read and whether I can see any data. At this point I then convert the dmg. to E01. That is my workflow. Andrea Lazzarotto (https://github.com/Lazza/) has now developed Fuji (https://github.com/Lazza/Fuji), which takes over the manual typing in the command line. I was wondering whether ewfaquire could be integrated at this point. But as I said, so far I have problems understanding this build process.

on the windows side i use the Releases of https://github.com/alpine-sec/ewf-tools

joachimmetz commented 6 months ago

Sigh, let me educate you on downloading random binaries from the internet

i know, but the time is rar

then hire someone to do it for you, if one of the issues mentioned above backfires on you, you might loose much more time dealing with the consequences

joachimmetz commented 6 months ago

I then read the backup into X-Ways and check whether the file can be read and whether I can see any data. At this point I then convert the dmg. to E01.

why do you need an E01 if you have a dmg? dmg supports better compression than E01

BrunoFischerGermany commented 6 months ago

why do you need an E01 if you have a dmg? dmg supports better compression than E01 You are right. Thank you for your explanations