libyal / libewf-legacy

Legacy version of libewf
GNU Lesser General Public License v3.0

Question: portable ewftools in MacOS (14.5) #25

Closed BrunoFischerGermany closed 3 months ago

BrunoFischerGermany commented 3 months ago

Hello.

I would like to use ewftools under macOS (e.g. 14.5), portably, maybe from a USB device.

So without `brew install libewf`.

Is there a way or has someone already built this?

My idea is to convert the resulting .dmg file into a split E01 file after a successful ASR/Rsync command.

Best regards Bruno

joachimmetz commented 3 months ago

@BrunoFischerGermany this project does not provide pre-built binaries; also, for DFIR purposes you very likely want to build and test your own binaries.

What do you mean by portable? Like a fat binary? A static build?

Have a look at the build instructions https://github.com/libyal/libewf/wiki/Building

BrunoFischerGermany commented 3 months ago

hi @joachimmetz

I would like to run the ewf-tools from a USB stick on a device on which the libewf is not installed.

I use the ASR command and would like to convert the .dmg file (my evidence object) into an E01.

I do not want any dependencies on the target system to be fulfilled.

Is that understandable? Practically, I would like to have the ewf-tools with me and then use the conversion via the command line. The image is still mounted, but not mounted. (/dev/diskX or /dev/rdisk)

joachimmetz commented 3 months ago

I do not want any dependencies on the target system to be fulfilled.

there will always be such dependencies, think architecture, OS version, standard libraries.

joachimmetz commented 3 months ago

I would like to run the ewf-tools from a USB stick on a device on which the libewf is not installed.

yes you can do this, this is likely the closest to what you are trying to accomplish https://github.com/libyal/libewf/wiki/Building#static-executables

But as I hinted in my previous response, I strongly recommend researching and understanding the limitations of this approach.
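One of the limitations hinted at above is easy to check on the machine the binary is built on: a "static executable" built per the wiki still links against OS-provided libraries, and a build that accidentally picked up Homebrew's libewf will fail on any Mac without it. The script below is an added example (not code from this thread, libewf or its wiki) that parses `otool -L` output and flags every linked library outside `/usr/lib` and `/System/Library`; the two sample outputs are constructed, and the version numbers in them are made up.

```shell
#!/bin/sh
# Added example: check whether a "portable" ewftools binary only links against
# libraries every macOS install ships. Assumes the `otool -L` output format
# (first line: binary name; then one "<path> (compatibility version ...)" line
# per dependency). The sample outputs below are constructed, not captured.

nonsystem_deps() {
    # stdin: `otool -L <binary>` output. Print the path of each dependency that
    # is not OS-provided. This also catches @rpath/ and @loader_path/ entries,
    # and Homebrew's /usr/local/lib or /opt/homebrew/lib, since none of those
    # start with the two system prefixes.
    awk 'NR > 1 && $1 !~ /^\/usr\/lib\// && $1 !~ /^\/System\/Library\// { print $1 }'
}

is_portable() {
    # stdin as above; succeed only when no off-system library is linked.
    [ -z "$(nonsystem_deps)" ]
}

check_binary() {
    # Real check on macOS: list off-system dependencies and fail if any exist.
    bin="$1"
    deps=$(otool -L "$bin" | nonsystem_deps)
    if [ -n "$deps" ]; then
        printf '%s links off-system libraries:\n%s\n' "$bin" "$deps" >&2
        return 1
    fi
    printf '%s: only OS-provided libraries\n' "$bin"
}

# Constructed sample: a build that linked the Homebrew libewf dylib.
DYNAMIC_SAMPLE=$(printf 'ewfacquire:\n\t/usr/local/lib/libewf.3.dylib (compatibility version 4.0.0, current version 4.0.0)\n\t/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.12)\n\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)\n')

# Constructed sample: a build with libewf linked in statically.
STATIC_SAMPLE=$(printf 'ewfacquire:\n\t/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.12)\n\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)\n')

if [ $# -gt 0 ]; then
    check_binary "$1"
fi
```

Run it as `sh check_portable.sh ./ewfacquire` on the build machine. Passing this check still leaves the other dependencies mentioned above (CPU architecture, minimum macOS version of libSystem) in place; `file ./ewfacquire` shows the architectures, and the test run Joachim asks for on a clean machine is what actually proves the binary works there.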

BrunoFischerGermany commented 3 months ago

thank you very much for your reply.

unfortunately i am not in a position to do this research :(

I will simply convert the DMG files to E01 files on my own system (e.g. with ewf-tools, XWays, etc.).

thanks for the quick answers.

joachimmetz commented 3 months ago

I will simply convert the DMG files to E01 files on my own system (e.g. with ewf-tools, XWays, etc.).

you can do that with the previously mentioned instructions, but why do you need to have the executable on a USB for this?

unfortunately i am not in a position to do this research :(

problems are not going to solve themselves

BrunoFischerGermany commented 3 months ago

problems are not going to solve themselves

I know, but time is scarce.

you can do that with the previously mentioned instructions, but why do you need to have the executable on an USB for this?

I usually have an exFAT formatted disk connected to the target system. I then create my folder structure there. Then I switch to the disk on the command line and start my backup (`hdiutil create`, `asr restore --source / --target /Volumes/Image`, and so on). Once this is done, I close the command line and unmount the hard disk.

I then read the backup into X-Ways and check whether the file can be read and whether I can see any data. At this point I then convert the .dmg to E01. That is my workflow.

Andrea Lazzarotto (https://github.com/Lazza/) has now developed Fuji (https://github.com/Lazza/Fuji), which takes over the manual typing in the command line. I was wondering whether ewfacquire could be integrated at this point. But as I said, so far I have problems understanding this build process.

On the Windows side I use the Releases of https://github.com/alpine-sec/ewf-tools
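For the conversion step in the workflow above, here is an added example (not code from this thread, from Fuji or from libewf) of turning an asr-created .dmg into split E01 segments with ewfacquire and checking the result with ewfverify. It assumes: `hdiutil attach -nomount -readonly` prints one line per device with the device node in the first column and the whole-disk node first; the ewfacquire options `-u -t -f -c -S -d -C -E -e -D` and ewfverify's `-d` as listed in the tools' usage text; and that ewfacquire accepts `2GiB` as a segment size. The sample `hdiutil` output used for the parsing functions is constructed.

```shell
#!/bin/sh
# Added example: convert a .dmg evidence image into a split E01 with
# ewfacquire and verify it with ewfverify. Assumptions: hdiutil attach output
# format (device node in column 1, whole disk on line 1); ewfacquire and
# ewfverify option names from their usage text; "2GiB" accepted by -S.

whole_disk_device() {
    # stdin: `hdiutil attach` output. Line 1 is the whole-disk node (for
    # example /dev/disk4); later lines are slices such as /dev/disk4s2. Imaging
    # a slice would drop the partition table, so pick the whole disk.
    awk 'NR == 1 { print $1 }'
}

raw_device() {
    # /dev/diskN -> /dev/rdiskN: the raw (character) device bypasses the
    # buffer cache and is the node to read during acquisition on macOS.
    printf '%s\n' "$1" | sed 's#^/dev/disk#/dev/rdisk#'
}

acquire_dmg() {
    dmg="$1"; target="$2"; case_no="$3"; evidence_no="$4"; examiner="$5"

    # Attach read-only and without mounting: no filesystem driver touches the
    # evidence and nothing on the host can write to it while we read.
    dev=$(hdiutil attach -nomount -readonly "$dmg" | whole_disk_device)
    [ -n "$dev" ] || { printf 'attach failed for %s\n' "$dmg" >&2; return 1; }
    rdev=$(raw_device "$dev")

    # -u unattended (no prompts); -f encase6 (no 2 GiB cap on segment size
    # like the older formats); -S 2GiB split into .E01/.E02/... segments that
    # exFAT and most tools handle; -d sha1 stores SHA-1 next to the MD5.
    ewfacquire -u -t "$target" -f encase6 -c best -S 2GiB -d sha1 \
        -C "$case_no" -E "$evidence_no" -e "$examiner" \
        -D "converted from $dmg" "$rdev"
    status=$?
    hdiutil detach "$dev"
    [ "$status" -eq 0 ] || return "$status"

    # Re-read every segment and compare the stored hashes with recomputed ones
    # before the .dmg is considered redundant.
    ewfverify -d sha1 "$target.E01"
}

# Constructed sample of `hdiutil attach -nomount -readonly` output.
ATTACH_SAMPLE=$(printf '/dev/disk4\tGUID_partition_scheme\n/dev/disk4s1\tEFI\n/dev/disk4s2\tApple_APFS\n')

if [ $# -ge 5 ]; then
    acquire_dmg "$@"
fi
```

Usage: `sh dmg2e01.sh /Volumes/Image/case01/mac.dmg /Volumes/Image/case01/mac 2024-001 E01 "B. Fischer"` produces `mac.E01`, `mac.E02`, ... next to the .dmg. Keep the hash that ewfacquire prints together with the one from your X-Ways verification; if they disagree, the E01 is not a faithful copy of the .dmg and must not replace it.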

joachimmetz commented 3 months ago

Sigh, let me educate you on downloading random binaries from the internet

i know, but the time is rar

then hire someone to do it for you; if one of the issues mentioned above backfires on you, you might lose much more time dealing with the consequences

joachimmetz commented 3 months ago

I then read the backup into X-Ways and check whether the file can be read and whether I can see any data. At this point I then convert the dmg. to E01.

why do you need an E01 if you have a dmg? dmg supports better compression than E01

BrunoFischerGermany commented 3 months ago

why do you need an E01 if you have a dmg? dmg supports better compression than E01

You are right. Thank you for your explanations.