Monday, September 15, 2008

LinEn & ewfacquire to produce EnCase images

Among AIR, GRAB, ADEPTO and several other dd tools, there are two Linux forensic tools that can image and produce E01 (EnCase) images: LinEn from EnCase, and ewfacquire, which is part of the libewf package. libewf does not yet support the Logical Volume format (EWF-L01). LinEn can be downloaded here. It is easy to run: make it executable by changing the file's permissions, then type ./linen. ewfacquire is claimed to be faster than LinEn; however, I haven't noticed any significant differences.

tableau-parm 0.1.0 is another useful Linux tool for getting drive information from Tableau forensic write blockers; it is similar to the Windows-only Tableau Disk Monitor.
