Thursday, October 3, 2013

Mounting Encase Images the easy way in Ubuntu13

This post continues from the earlier one (mounting DD images in Ubuntu13 with one click). Now we want to do the same for E01 images. We will use the mount_ewf Python script from the libewf project to accomplish this. Follow the instructions below:

1. Download and install libewf from Ubuntu Software Center.
2. Download mount_ewf-20090113.py from here. Rename it to mount_ewf.py and copy it to the /usr/bin folder. Set 755 permissions on it so it can be read and executed by all users.

This Python script requires a mount point location (folder) to be specified. For every image we want to mount, we will need to create a new mount point and then feed it to this script. We will create temporary mount points under /tmp. Each mount point will be named ewf_NAME.

To mount with 1 click and mimic the default image mount function, 3 things need to be done:
1. Create a mount point.
2. Run mount_ewf.py script to mount the image.
3. Mounted image folder should pop up in Files Explorer.

To automate this to 1 click, launch 'Nautilus-Actions Configuration Tool' and create a new item. Let's call it 'Mount E01 to DD'. In the 'Command' tab, fill in the following details:

Path: /bin/sh
Parameters: -c "mkdir /tmp/ewf_%b";gksudo "mount_ewf.py -o allow_other %f /tmp/ewf_%b";nautilus /tmp/ewf_%b
Working directory: %d

(note: there are no line breaks in parameters, it is all in one line) Don't change anything in the parameters, especially the quotes. I've settled on this command line after many iterations of failed attempts. This one takes care of all spaces in file names (and file paths) and should be fine for everyone.

In the 'Basenames' tab, create 2 filters for filename as '*.E01' and '*.e01' so that the menu item only shows up for files with an E01 extension.

One more setting is required to make this work. In the 'Execution' tab, select 'Display Output' under Execution mode. This won't work otherwise.



That's about it. You should now see a menu like the one shown below when you right-click on an E01 file. Choose 'Mount E01 to DD' to mount it to a virtual DD image. The folder should pop up when the operation completes. Now right-click on the DD image file and select 'Mount DD image' to mount the partitions.


Now for the unmount command. I've created a simple generic 'Unmount all' command that unmounts all E01 files that were previously mounted (using our one-click solution). Since we do not maintain any record or database of mounted files, we simply rely on file names to identify mounted folders under /tmp.

In 'Nautilus-Actions Configuration Tool' create a new item called 'Unmount ALL E01s'. Under 'Action' tab, check the 'Display item in location context menu' checkbox. This enables the option to show up even when there is no file selected and you right-click. In the 'Command' tab, fill in the following details:

Path: gksudo
Parameters: umount /tmp/ewf_*; rmdir /tmp/ewf_*
Working directory: %d

In the 'Execution' tab, select 'Display Output' under Execution mode.

That's it! Do remember to unmount your virtual DD images in File Explorer before trying to unmount the E01.
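
An added example, not part of the original post: a variant of the unmount step that reads the mount table and acts only on /tmp/ewf_* directories that are actually FUSE mounts, so stale or unrelated directories in the world-writable /tmp are left alone. The function names, the `--unmount` switch, the `DRY_RUN` variable and the sample mount-table lines are assumptions made for illustration; it also assumes the mount_ewf.py mounts appear with a filesystem type starting with `fuse`.

```shell
#!/bin/sh
# Added example (not from the original post). Names below are hypothetical.

# Constructed sample of /proc/mounts lines, used only for offline testing.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
mount_ewf.py /tmp/ewf_case01.E01 fuse rw,nosuid,nodev,allow_other 0 0
mount_ewf.py /tmp/ewf_my\040disk.E01 fuse rw,nosuid,nodev,allow_other 0 0
tmpfs /tmp/ewf_decoy tmpfs rw 0 0
/dev/sdb1 /media/evidence ext4 ro 0 0
EOF
}

# Print the mount points under /tmp/ewf_ that are FUSE mounts.
# $1: mount table to read (default: /proc/mounts).
# Fields are: device, mount point, filesystem type, options, ...
list_ewf_mounts() {
    mounts_file=${1:-/proc/mounts}
    # The kernel writes a space inside a mount point as \040; decode it so
    # image names containing spaces are handled. Other escapes are left as-is.
    awk '$2 ~ /^\/tmp\/ewf_/ && $3 ~ /^fuse/ { print $2 }' "$mounts_file" |
        sed 's/\\040/ /g'
}

# Unmount each listed mount point, then remove its now-empty directory.
# With DRY_RUN set, only report what would be done.
unmount_ewf_all() {
    list_ewf_mounts "$1" | while IFS= read -r mp; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'would unmount: %s\n' "$mp"
        else
            # rmdir only runs if umount succeeded, and only removes empty dirs.
            umount "$mp" && rmdir "$mp"
        fi
    done
}

# Act on the live mount table only when explicitly asked (needs root).
if [ "${1:-}" = "--unmount" ]; then
    unmount_ewf_all
fi
```

Saved as a script and run through gksudo with `--unmount`, this can stand in for the Parameters line of the 'Unmount ALL E01s' item; setting `DRY_RUN=1` first shows which mount points it would touch.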

Here is a video showing the entire concept implemented on my machine.



