MacOS – RAW to/from EWF Image Conversion

The old (and free) FTK Imager command line tool is still one of my favourite RAW to/from EWF (E01) conversion tools on MacOS (sort of). Most tutorials point to ewf-tools, which you can actually install on MacOS using Homebrew via either the libewf or the sleuthkit formula. Still, this results in a version of ewfacquire from 2014. While age itself is not a deal breaker, I sometimes have problems with the tool not parsing certain image files.

In this case, I call the good ol’ ftkimager to the rescue, and as I like to keep such tools in separate compartments to avoid collecting often-conflicting tools in my base system, I usually go for Docker:

# AccessData FTK Imager v3.1.1 CLI (Aug 24 2012) in Docker
# Build the image:
# Download the ftkimager tar.gz file into Dockerfile directory
# (Source:
# docker build -t ftkimager .
# Test and Help:
#  docker run --rm ftkimager --help
# Convert RAW to EWF/E01
#  Input and output files must be in current directory
#  (the image name is the tag given to "docker build -t" above)
#  docker run -ti --rm -v `pwd`:`pwd` -w `pwd` ftkimager inimage.raw outimage --e01 --compress 9
FROM ubuntu:focal-20200423

RUN mkdir /tools \
 && groupadd -r tools \
 && useradd -d /tools -s /bin/bash -g tools tools

COPY ftkimager.3.1.1_ubuntu64.tar.gz /tools

RUN cd /tools \
 && tar -xf ftkimager.3.1.1_ubuntu64.tar.gz \
 && rm ftkimager.3.1.1_ubuntu64.tar.gz \
 && chown tools:tools /tools/ftkimager

USER tools
WORKDIR /tools
ENTRYPOINT [ "/tools/ftkimager" ]

(Image size 80 MB, project on GitHub)
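The conversion command from the Dockerfile comments can be wrapped so that its "files must be in the current directory" constraint is enforced and the source hash is recorded before conversion. This is an added example, not part of the original project: the function name `raw2e01`, the `DRY_RUN` variable and the `.sha256` sidecar file are made up here, the image is assumed to be tagged `ftkimager`, and the output is assumed to be written as `<name>.E01`.

```shell
#!/bin/sh
# Added example (not from the original project): guarded RAW -> E01 conversion.
# Assumptions: image tagged "ftkimager"; ftkimager writes <outname>.E01.
# raw2e01 and DRY_RUN are hypothetical names used only in this example.

raw2e01() {
    src=$1
    dst=$2
    [ -n "$src" ] && [ -n "$dst" ] || { echo "usage: raw2e01 in.raw outname" >&2; return 2; }

    # The container only sees the current directory (-v pwd:pwd -w pwd), so
    # reject paths elsewhere, and names that ftkimager would read as options.
    for f in "$src" "$dst"; do
        case $f in
            */*|-*) echo "error: '$f' must be a plain file name in the current directory" >&2
                    return 3 ;;
        esac
    done
    [ -f "$src" ] || { echo "error: $src not found" >&2; return 4; }

    # Never overwrite an existing evidence file.
    [ ! -e "$dst.E01" ] || { echo "error: $dst.E01 already exists" >&2; return 5; }

    # Record the source hash first so the converted image can be checked later.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$src" > "$src.sha256"
    else
        shasum -a 256 "$src" > "$src.sha256"   # stock macOS has shasum
    fi

    # Same command as in the Dockerfile comments, with quoted paths.
    set -- docker run -ti --rm -v "$PWD:$PWD" -w "$PWD" ftkimager \
        "$src" "$dst" --e01 --compress 9
    if [ -n "$DRY_RUN" ]; then
        echo "$*"          # show the command instead of running it
    else
        "$@"
    fi
}
```

Run `DRY_RUN=1 raw2e01 inimage.raw outimage` first to see the exact command before it touches the evidence.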

