
MacOS – RAW to/from EWF Image Conversion

The old (and free) FTK Imager command line tool is still one of my favourite RAW to/from EWF (E01) conversion tools in MacOS (sort of). Most tutorials point to ewf-tools, which you can actually install on MacOS using Homebrew either via the libewf or the sleuthkit formula. Still, this results in a version of ewfacquire from 2014. While age itself is not a deal breaker, I sometimes have problems with the tool not parsing certain image files.

In this case, I call the good ol’ ftkimager to the rescue, and as I like to keep such tools in separate compartments to avoid collecting often conflicting tools in my base system, I usually go for Docker:

# AccessData FTK Imager v3.1.1 CLI (Aug 24 2012) in Docker
#
# Build the image:
# Download the ftkimager tar.gz file into Dockerfile directory
# (Source: https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1)
# docker build -t ftkimager .
#
# Test and Help:
#  docker run --rm ftkimager
#
# Convert RAW to EWF/E01
#  Input and output files must be in current directory
#  docker run -ti --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" ftkimager inimage.raw outimage --e01 --compress 9
#
FROM ubuntu:focal-20200423
# MAINTAINER is deprecated; LABEL carries the same metadata
LABEL maintainer="@imifos"

RUN mkdir /tools \
 && groupadd -r tools \
 && useradd -d /tools -s /bin/bash -g tools tools

COPY ftkimager.3.1.1_ubuntu64.tar.gz /tools

RUN cd /tools \
 && tar -xf ftkimager.3.1.1_ubuntu64.tar.gz \
 && rm ftkimager.3.1.1_ubuntu64.tar.gz \
 && chown tools:tools /tools/ftkimager

USER tools
WORKDIR /tools
ENTRYPOINT [ "/tools/ftkimager" ]

(Image size 80MB, Project on Github)
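
A converted image is only useful as evidence if the data survives the conversion unchanged. The script below is an added example, not part of the original post or of ftkimager itself: it converts RAW to E01, exports the E01 back to RAW and compares SHA-256 hashes. It assumes the image tag ftkimager from the build step, output that fits in a single segment, and that ftkimager appends .E01 to EWF output and .001 to raw output.

```shell
#!/bin/sh
# Added example: RAW -> E01 -> RAW round trip with a hash comparison.
# Assumptions: image tag "ftkimager" (from the build step above), single-segment
# output, ".E01" appended to EWF output and ".001" appended to raw output.
IMAGE_TAG="${IMAGE_TAG:-ftkimager}"

# SHA-256 of a file, with sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run ftkimager in the container against the current directory.
ftk() {
    docker run --rm -v "$PWD:$PWD" -w "$PWD" "$IMAGE_TAG" "$@"
}

# roundtrip_check RAW OUTBASE
# Returns 0 when the raw data exported from the new E01 hashes identically
# to the source image, 1 on any conversion failure or mismatch.
roundtrip_check() {
    raw=$1
    base=$2
    [ -r "$raw" ] || { echo "cannot read $raw" >&2; return 1; }
    want=$(sha256_of "$raw") || return 1
    ftk "$raw" "$base" --e01 --compress 9 >&2 || return 1
    ftk "$base.E01" "$base.check" >&2 || return 1
    [ -f "$base.check.001" ] || { echo "no raw export found" >&2; return 1; }
    got=$(sha256_of "$base.check.001") || return 1
    rm -f "$base.check.001"
    if [ "$want" = "$got" ]; then
        echo "OK $want"
    else
        echo "MISMATCH source=$want export=$got" >&2
        return 1
    fi
}

# Run only when called with arguments: ./roundtrip.sh inimage.raw outimage
if [ "$#" -eq 2 ]; then
    roundtrip_check "$1" "$2"
fi
```

The temporary raw export needs as much free disk space as the source image; record the printed hash alongside the E01 in your case notes.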
