Expand description
Pure Rust reader for Expert Witness Format (E01/EWF) forensic disk images.
Provides a Read + Seek interface over E01 images, supporting:
- EWF v1 format (
.E01files produced by EnCase, FTK Imager, etc.) - EWF v2 format (
.Ex01/.Lx01from EnCase 7+) with auto-detection - L01 logical evidence files
- Multi-segment images (
.E01-.EZZfor v1,.Ex01-.EzZZfor v2) - zlib-compressed chunks with LRU caching
- O(1) seeking via flat chunk index
- Hash verification (
verify()) with MD5 and SHA-1 - Case metadata, stored hashes, and acquisition error parsing
Structs§
- Acquisition
Error - A range of sectors that had read errors during acquisition.
- EwfFile
Header - Parsed EWF v1 file header. Present at offset 0 of every segment file.
- EwfMetadata
- Case and acquisition metadata extracted from EWF header sections.
- EwfReader
- A reader for Expert Witness Format (E01/EWF) forensic disk images.
- EwfVolume
- Image geometry extracted from the EWF volume section.
- Section
Descriptor - Parsed EWF v1 section descriptor. Forms a linked list within each segment.
- Stored
Hashes - Integrity hashes stored within the EWF image by the acquisition tool.
- Table
Entry - A single table entry: 4-byte bitfield where bit 31 = compressed, bits 0-30 = offset.
- Verify
Result - Result of verifying the EWF image integrity by recomputing media hashes.
Enums§
Constants§
- EVF_
SIGNATURE - EWF v1 magic signature:
"EVF\x09\x0d\x0a\xff\x00"(8 bytes).
Functions§
- parse_
error2_ data - Parse EWF
error2section data into acquisition error entries.