DRAFT

This page is still a draft. Thank you for your understanding.

Description

Use ewfinfo to determine information about the EWF format (Expert Witness Compression Format).

Usage

ewfinfo [ -A codepage ] [ -d date_format ] [ -f format ] [ -ehimvVx ] ewf_files

where

ewf_files

the first or the entire set of EWF segment files

Options

-A

codepage of header section, options: ascii (default), windows-874, windows-932, windows-936, windows-949, windows-950, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257 or windows-1258

-d

specify the date format, options: ctime (default), dm (day/month), md (month/day), iso8601

-e

only show EWF read error information

-f

specify the output format, options: text (default), dfxml

-h

shows this help

-i

only show EWF acquiry information

-m

only show EWF media information

-v

verbose output to stderr

-V

print version

Example

# ewfinfo image_forensic.e01 
ewfinfo 20140807

Acquiry information
	Case number:		1
	Description:		Just an image
	Examiner name:		Willy The Kid - IT forensic investigator
	Evidence number:	1
	Notes:			Somes notes here
 	Acquisition date:	Sat Jul  2 16:08:57 2016
	System date:		Sat Jul  2 16:08:57 2016
	Operating system used:	Linux
	Software version used:	20140608
	Password:		N/A

EWF information
	File format:		EnCase 6
	Sectors per chunk:	64
	Error granularity:	64
	Compression method:	deflate
	Compression level:	best compression
	Set identifier:		21e99a6f-2345-6f3a-9f8f-52d431d6dd22

Media information
	Media type:		fixed disk
	Is physical:		yes
	Bytes per sector:	512
	Number of sectors:	18420
	Media size:		8.9 MiB (9431040 bytes)

Digest hash information
	MD5:			ba74f9213ff89221cd9b68bc03ff0242