ewf
Pure Rust reader for Expert Witness Format (E01/EWF) forensic disk images. Zero GPL dependencies.
Quick start
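```rust
use std::io::{Read, Seek, SeekFrom};
use ewf::EwfReader;

let mut reader = EwfReader::open("disk.E01")?; // placeholder path

// Read the first sector
let mut mbr = [0u8; 512];
reader.read_exact(&mut mbr)?;

// Seek anywhere — O(1) via flat chunk index
reader.seek(SeekFrom::Start(1_048_576))?; // example offset
```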
EwfReader implements Read + Seek, so it plugs directly into crates like ntfs, fatfs, or anything expecting a seekable stream.
Install
```toml
[dependencies]
ewf = "0.1"
```
Features
- E01 v1 format — reads images from EnCase, FTK Imager, Guymager, ewfacquire, etc.
- Multi-segment — auto-discovers `.E01` → `.E02` → ... → `.E99` → `.EAA` → `.EZZ`
- zlib decompression with LRU caching (configurable, default 100 chunks ≈ 3.2 MB)
- O(1) seeking — flat chunk table indexed by `offset / chunk_size`
- table + table2 resilience — handles both section types, deduplicates correctly
- MIT licensed — no GPL, safe for proprietary DFIR tooling
Usage
Open with auto-discovery
```rust
// Finds all .E01/.E02/... segments automatically
let mut reader = ewf::EwfReader::open("disk.E01")?; // placeholder path
println!;
```
Tune cache for large images
```rust
// 1000 chunks ≈ 32 MB cache — useful for sequential scans
let mut reader = ewf::EwfReader::open_with_cache_size("disk.E01", 1000)?; // placeholder path
```
Explicit segment paths
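```rust
use std::path::PathBuf;

// Placeholder segment paths, listed in order
let segments = vec![PathBuf::from("disk.E01"), PathBuf::from("disk.E02")];
let mut reader = ewf::EwfReader::open_segments(&segments)?;
```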
With the ntfs crate
```rust
use ewf::EwfReader;
use ntfs::Ntfs;

let mut reader = EwfReader::open("disk.E01")?; // placeholder path
// Seek to NTFS partition offset, then:
let ntfs = Ntfs::new(&mut reader)?;
```
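The NTFS usage above depends on knowing the partition's byte offset. One way to find it on an MBR-partitioned image, using only the `Read + Seek` interface, is sketched below. This is an added example, not code from the ewf crate: the helper names and the in-memory sample image are constructed, and it assumes 512-byte sectors and a classic MBR rather than GPT.

```rust
use std::io::{self, Cursor, Read, Seek, SeekFrom};

const SECTOR: u64 = 512; // assumption: 512-byte logical sectors

/// (type byte, byte offset) of each non-empty primary partition in a classic MBR.
pub fn mbr_partitions<R: Read + Seek>(img: &mut R) -> io::Result<Vec<(u8, u64)>> {
    let mut mbr = [0u8; 512];
    img.seek(SeekFrom::Start(0))?;
    img.read_exact(&mut mbr)?;
    if mbr[510..512] != [0x55, 0xAA] {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "no 0x55AA boot signature"));
    }
    // Four 16-byte entries at offset 446: type byte at +4, start LBA (u32 LE) at +8.
    Ok(mbr[446..510]
        .chunks_exact(16)
        .filter(|e| e[4] != 0)
        .map(|e| (e[4], u32::from_le_bytes([e[8], e[9], e[10], e[11]]) as u64 * SECTOR))
        .collect())
}

/// Leaves `img` positioned at the first partition whose boot sector carries the
/// "NTFS    " OEM ID and returns its byte offset; `None` if no partition matches.
pub fn seek_to_ntfs<R: Read + Seek>(img: &mut R) -> io::Result<Option<u64>> {
    for (kind, start) in mbr_partitions(img)? {
        if kind != 0x07 { continue; } // 0x07 is shared by NTFS and exFAT, so check the OEM ID
        let mut boot = [0u8; 11];
        img.seek(SeekFrom::Start(start))?;
        if img.read_exact(&mut boot).is_ok() && &boot[3..11] == b"NTFS    " {
            img.seek(SeekFrom::Start(start))?;
            return Ok(Some(start));
        }
    }
    Ok(None)
}

/// Constructed sample image: one type-0x07 partition starting at LBA 2048.
pub fn sample_image() -> Cursor<Vec<u8>> {
    let mut d = vec![0u8; 2049 * 512];
    d[446 + 4] = 0x07;
    d[446 + 8..446 + 12].copy_from_slice(&2048u32.to_le_bytes());
    d[510..512].copy_from_slice(&[0x55, 0xAA]);
    d[2048 * 512 + 3..2048 * 512 + 11].copy_from_slice(b"NTFS    ");
    Cursor::new(d)
}

fn main() -> io::Result<()> {
    let mut img = sample_image(); // stand-in for an opened E01 reader
    println!("NTFS partition at byte offset {:?}", seek_to_ntfs(&mut img)?);
    Ok(())
}
```

Both helpers are generic over `Read + Seek`, so the `Cursor` in `main` can be swapped for the reader returned by the crate's `open` call.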
Format support
| Format | Status |
|---|---|
| E01 (EWF v1) | Supported |
| E01 multi-segment | Supported |
| Ex01 (EWF v2) | Not yet |
| L01/Lx01 (logical) | Not yet |
| S01 (SMART) | Not yet |
Validation
Full-media MD5 comparison against libewf and The Sleuth Kit confirms bit-identical output across 6 public forensic images (303+ GiB of media). Test images sourced from Digital Corpora and The Evidence Locker (Kevin Pagano). Three small images are committed as test fixtures and run in CI. See docs/VALIDATION.md for results, image sources, and reproduction steps.
Acknowledgments
Architecture informed by Velocidex/go-ewf (Apache-2.0).
License
MIT