computer forensics, computer forensics expert, mobile phone forensics, expert witness

Inside Out

Mounting EWF’s on windows with freely available tools

Harlan recently posted a small reference to mounting EWF’s on windows machines using freely available utilities. David Loveall has produced a script called which will do the heavy lifting of mounting EWF's via imdisk.

It is not straightforward to get working so I have copied the instructions originally provided by David Loveall and further expanded on them below.

  1. Extract the Windows mount_ewf files into a directory. I used the current file found in the downloads area of libewf. Download from the same place the file and place it in the same directory (I used c:optproxy_ewf).

  2. Download and install the Visual Studio runtime files, if you don't already have them. Don’t bother as they are now included in the mount_ewf windows distribution.

  3. Download and install ImDisk. Be careful about driver loading if you are on Vista and above.

4: Install python for windows. I used python 2.5 (x86) but 2.6 should work as well.

  1. If you are on an x64 system, move imdisk.exe from the c:Windowssystem32 directory into the same directory as the mount_ewf and files. The proxy_ewf script wont be able to run imdisk.exe due to the WOW64 file virtualisation features otherwise.

  2. Run proxy_ewf:

c:\python25\python c:evidencefoo.e01 

If you get a "Version number mismatch" error, it is likely that the _ctypes.pyd file in the mount_ewf distribution is incompatible with the one in your just installed python distribution. I deleted the one in the mount_ewf directory and things worked fine.

At this point, you should see a new drive letter (or letters) appear in windows explorer.