forked from libyal/libewf

Libewf is a library to access the Expert Witness Compression Format (EWF). This fork adds FUSE-T and Dokany support for ewfmount.


WarpedWing/libewf

 
 


libewf is a library to access the Expert Witness Compression Format (EWF).

This is a fork that adds modern filesystem mounting support:

* macOS: FUSE-T support (kext-less FUSE via NFS v4, compatible with
  macOS 10.15+)
* Windows: Dokany 2.x support (user-mode filesystem driver)

Project information:

* Status: experimental
* Licence: LGPLv3+
* Fork maintainer: WarpedWing Labs (https://github.com/WarpedWing)

Read or write supported EWF formats:

* SMART .s01 (EWF-S01)
* EnCase
  * .E01 (EWF-E01)
  * .Ex01 (EWF2-Ex01)

Not supported:

* .Ex01 (EWF2-Ex01) bzip2 compression (work in progress)
* .Ex01 (EWF2-Ex01) encryption

Read-only supported EWF formats:

* Logical Evidence File (LEF)
  * .L01 (EWF-L01)
  * .Lx01 (EWF2-Lx01)

Other features:

* empty-block compression
* read/write access using delta (or shadow) files
* write resume

Work in progress:

* Python bindings (including Python 3 support)
* write EWF2-Ex01 support
* Multi-threading support

Planned:

* write EWF-L01 and EWF2-Lx01 (long-term)

The libewf package contains the following tools:

* ewfacquire; which writes storage media data from devices and files to EWF files.
* ewfacquirestream; which writes data from stdin to EWF files.
* ewfdebug; experimental tool that does nothing at the moment.
* ewfexport; which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
* ewfinfo; which shows the metadata in EWF files.
* ewfmount; which FUSE mounts EWF files.
* ewfrecover; special variant of ewfexport to create a new set of EWF files from a corrupt set.
* ewfverify; which verifies the storage media data in EWF files.

For previous project contributions see:

* libewf on SourceForge: https://sourceforge.net/projects/libewf

For previous stable releases see:

* Downloads: https://github.com/libyal/legacy/tree/master/libewf

For more information see:

* Project documentation: https://github.com/libyal/libewf/wiki/Home
* How to build from source: https://github.com/libyal/libewf/wiki/Building

Building on macOS with FUSE-T
=============================

This fork supports FUSE-T for mounting EWF images on modern macOS systems
(10.15+) without requiring kernel extensions.

Prerequisites:

    brew install --cask fuse-t
    brew install autoconf automake libtool pkg-config

Building:

    ./synclibs.sh
    ./autogen.sh
    PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH ./configure
    make
    sudo make install

The configure script will automatically detect FUSE-T and enable ewfmount
support. You can verify FUSE-T was detected by checking the configure output:

    FUSE support:                             libfuse_t

Usage:

    ewfmount image.E01 /path/to/mountpoint

For more information about FUSE-T, see: https://www.fuse-t.org/
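
Since the status of this fork is experimental, it is worth confirming that the raw image exposed by the mount is byte-identical to the acquired media. The script below is an added example, not part of libewf or this fork: it compares the MD5 stored in the EWF set with the MD5 of the mounted raw file. It assumes that ewfinfo prints the stored hash on a line beginning with "MD5:" and that the mount exposes the image as "ewf1"; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not part of libewf): confirm that the raw image exposed
# by ewfmount matches the MD5 stored in the EWF set.
# Assumption: ewfinfo prints the stored hash on a line starting with "MD5:".

# Read ewfinfo output on stdin and print the stored MD5 in lower case.
stored_md5() {
    awk '$1 == "MD5:" { print tolower($2); exit }'
}

# Print the MD5 of a file using md5sum (Linux) or md5 -q (macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# compare_digest <ewfinfo-output-file> <raw-image-file>
# Returns 0 on match, 1 on mismatch, 2 if no stored MD5 was found.
compare_digest() {
    want=$(stored_md5 < "$1")
    [ -n "$want" ] || { echo "no stored MD5 in $1" >&2; return 2; }
    got=$(file_md5 "$2")
    if [ "$want" = "$got" ]; then
        echo "match: $got"
    else
        echo "MISMATCH: stored=$want mounted=$got" >&2
        return 1
    fi
}

# Typical use after mounting (paths are placeholders):
#   ewfinfo image.E01 > image.ewfinfo.txt
#   ewfmount image.E01 /path/to/mountpoint
#   compare_digest image.ewfinfo.txt /path/to/mountpoint/ewf1
```

A return code of 2 means the set carries no stored MD5, which is a different condition from a mismatch and should be recorded separately in case notes.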

Building on Windows with Dokany
===============================

This fork includes support for Dokany 2.x, enabling ewfmount on Windows.
Dokany is a user-mode file system driver that provides FUSE-like
functionality for Windows.

Prerequisites:

1. Install Visual Studio 2022 or later with "Desktop development with C++"

2. Install Dokany 2.x driver from: https://github.com/dokan-dev/dokany/releases

3. Download Dokany source for SDK headers:
   https://github.com/dokan-dev/dokany
   Extract to a folder alongside libewf (e.g., ..\dokany-master)

4. Build or obtain the Dokany library (dokan2.lib):
   Either build from source or extract from the Dokany installer.
   Place in ..\dokan\x64\Release\dokan2.lib relative to libewf.

Expected folder structure:

    parent-folder/
    ├── libewf/           # This repository
    ├── dokany-master/    # Dokany source (for headers)
    │   ├── dokan/        # Header files
    │   └── sys/          # Additional headers
    ├── dokan/            # Dokany libraries
    │   └── x64/
    │       └── Release/
    │           └── dokan2.lib
    ├── bzip2/            # bzip2 source (downloaded by syncbzip2.ps1)
    └── zlib/             # zlib source (downloaded by synczlib.ps1)

Building:

1. Open PowerShell in the libewf directory and run the sync scripts:

    .\synclibs.ps1
    .\synczlib.ps1
    .\syncbzip2.ps1

2. Generate required header files from templates. Run these PowerShell
   commands (or create them manually from the .h.in files):

    # include/libewf/types.h
    (Get-Content include\libewf\types.h.in) -replace '@PACKAGE@','libewf' | Set-Content include\libewf\types.h

    # include/libewf/features.h
    (Get-Content include\libewf\features.h.in) -replace '@LIBEWF_HAVE_WIDE_CHARACTER_TYPE@','1' -replace '@LIBEWF_HAVE_MULTI_THREAD_SUPPORT@','1' | Set-Content include\libewf\features.h

    # include/libewf/definitions.h
    (Get-Content include\libewf\definitions.h.in) -replace '@VERSION@','20251103' | Set-Content include\libewf\definitions.h

    # common/types.h
    (Get-Content common\types.h.in) -replace '@PACKAGE@','libewf' | Set-Content common\types.h

    # libewf/libewf_definitions.h
    (Get-Content libewf\libewf_definitions.h.in) -replace '@VERSION@','20251103' | Set-Content libewf\libewf_definitions.h

    # libewf/libewf.rc
    (Get-Content libewf\libewf.rc.in) -replace '@VERSION@','20251103' | Set-Content libewf\libewf.rc

3. Open msvscpp/libewf.sln in Visual Studio 2022

4. Select Release | x64 configuration

5. Build the bzip2 project first (right-click -> Build)

6. Build the ewfmount project

7. Copy the bzip2 DLL to the output folder:

    copy msvscpp\bzip2\x64\Release\bzip2.dll msvscpp\ewfmount\x64\Release\LIBBZ2.dll

The ewfmount.exe will be in msvscpp/ewfmount/x64/Release/

Usage:

    ewfmount.exe image.E01 X:

Where X: is an available drive letter. The mounted drive will contain
a raw disk image file (e.g., "ewf1") that can be accessed by forensic
tools or mounted with additional filesystem drivers.

For more information about Dokany, see: https://dokan-dev.github.io/
