Linux Forensics Tools Repository: Package Summary for Packages on May 11, 2015:

  • libewf-{,devel,tools}-20100226-1.{fc21}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc21}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. This package contains the Version 1 API for the libewf tools and is needed to build the libewf-20140608 package.
  • libewf-{,devel,python}-20140608-1.{fc21}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc21}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.

    Note: Version 20140608 is the latest production of libewf but there is a later version (20141129), an experimental version, in the repository. We have received a report that version 20141129 has a bug and cannot handle split E01 files correctly. The report noted this error in the plaso timeline tool. The bug report is here.

    If you wish to install the 20140608 version of libewf, do the following, all as root
    rpm -ev $(rpm -qa | grep 'ewf.*20150105*') --nodeps
    yum -y install {ewftools,libewf-python,libewf}-20140608-2
    Then edit /etc/yum.repos.d/cert-forensics-tools.repo so that the beginning of the file looks like the following:
    [forensics]
    name=CERT Forensics Tools Repository
    baseurl=http://www.cert.org/forensics/repository/fedora/cert/$releasever/$basearch
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-cert-forensics-2016-02-22
    gpgcheck=1
    proxy=_none_
    deltarpm=0
    exclude=ewftools* libewf*
    This will install the last stable version of libewf which fixes the split E01 bug.

    Note that when a new version of libewf becomes available, you will need to removed these chnages to /etc/yum.repos.d/cert-forensics-tools.repo. Watch this page for that announcement.