EWF MetaEditor

We’ve been quietly developing digital forensics tools and forensic software to assist in our analysis for almost 10 years, and until recently, all of that source code has been sitting around and collecting dust.  As time permits, we will be dusting it off, adding some updates, and releasing some of it to the public.

Think of it as our way of saying thank you to everyone who has written articles, published research, or contributed software/code to the forensic community.

These utilities are provided “as-is” and are free for both personal and commercial use. As with any software, including ours, you should always independently validate your findings.  Oh, and if you find any of our utilities useful, feel free to drop by @chadgough or @4Discovery on Twitter and say thanks. Bug reports and feature requests are always welcome!

Edit EWF/E01 MetaData

EnCase’s Evidence Files (.E01) are similar to other documents in that they have structured internal metadata describing the evidence item, examiner, date acquired, etc…

EWF MetaEditor allows you to edit these properties in order to fix typos, rename incorrect/mislabeled evidence items, and add missing information.

Note:  Ex01 (EnCase 7) and Logical Evidence Files (*.L01) are not supported… yet.

Features:

• Remove passwords on EnCase v6 and earlier files
• Find out if compression (and what level) was used
• Change EWF/E01 metadata
• Requirements: Microsoft .NET Framework v4.0
• Free for both personal and commercial use