Converting a file from RAW to EWF format

Kaspersky Endpoint Security saves the disk image in the RAW format. Files can also be compressed into an archive. A special Python script allows converting files from the RAW format to the EWF format. The script constantly looks for RAW files in the specified folder. If such files are detected, the script automatically converts the files to the EWF format.

convert_to_ewf_monitor.py script

For the script to work, the following software must be installed on the computer:

The libewf library for accessing Expert Witness Compression Format (EWF) files.
The libewf library is open source software.

It is recommended to place the library files and the script file in the same folder.
The Python interpreter.

To enable the conversion of disk image files:

Start the command line interpreter.
Change to the folder where the script is located.

Run the following command:

py convert_to_ewf_monitor.py --source <full path to the source files folder> [additional settings]

EWF conversion script parameters

Parameter	Description
`--source <full path to folder>`	The full path to the folder in which the script looks for source files. The script also looks for files in subfolders at the specified path. This is a mandatory parameter.
`--destination <full path to folder>`	The full path to the folder where the script saves converted files. The folder structure is preserved. By default, the script saves converted files in the folder specified in the `source` parameter.
`--delete`	Delete source files after successful conversion. If the conversion fails, the script skips deleting the source files and you can try again.
`--ewftool <full path to folder>`	The full path to the ewfacquirestream.exe file. The path must include the file name. By default, the script attempts to locate the ewfacquirestream.exe file in the folder where the script is located.
`--name_mask <regular expressions>`	Regular expressions to find source files to convert. You can use this option if you need to convert individual files. By default, the script looks for files using the `^diskdump_` regular expression.
`--convert_single_dump`	Find a single file to convert. After successful conversion of the single file, the script exits.
`--workers_num <number of files>`	The maximum number of source files that the script can convert at the same time. You can use this setting to optimize the performance of the script. By default, the script can convert up to four files at a time.
`--log_level <log level>`	Logging level. By default, the script uses the DEBUG logging level.
`--log_path <full path to folder>`	The full path for saving log files. The path must include the file name of the log file. By default, the script displays events on the interpreter console.

Example:

PS D:\Folder\Script\> py convert_to_ewf_monitor.py --source E:/Folder --destination E:/EWF --delete --log_path E:/Folder/Logs.txt

Page top