View on GitHub

A Dissect module implementing a parsers for various forensic evidence file containers, currently: AD1, ASDF and EWF.


dissect.evidence is available on PyPI.

$ pip install dissect.evidence

This module is also automatically installed if you install the dissect package.


This package is a library with no CLI tools, so you can only interact with it from Python. For example, to open an EWF container and start reading from it:

from pathlib import Path
from dissect.evidence.ewf import EWF, find_files

e01_file = Path("/path/to/evidence.E01")
all_files = find_files(e01_file)
ewf = EWF([f.open() for f in all_files])


For more details, please refer to the API documentation of dissect.evidence.