Mount your E01 file:
ewfmount image.E01 /mnt/ewf_mount
Use wisp from TZ Works: https://tzworks.net/prototype_page.php?proto_id=21
wisp -image /mnt/ewf_mount/ewf1 -slack -nodups -bodyfile > wisp-body
mactime -d -b wisp-body -z “UTC” > wisp-timeline.csv
Open it up in Excel and look around for how and when files were created in directories.