This is a pre-production deployment of Warehouse, however changes made here WILL affect the production instance of PyPI.
Help us improve Python packaging - Donate today!
Project Description

LaZy_NT is a forensic analysis and data recovery framework designed to carve files from raw disk images. It uses file signatures and other techniques to recover as much of the original data as possible.

The feature that sets this software apart from more well-known file carving utilties is that it was designed to detect and carve files that have been compressed by the NTFS file system. NTFS supports compression of individual files, folders or entire volumes using the proprietary ‘LZNT1’ algorithm, from which this package derives its name. While processing a disk image, if NTFS compression is detected, LaZy_NT will decompress the data stream on the fly to ensure that the correct file data is recovered.

In addition to standard file carving, LaZy_NT provides a rudimentary bulk ASCII extraction capability to support forensic investigation. When enabled, this mode will decompress and extract all ASCII text data and evaluate it to identify email addresses, URLs, and other personal or forensically interesting information.

LaZy_NT operates normally on files and volumes which have not been compressed, and on images of non-NTFS file systems. However under those circumstances the recovery performance may not be as good as a combination of more well known file carving and bulk extraction utilities.


The simplest way to invoke the pre-made application is to call the run() method of the App class within the app module. The following example demonstrates how this canbe implemented as a simple launcher script:

from LaZy_NT import app
# Obtain command line arguments, e.g. via argparse, to pass to App() as
# keyword arguments. Otherwise defaults from `config` will be used.
application = app.App()

Alternatively, the API exposed by LaZy_NT can be used to build a more customized file recovery application, without using the app module at all.


LaZy_NT is available on PyPI and installable via pip:

python -m pip install LaZy_NT

The following optional dependencies enhance LaZy_NT by adding metadata extraction for files after they’ve been carved:

hachoir-core, hachoir-parser, hacoir-metadata
Pillow (or PIL)

All optional dependencies will be installed automatically if LaZy_NT is installed through pip.


Documentation for LaZy_NT was generated using pdoc.


I would like to recognize Richard Russon and Yuval Fledel, authors of the ‘NTFS Documentation’ manual associated with the Linux NTFS filesystem driver. Without their detailed explanation of the LZNT1 algorithm, this project would not have been possible.

I would also like to recognize Simson L. Garfinkel, designer of the well known ‘Bulk Extractor’ utility. While I have not viewed or used any of his source code or documentation in this project, the use of his utility was what inspired me to add ASCII extraction capabilities to this project.

Release History

Release History


This version

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date (125.7 kB) Copy SHA256 Checksum SHA256 Source Jul 27, 2014

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting