An efficient tool for extracting files, directories, and alternate data streams directly from NTFS image files.

Project description

ntfsdump

Usage

ntfsdump can be executed from the command line or incorporated into a Python script.

$ ntfsdump {{query}} --output-path {{output_dir}} /path/to/imagefile.raw

from ntfsdump import ntfsdump

# imagefile_path: str
# output_path: str
# target_queries: List[str]
# volume_num: Optional[int] = None
# file_type: Literal['raw', 'e01', 'vhd', 'vhdx', 'vmdk'] = 'raw'

ntfsdump(
    imagefile_path='./path/to/your/imagefile.raw',
    output_path='./path/to/output/directory',
    target_queries=['/Windows/System32/winevt/Logs'],
    volume_num=2,
    file_type='raw'
)

Query

This tool allows you to search for and extract file, directory, and ADS paths using regular expression queries.
Paths are separated by forward slashes (Unix/Linux-style) rather than backslashes (Windows-style).

e.g.

Original Path: C:\$MFT
Query: /$MFT

Original Path: C:\$Extend\$UsnJrnl\$J
Query: /$Extend/$UsnJrnl/$J

Original Path: C:\Windows\System32\winevt\Logs
Query: /Windows/System32/winevt/Logs

Queries will be expanded in the future.
If you have any questions, please feel free to submit an issue.
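Putting the Usage and Query sections together, here is an added example (not ntfsdump's own code) that converts Windows-style artifact paths into the forward-slash queries the tool expects, runs the extraction through the Python API shown above, and records a SHA-256 manifest of what was dumped so the extracted artifacts can be verified later. The helper names, the image path and the output directory are assumptions; the sample paths are the three from the Query section.

```python
"""Added example, not part of ntfsdump: turn Windows evidence paths into
ntfsdump queries, run the dump via the Python API, and hash the output."""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample input: the three artifacts shown in the Query section.
WINDOWS_PATHS = [
    r"C:\$MFT",
    r"C:\$Extend\$UsnJrnl\$J",
    r"C:\Windows\System32\winevt\Logs",
]


def windows_path_to_query(win_path: str) -> str:
    """Map C:\\Windows\\System32 to the /Windows/System32 form ntfsdump
    expects: drop the drive letter, use forward slashes, no trailing slash."""
    path = re.sub(r"^[A-Za-z]:", "", win_path)  # strip drive letter
    path = path.replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)           # collapse doubled slashes
    if not path.startswith("/"):
        path = "/" + path
    return path if len(path) == 1 else path.rstrip("/")


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by POSIX relative path, so
    the dumped artifacts can be verified before further handling."""
    digests: Dict[str, str] = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def dump_and_hash(image: str, output_dir: str, win_paths: List[str],
                  file_type: str = "raw",
                  volume_num: Optional[int] = None) -> Dict[str, str]:
    """Extract win_paths from an NTFS image with ntfsdump's Python API and
    return a hash manifest of everything it wrote under output_dir."""
    from ntfsdump import ntfsdump  # lazy import: helpers above need no image
    ntfsdump(imagefile_path=image, output_path=output_dir,
             target_queries=[windows_path_to_query(p) for p in win_paths],
             volume_num=volume_num, file_type=file_type)
    return hash_tree(output_dir)
```

Call `dump_and_hash("./image.raw", "./dump", WINDOWS_PATHS, volume_num=2)` against a real image to get the manifest; the path conversion and hashing helpers work without one.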

Example

The target path can either be standalone or within a directory.
In the case of a directory, it recursively dumps the files within it.

$ ntfsdump /Windows/System32/winevt/Logs -o ./dump ./path/to/your/imagefile.raw

Extracting from an E01 image (split E01 images are also supported):

$ ls
imagefile.E01
imagefile.E02
imagefile.E03
imagefile.E04
imagefile.E05

$ ntfsdump /Windows/System32/winevt/Logs --type=e01 -o ./dump ./path/to/your/imagefile.E01

When used with ntfsfind

https://github.com/sumeshi/ntfsfind

$ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw | ntfsdump ./path/to/your/imagefile.raw

Options

--help, -h:
    Display the help message and exit.

--version, -v:
    Display the program's version number and exit.

--quiet, -q:
    Flag to suppress standard output.

--nolog:
    Flag to prevent any logs from being output.

--volume-num, -n:
    NTFS volume number (default: autodetect).

--type, -t:
    Image file format (default: raw, i.e. dd format).
    Supported formats are (raw|e01|vhd|vhdx|vmdk).

--output-path, -o:
    Output directory or file path.

    If the target path is a directory, the directory specified by --output-path is created, and the target files are dumped under it.

    Otherwise, the file is dumped with the filename specified in --output-path.

Execution Environment

You can run ntfsdump in the following environments:

Windows: Precompiled binaries for Windows are available in the GitHub releases section.

Ubuntu: Precompiled binaries for Linux are also available in the GitHub releases section.

Python: If you prefer to run ntfsdump using Python, it is compatible with Python 3.11 and later versions, including 3.12 and above.

Make sure to choose the installation method that best suits your platform and requirements.

Installation

from PyPI

$ pip install ntfsdump

from GitHub Releases

The version compiled into a binary using Nuitka is also available for use.

$ chmod +x ./ntfsdump
$ ./ntfsdump {{options...}}
> ntfsdump.exe {{options...}}

NTFS File Prerequisites

The image file to be processed must meet the following conditions:

  • The file format must be raw, e01, vhd, vhdx, or vmdk.
  • It must use NTFS (the NT File System).
  • It must have a GUID Partition Table (GPT).

Additional file formats will be added in the future.
If you have any questions, please feel free to submit an issue.

Log Format

ntfsdump outputs logs in the following format.
By default, the log file is written to the current directory; if you do not need it, use the --nolog option.

- ntfsdump v{{version}} - 
2022-01-01T00:00:00.000000: [{{EventName}}] {{Description}}
2022-01-01T00:00:00.000000: [{{EventName}}] {{Description}}
2022-01-01T00:00:00.000000: [{{EventName}}] {{Description}}
...

Contributing

The source code for ntfsdump is hosted on GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/ntfsdump).

Please report issues and feature requests. :sushi: :sushi: :sushi:

License

ntfsdump is released under the LGPLv3+ License.

Powered by the following libraries.

Download files

Download the file for your platform.

Source Distribution

ntfsdump-2.5.3.tar.gz (23.8 kB, Source)

Built Distribution

ntfsdump-2.5.3-py3-none-any.whl (25.7 kB, Python 3)
File details

Details for the file ntfsdump-2.5.3.tar.gz.

File metadata

  • Download URL: ntfsdump-2.5.3.tar.gz
  • Upload date:
  • Size: 23.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.7.1 CPython/3.11.6 Linux/6.2.0-1016-azure

File hashes

Hashes for ntfsdump-2.5.3.tar.gz
Algorithm Hash digest
SHA256 74d4d2ca895fddee2c18dcbffc9fdc252e80dbc971947420fb6879044d355340
MD5 4909a5ade476e9d94ddad6eff39e878b
BLAKE2b-256 8db0da93c8350d1ad2eeafbe0faf6f8b4f42a21c4f76a817516413cb101ac745


File details

Details for the file ntfsdump-2.5.3-py3-none-any.whl.

File metadata

  • Download URL: ntfsdump-2.5.3-py3-none-any.whl
  • Upload date:
  • Size: 25.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.7.1 CPython/3.11.6 Linux/6.2.0-1016-azure

File hashes

Hashes for ntfsdump-2.5.3-py3-none-any.whl
Algorithm Hash digest
SHA256 66691344a9e7d0a4a200c0b5d2fd3349fa82144d5968b02c5bd4eda6461a6707
MD5 e376824190815a40f6cd86237b938bf3
BLAKE2b-256 3d894a6777d3acace4494cb4c8f2323d881b2df0cfa10dc85c9e599e6bfe2ed5

