A tool for exporting arbitrary files from an NTFS volume in a raw image file.
Project description
ntfsdump
Usage
$ ntfsdump <dump_target_winpath> --output-path <output_path> ./path/to/your/imagefile.raw

Or, from Python:

from ntfsdump import ntfsdump

# imagefile_path: str
# output_path: str
# target_queries: List[str]
# volume_num: Optional[int] = None
ntfsdump(
    imagefile_path='./path/to/your/imagefile.raw',
    output_path='./path/to/output/directory',
    target_queries=['/Windows/System32/winevt/Logs'],
    volume_num=2
)
Example
The target path can be either a single file or a directory. If it is a directory, the files beneath it are dumped recursively.
$ ntfsdump /Windows/System32/winevt/Logs -o ./dump ./path/to/your/imagefile.raw
Using with ntfsfind
https://github.com/sumeshi/ntfsfind
$ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw | ntfsdump ./path/to/your/imagefile.raw
Options
--volume-num, -n:
NTFS volume number (default: autodetect).
--output-path, -o:
Output directory or file path.
If the target path is a directory, the directory specified by --output-path is created and the target files are dumped under it.
Otherwise, the file is dumped with the file name specified in --output-path.
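The --volume-num option selects one NTFS volume inside the image. The following added example (not part of ntfsdump, which relies on pytsk3) lists which MBR partitions of a raw image actually start with an NTFS boot sector, which helps when autodetection picks the wrong volume. It assumes 512-byte sectors and an MBR layout; the function names and the sample image are constructed for illustration, and the slot index it reports is the MBR table position, not necessarily the number ntfsdump expects for --volume-num.

```python
import io
import struct

SECTOR = 512  # assumed sector size


def find_ntfs_volumes(fh):
    """Return [(mbr_slot, byte_offset)] for MBR partitions whose boot sector is NTFS."""
    fh.seek(0)
    mbr = fh.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    found = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot:462 + 16 * slot]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00 or sectors == 0:
            continue  # unused table slot
        if ptype == 0xEE:
            raise ValueError("protective MBR: disk uses GPT, not handled here")
        fh.seek(lba_start * SECTOR)
        boot = fh.read(SECTOR)
        # An NTFS boot sector carries the OEM ID "NTFS    " at bytes 3..10.
        # The partition type alone (0x07) is shared with exFAT, so check the ID.
        if len(boot) == SECTOR and boot[3:11] == b"NTFS    ":
            found.append((slot, lba_start * SECTOR))
    return found


def build_sample_image():
    """Constructed 8-sector image: slot 0 is non-NTFS, slot 1 is NTFS."""
    img = bytearray(SECTOR * 8)

    def entry(ptype, lba, count):
        # status, CHS start, type, CHS end, LBA start, sector count
        return struct.pack("<B3sB3sII", 0, b"\0" * 3, ptype, b"\0" * 3, lba, count)

    img[446:462] = entry(0x0B, 1, 2)
    img[462:478] = entry(0x07, 4, 4)
    img[510:512] = b"\x55\xaa"
    img[4 * SECTOR + 3:4 * SECTOR + 11] = b"NTFS    "
    return bytes(img)


if __name__ == "__main__":
    for slot, offset in find_ntfs_volumes(io.BytesIO(build_sample_image())):
        print(f"MBR slot {slot}: NTFS boot sector at byte offset {offset}")
```

For a real image, pass a file opened with open(path, 'rb') instead of the constructed BytesIO object.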
Installation
via PyPI
$ pip install ntfsdump
Run with Docker
https://hub.docker.com/r/sumeshi/ntfsdump
$ docker run -t --rm -v $(pwd):/app/work sumeshi/ntfsdump:latest '/$MFT' /app/work/sample.raw
Contributing
The source code for ntfsdump is hosted on GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/ntfsdump).
Please report issues and feature requests. :sushi: :sushi: :sushi:
License
ntfsdump is released under the MIT License.
Powered by pytsk3.
File details
Details for the file ntfsdump-2.0.1.tar.gz.
File metadata
- Download URL: ntfsdump-2.0.1.tar.gz
- Upload date:
- Size: 5.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.7 CPython/3.7.0 Darwin/19.6.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 0e3e86f240b78b10503702b588cb0cc63d87d954a1b3c234d03d178bebbe4f96
MD5 | 5d3c652c7ece59f99d8134821aed4275
BLAKE2b-256 | 923ec9c8e71a673ed30e631d734f609acecdf843fb7b20ef3bf49b3f2b4eee14
File details
Details for the file ntfsdump-2.0.1-py3-none-any.whl.
File metadata
- Download URL: ntfsdump-2.0.1-py3-none-any.whl
- Upload date:
- Size: 5.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.7 CPython/3.7.0 Darwin/19.6.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 7a90094b15263564d1612184f797793d28658abcab8bddf3b2b21891e7ec23fe
MD5 | 577c59e0334b3cf3396a5fcecca106c4
BLAKE2b-256 | 608dd559f520269b7796ab20721b4311af53d7fd79700f68be9b205ec273aa41