ntfsdump
A tool for exporting any files from an NTFS volume on a Raw Image file.
Usage
$ ntfsdump <dump_target_winpath> --output-path <output_path> ./path/to/your/imagefile.raw
from ntfsdump import ntfsdump
# imagefile_path: str
# output_path: str
# target_queries: List[str]
# volume_num: Optional[int] = None
ntfsdump(
    imagefile_path='./path/to/your/imagefile.raw',
    output_path='./path/to/output/directory',
    target_queries=['/Windows/System32/winevt/Logs'],
    volume_num=2
)
Example
The target path can be either a single file or a directory. In the case of a directory, the files under it are dumped recursively.
$ ntfsdump /Windows/System32/winevt/Logs -o ./dump ./path/to/your/imagefile.raw
When used with ntfsfind
https://github.com/sumeshi/ntfsfind
$ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw | ntfsdump ./path/to/your/imagefile.raw
Options
--volume-num, -n:
NTFS volume number (default: autodetect).
--output-path, -o:
Output directory or file path.
If the target path is a directory, the directory specified by --output-path is created and the target files are dumped under it.
Otherwise, the file is dumped with the file name specified by --output-path.
Installation
via PyPI
$ pip install ntfsdump
Run with Docker
https://hub.docker.com/r/sumeshi/ntfsdump
$ docker run -t --rm -v $(pwd):/app/work sumeshi/ntfsdump:latest '/$MFT' /app/work/sample.raw
Contributing
The source code for ntfsdump is hosted at GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/ntfsdump).
Please report issues and feature requests. :sushi: :sushi: :sushi:
License
ntfsdump is released under the MIT License.
Powered by pytsk3.
Source Distribution: ntfsdump-2.0.1.tar.gz (5.1 kB)