Project description

ntfsfind

An efficient tool for searching files, directories, and alternate data streams directly in NTFS image files.

Usage

ntfsfind can be executed from the command line or incorporated into a Python script.

$ ntfsfind {{query_regex}} /path/to/imagefile.raw
from ntfsfind import ntfsfind

# imagefile_path: str
# search_query: str
# volume_num: Optional[int] = None
# file_type: Literal['raw', 'e01', 'vhd', 'vhdx', 'vmdk'] = 'raw'
# multiprocess: bool = False
#
# -> List[str]

records = ntfsfind(
    imagefile_path='./path/to/your/imagefile.raw',
    search_query=r'.*\.evtx',  # raw string: '\.' is an invalid escape in a normal Python string literal
    volume_num=2,
    file_type='raw',
    multiprocess=False
)

# one matched path (Unix-style, relative to the volume root) per record
for record in records:
    print(record)

Query

This tool allows you to search for files, directories, and alternate data streams (ADS) with regular expression queries.
Paths are separated by forward slashes (Unix/Linux-style) rather than backslashes (Windows-style).

e.g.

Original Path: C:\$MFT
Query: '/\$MFT'

# find Eventlogs
Query: '.*\.evtx'

# find Alternate Data Streams
Query: '.*:.*'
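The query conventions above, worked through in code. This is an added example and not part of ntfsfind: it builds a query string from a Windows path (drive letter dropped, backslashes turned into forward slashes, regex metacharacters such as `$` and `.` escaped), and it parses ntfsfind output lines to separate an ADS name from its file path. The post-filter uses `re.search`; the page does not state how ntfsfind itself anchors its matches, so treat that as an assumption. The sample records are constructed from the page's example output plus a made-up `Zone.Identifier` stream.

```python
import re
from typing import List, Optional, Tuple

_DRIVE = re.compile(r"^[A-Za-z]:")


def windows_path_to_query(win_path: str) -> str:
    """Turn C:\\$MFT into the ntfsfind query /\\$MFT (hypothetical helper)."""
    path = _DRIVE.sub("", win_path)                      # drop the drive letter
    parts = [re.escape(p) for p in path.split("\\") if p]  # escape $ . ( ) etc.
    return "/" + "/".join(parts)                        # Unix-style separators


def split_ads(record: str) -> Tuple[str, Optional[str]]:
    """Split an ntfsfind output line into (file_path, stream_name).

    NTFS names cannot contain ':', so the first colon in a record is the
    ADS separator; stream_name is None for the unnamed $DATA stream.
    """
    path, sep, stream = record.partition(":")
    return (path, stream) if sep else (record, None)


def find_ads(records: List[str]) -> List[Tuple[str, str]]:
    """Keep only records that name an alternate data stream."""
    return [(p, s) for p, s in map(split_ads, records) if s is not None]


def match_records(records: List[str], query: str, ignore_case: bool = False) -> List[str]:
    """Post-filter ntfsfind output with a regex, mirroring --ignore-case (assumed re.search semantics)."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(query, flags)
    return [r for r in records if pattern.search(r)]


# Constructed sample: two lines from the page's example output, two made up.
SAMPLE_RECORDS = [
    "Windows/System32/winevt/Logs/Setup.evtx",
    "Logs/Microsoft-Windows-SMBServer%4Security.evtx",
    "Users/alice/Downloads/invoice.exe",
    "Users/alice/Downloads/invoice.exe:Zone.Identifier",
]

if __name__ == "__main__":
    print(windows_path_to_query(r"C:\$MFT"))
    for path, stream in find_ads(SAMPLE_RECORDS):
        print(f"ADS found: {path} -> {stream}")
    print(match_records(SAMPLE_RECORDS, "setup", ignore_case=True))
```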

Example

This tool reads the $MFT directly from image files (RAW, E01, VHD, VHDX, VMDK) that contain NTFS volumes and searches its records, as follows.

$ ntfsfind '.*\.evtx' /path/to/imagefile.raw
Windows/System32/winevt/Logs/Setup.evtx
Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
Logs/Windows PowerShell.evtx
Logs/Microsoft-Windows-Winlogon%4Operational.evtx
Logs/Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
Logs/Microsoft-Windows-UserPnp%4ActionCenter.evtx
Logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
Logs/Microsoft-Windows-SMBServer%4Security.evtx
Logs/Microsoft-Windows-SMBServer%4Connectivity.evtx
Logs/Microsoft-Windows-SMBServer%4Audit.evtx
Logs/Microsoft-Windows-SmbClient%4Security.evtx
Logs/Microsoft-Windows-SMBClient%4Operational.evtx
Logs/Microsoft-Windows-Shell-Core%4ActionCenter.evtx
Logs/Microsoft-Windows-SettingSync%4Operational.evtx
...

When used with ntfsdump

When combined with ntfsdump, the retrieved files can be directly dumped from the image file.

$ ntfsfind '.*\.evtx' /path/to/imagefile.raw | ntfsdump /path/to/your/imagefile

ntfsfind and ntfsdump are compatible if they share the same major and minor versions. For instance, they can be used together if both are version 2.5.x.

https://github.com/sumeshi/ntfsdump

Options

--help, -h:
    Display the help message and exit.

--version, -v:
    Show the program's version number and exit.

--volume-num, -n:
    Specify the NTFS volume number (default is autodetect).

--type, -t:
    Set the image file format (default is raw, i.e. dd format).
    Supported formats are raw, e01, vhd, vhdx, and vmdk.

--ignore-case, -i:
    Enable case-insensitive search.

--multiprocess, -m:
    Enable multiprocessing for the operation.

Execution Environment

You can run ntfsfind in the following environments:

Windows: Precompiled binaries for Windows are available in the GitHub releases section.

Ubuntu: Precompiled binaries for Linux are also available in the GitHub releases section.

Python: If you prefer to run ntfsfind with Python, it requires Python 3.11 or later (3.12 and above are also supported).

Make sure to choose the installation method that best suits your platform and requirements.

Installation

from PyPI

$ pip install ntfsfind

from GitHub Releases

A binary compiled with Nuitka is also available.

$ chmod +x ./ntfsfind
$ ./ntfsfind {{options...}}
> ntfsfind.exe {{options...}}

NTFS File Prerequisites

The image file to be processed must meet the following conditions:

  • The file format must be raw, e01, vhd, vhdx, or vmdk.
  • It must contain an NTFS (NT File System) volume.
  • It must have a GUID Partition Table (GPT).

Additional file formats will be added in the future.
If you have any questions, please feel free to submit an issue.

Contributing

The source code for ntfsfind is hosted on GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/ntfsfind).
Please report issues and feature requests. :sushi: :sushi: :sushi:

License

ntfsfind is released under the LGPLv3+ License.

Powered by the following libraries.
