
An efficient tool for searching files, directories, and alternate data streams directly in NTFS image files.

Project description

ntfsfind


🚀 Overview

ntfsfind allows digital forensic investigators and incident responders to seamlessly search for records from disk images using regular expressions without needing to mount them. By leveraging powerful backend libraries, it supports reading from standard disk image formats (RAW, E01, VHD(x), VMDK) and reliably parses NTFS structures.

📦 Features

  • Direct Search: Avoid mounting overhead by searching files directly from NTFS partitions.
  • Supports Multiple Formats: Read from .raw, .e01, .vhd, .vhdx, and .vmdk.
  • Regex Queries: Find files and directories by querying with regular expressions (partial matching is used by default, as in grep).
  • Alternate Data Stream (ADS): Supports finding hidden alternate data streams.
  • Use as a CLI or Python Module: Highly flexible to integrate into other automated tools.

⚙️ Execution Environment

  • Python: Compatible with Python 3.13+.
  • Precompiled Binaries: Available for both Windows and Linux in the GitHub releases section.

📂 Installation

# From PyPI
pip install ntfsfind

# From GitHub Releases (Precompiled Binaries)
chmod +x ./ntfsfind
./ntfsfind --help

# Execution via cmd/batch on Windows
> ntfsfind.exe --help

🛠️ Requirements & File Prerequisites

The image file must meet the following conditions:

  • Formats: raw, e01, vhd, vhdx, vmdk.
  • File System: NTFS.
  • Partition Table: GPT (MBR will usually be auto-detected, but GPT is officially supported).

💻 Usage

Command Line Interface

You can pass arguments directly into the CLI. Paths are separated by forward slashes (/, Unix/Linux-style) rather than backslashes (\, Windows-style).

ntfsfind [OPTIONS] <IMAGE> [SEARCH_QUERY]

Options:

  • --help, -h: Show help message.
  • --version, -V: Display program version.
  • --volume, -n: Target a specific NTFS volume number (default: auto-detects the main OS volume).
  • --format, -f: Image file format (default: raw). Options: raw, e01, vhd, vhdx, vmdk.
  • --ignore-case, -i: Enable case-insensitive search.
  • --fixed-strings, -F: Interpret search query as a literal fixed string instead of a regular expression.
  • --multiprocess, -m: Enable multiprocessing for the operation.
  • --out-mft: Export the parsed $MFT raw bytes to the specified file path.

Examples

Find Eventlogs:

$ ntfsfind ./path/to/your/image.raw '.*\.evtx'
/Windows/System32/winevt/Logs/Setup.evtx
/Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
/Logs/Windows PowerShell.evtx
/Logs/Microsoft-Windows-Winlogon%4Operational.evtx
/Logs/Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
...

Find the $MFT file (because matching is partial, $MFTMirr, whose name contains the query, is returned too):

$ ntfsfind ./path/to/your/image.raw '\$MFT'
/$MFT
/$MFTMirr

Find Alternate Data Streams:

$ ntfsfind ./path/to/your/image.raw '.*:.*'

Export MFT and search directly from it (faster caching):

# 1. Export MFT from the image (search query can be omitted)
$ ntfsfind --out-mft /tmp/my_mft.bin ./path/to/your/image.raw

# 2. Later you can query the dumped MFT file instead of the heavy image!
$ ntfsfind -F /tmp/my_mft.bin '.evtx'
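The query semantics documented above (grep-style partial matching, -i, -F) and the path:stream shape of an ADS hit, re-implemented in plain Python as an added example. This is not ntfsfind's own code; it assumes the query is tested against the full path as printed in the examples and that ADS results are printed as path:stream (as the '.*:.*' query suggests). The sample records, including the Zone.Identifier stream, are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Sequence

# Constructed sample records, shaped like the paths ntfsfind prints.
# The ':Zone.Identifier' entry assumes ADS hits are printed as path:stream.
SAMPLE_RECORDS = [
    "/$MFT",
    "/$MFTMirr",
    "/Windows/System32/winevt/Logs/Setup.evtx",
    "/Windows/System32/winevt/Logs/Microsoft-Windows-Winlogon%4Operational.evtx",
    "/Users/alice/Downloads/invoice.docx",
    "/Users/alice/Downloads/invoice.docx:Zone.Identifier",
    "/Users/alice/Downloads/ARCHIVE.EVTX",
]


def compile_query(search_query: str, ignore_case: bool = False,
                  fixed_strings: bool = False) -> "re.Pattern[str]":
    """Turn a CLI-style query into a compiled pattern.

    -F / fixed_strings escapes every metacharacter so the query is literal;
    -i / ignore_case adds re.IGNORECASE.  Partial matching comes from using
    re.search() in find() below, not from anchoring the pattern.
    """
    pattern = re.escape(search_query) if fixed_strings else search_query
    return re.compile(pattern, re.IGNORECASE if ignore_case else 0)


def find(records: Sequence[str], search_query: str, ignore_case: bool = False,
         fixed_strings: bool = False) -> List[str]:
    """Return the records the query matches, grep-style (a hit anywhere in the path counts)."""
    rx = compile_query(search_query, ignore_case, fixed_strings)
    return [r for r in records if rx.search(r)]


class Record(NamedTuple):
    path: str
    stream: Optional[str]   # None for the unnamed (default) data stream


def split_ads(record: str) -> Record:
    """Split 'path:stream' into its parts.

    ':' cannot occur inside an NTFS file name, so the first colon is the stream
    separator (assumption: ntfsfind renders ADS hits this way).
    """
    path, sep, stream = record.partition(":")
    return Record(path, stream if sep else None)


def ads_hits(records: Sequence[str]) -> List[Record]:
    """Every record carrying a named stream, e.g. Zone.Identifier, the
    mark-of-the-web stream Windows attaches to downloaded files."""
    return [split_ads(r) for r in find(records, ".*:.*")]


if __name__ == "__main__":
    print("'\\$MFT' (regex)  ->", find(SAMPLE_RECORDS, r"\$MFT"))
    print("'.evtx' with -F  ->", find(SAMPLE_RECORDS, ".evtx", fixed_strings=True))
    print("'\\.evtx' with -i ->", find(SAMPLE_RECORDS, r"\.evtx", ignore_case=True))
    for rec in ads_hits(SAMPLE_RECORDS):
        print(f"ADS: {rec.path}  stream={rec.stream}")
```

Running the script shows why '\$MFT' returns both $MFT and $MFTMirr, why '.evtx' under -F no longer treats the dot as a wildcard, and how an ADS hit can be split into the carrier file and the stream name for triage. The same functions can post-process the list returned by the ntfsfind() Python API.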

Working with ntfsdump

When combined with ntfsdump, the retrieved files can be directly dumped from the image file over standard input (pipe). ntfsfind and ntfsdump are compatible if they share the same major and minor versions (e.g. they can be used together if both are version 3.0.x).

$ ntfsfind ./path/to/your/imagefile.raw '.*\.evtx' | ntfsdump ./path/to/your/imagefile.raw

Python Module

You can incorporate ntfsfind logic into your own scripts.

from ntfsfind import ntfsfind

# image: str
# search_query: str
# volume: Optional[int] = None
# format: Literal['raw', 'e01', 'vhd', 'vhdx', 'vmdk'] = 'raw'
# multiprocess: bool = False
# ignore_case: bool = False
# fixed_strings: bool = False
# out_mft: Optional[str] = None
#
# -> List[str]

records = ntfsfind(
    image='./path/to/your/imagefile.raw',
    search_query=r'.*\.evtx',  # raw string: '\.' is an invalid escape in a normal string literal
    volume=2,
    format='raw',
    multiprocess=False,
    ignore_case=True,
    fixed_strings=False,
    out_mft='/tmp/dumped_mft.bin'
)

for record in records:
    print(record)

🤝 Contributing

We welcome reports, issues, and feature requests. Please file them on the GitHub repository. 🍣 🍣 🍣

📜 License

Released under the LGPLv3+ License.

Download files


Source Distribution

ntfsfind-3.0.3.tar.gz (40.3 kB)

Uploaded Source

Built Distribution


ntfsfind-3.0.3-py3-none-any.whl (21.7 kB)

Uploaded Python 3

File details

Details for the file ntfsfind-3.0.3.tar.gz.

File metadata

  • Download URL: ntfsfind-3.0.3.tar.gz
  • Size: 40.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.4 {"installer":{"name":"uv","version":"0.10.4","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for ntfsfind-3.0.3.tar.gz

  • SHA256: 9d4d2d08f680070edd248526585ffa560c4d4ea3f11963f607a18b48be0893ad
  • MD5: 23f4c7dbc03877417cc75521b80582ea
  • BLAKE2b-256: 654545ac22721c07462f72a7749a126f866ea1e251ecab0383b73adec2bfacf7


File details

Details for the file ntfsfind-3.0.3-py3-none-any.whl.

File metadata

  • Download URL: ntfsfind-3.0.3-py3-none-any.whl
  • Size: 21.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.4 {"installer":{"name":"uv","version":"0.10.4","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for ntfsfind-3.0.3-py3-none-any.whl

  • SHA256: af70f48be721b30693c5ebcb82939aa9159469cea4c1901ffb45fd0afa783350
  • MD5: e32cf51f03feedf06f2a5dde3e415c0f
  • BLAKE2b-256: ed5f123ad3817fe52db0433cb89e2238935597e479da9fd3c1457177910e6f3b

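Checking a downloaded distribution against the SHA256 digests published above before installing it, as an added example (not part of ntfsfind or PyPI). Only the SHA256 entries are used, since MD5 is not collision resistant; the digests in the dictionary are copied from this page, and the file names are the two artifacts listed for 3.0.3.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict, Union

# SHA256 digests as published on this page for ntfsfind 3.0.3.
PUBLISHED_SHA256: Dict[str, str] = {
    "ntfsfind-3.0.3.tar.gz":
        "9d4d2d08f680070edd248526585ffa560c4d4ea3f11963f607a18b48be0893ad",
    "ntfsfind-3.0.3-py3-none-any.whl":
        "af70f48be721b30693c5ebcb82939aa9159469cea4c1901ffb45fd0afa783350",
}


def sha256_of_file(path: Union[str, Path], chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Union[str, Path],
                    expected: Dict[str, str] = PUBLISHED_SHA256) -> bool:
    """True iff the file's SHA-256 equals the digest published for its file name.

    An unknown file name raises rather than passing silently, and the comparison
    is constant-time (cosmetic here, but the habit costs nothing).
    """
    name = Path(path).name
    if name not in expected:
        raise KeyError(f"no published digest for {name!r}")
    return hmac.compare_digest(sha256_of_file(path), expected[name].lower())


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(arg, "OK" if verify_download(arg) else "MISMATCH")
```

Run it as `python verify.py ntfsfind-3.0.3.tar.gz` after downloading. pip can enforce the same pin for you: put `ntfsfind==3.0.3 --hash=sha256:9d4d2d08f680070edd248526585ffa560c4d4ea3f11963f607a18b48be0893ad` in a requirements file and install it with `pip install --require-hashes -r requirements.txt`, which refuses any artifact whose digest does not match.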
