No project description provided

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for sumeshi from gravatar.com sumeshi

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: sumeshi
  • Tags Windows
  • Requires: Python >=3.7, <4.0
Classifiers

Project description

ntfsfind

MIT License PyPI version Python Versions DockerHub Status

ntfsfind

A tool for search file paths from an NTFS volume on a Raw Image file.

Usage

$ ntfsfind <query_regex> ./path/to/your/imagefile.raw

from ntfsfind import ntfsfind

# imagefile_path: str
# search_query: str
# volume_num: Optional[int] = None
# multiprocess: bool = False
#
# -> List[str]

records = ntfsfind(
    imagefile_path='./path/to/your/imagefile.raw',
    search_query='.*\.evtx',
    volume_num=2,
    multiprocess=False
)

for record in records:
    print(record)

Example

Extracts $MFT information directly from image files in raw device mapping format.
ntfsfind can use regular expressions to search for files.

$ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw
Windows/System32/winevt/Logs/Setup.evtx
Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
Logs/Windows PowerShell.evtx
Logs/Microsoft-Windows-Winlogon%4Operational.evtx
Logs/Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
Logs/Microsoft-Windows-UserPnp%4ActionCenter.evtx
Logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
Logs/Microsoft-Windows-SMBServer%4Security.evtx
Logs/Microsoft-Windows-SMBServer%4Connectivity.evtx
Logs/Microsoft-Windows-SMBServer%4Audit.evtx
Logs/Microsoft-Windows-SmbClient%4Security.evtx
Logs/Microsoft-Windows-SMBClient%4Operational.evtx
Logs/Microsoft-Windows-Shell-Core%4ActionCenter.evtx
Logs/Microsoft-Windows-SettingSync%4Operational.evtx
...

Options

--volume-num, -n: NTFS volume number(default: autodetect).
--multiprocess, -m: flag to run multiprocessing.

Installation

via PyPI

$ pip install ntfsfind

Run with Docker

https://hub.docker.com/r/sumeshi/ntfsfind

$ docker run -t --rm -v $(pwd):/app/work sumeshi/ntfsfind:latest '/\$MFT' /app/work/sample.raw

Contributing

The source code for ntfsfind is hosted at GitHub, and you may download, fork, and review it from this repository(https://github.com/sumeshi/ntfsfind).
Please report issues and feature requests. :sushi: :sushi: :sushi:

License

ntfsfind is released under the MIT License.

Powered by pytsk3.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for sumeshi from gravatar.com sumeshi

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: sumeshi
  • Tags Windows
  • Requires: Python >=3.7, <4.0
Classifiers

Release history Release notifications | RSS feed

2.5.0

2.4.1

2.4.0

2.3.4

2.3.3

2.3.2

2.3.0

This version

2.1.1

2.1.0

2.0.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ntfsfind-2.1.1.tar.gz (4.2 kB view hashes)

Uploaded Source

Built Distribution

ntfsfind-2.1.1-py3-none-any.whl (4.2 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page