# sumeshi/ntfsfind

Licenses found: GPL-3.0, LGPL-3.0
An efficient tool for searching files, directories, and alternate data streams directly from NTFS image files.

## Usage

ntfsfind can be executed from the command line or incorporated into a Python script.

```bash
$ ntfsfind {{query_regex}} /path/to/imagefile.raw
```

```python
from ntfsfind import ntfsfind

# imagefile_path: str
# search_query: str
# volume_num: Optional[int] = None
# file_type: Literal['raw', 'e01', 'vhd', 'vhdx', 'vmdk'] = 'raw'
# multiprocess: bool = False
#
# -> List[str]

# The query is a regular expression, so pass it as a raw string to keep the
# backslash in '\.' intact (a plain '.*\.evtx' literal warns on Python 3.12+).
records = ntfsfind(
    imagefile_path='./path/to/your/imagefile.raw',
    search_query=r'.*\.evtx',
    volume_num=2,
    file_type='raw',
    multiprocess=False,
)

for record in records:
    print(record)
```
## Query

This tool allows you to search for files, directories, and alternate data streams (ADS) with regular expression queries.
Paths are separated by forward slashes (Unix/Linux-style) rather than backslashes (Windows-style): a Windows path is written without its drive letter and with `/` in place of `\`, and regex metacharacters in the path such as `$` and `.` are escaped with a backslash.

e.g.

```
# find $MFT
Original Path: C:\$MFT
Query: '/\$MFT'

# find Eventlogs
Query: '.*\.evtx'

# find Alternate Data Streams
Query: '.*:.*'
```
This tool reads the $MFT directly from image files (RAW, E01, VHD, VHDX, VMDK) that contain NTFS volumes and searches it, as follows.

```bash
$ ntfsfind '.*\.evtx' /path/to/imagefile.raw
Windows/System32/winevt/Logs/Setup.evtx
Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
Logs/Windows PowerShell.evtx
Logs/Microsoft-Windows-Winlogon%4Operational.evtx
Logs/Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
Logs/Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
Logs/Microsoft-Windows-UserPnp%4ActionCenter.evtx
Logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
Logs/Microsoft-Windows-SMBServer%4Security.evtx
Logs/Microsoft-Windows-SMBServer%4Connectivity.evtx
Logs/Microsoft-Windows-SMBServer%4Audit.evtx
Logs/Microsoft-Windows-SmbClient%4Security.evtx
Logs/Microsoft-Windows-SMBClient%4Operational.evtx
Logs/Microsoft-Windows-Shell-Core%4ActionCenter.evtx
Logs/Microsoft-Windows-SettingSync%4Operational.evtx
...
```
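The query conventions above (forward-slash paths without a drive letter, escaped `$` and `.`, `.*:.*` for alternate data streams, and case-insensitive matching as the `-i` option provides) worked through in Python over a constructed set of records in the shape ntfsfind prints them. This is an added example, not code from the ntfsfind project. Because the page does not state how a query is applied, it assumes `re.fullmatch` against `'/' + record`, the one convention under which all three README queries select the intended entries; the sample records and the helper names (`windows_path_to_query`, `match_records`, `split_ads`, `channel_from_evtx_record`) are this example's own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample records in the shape ntfsfind prints them: paths relative
# to the volume root, forward slashes, and "name:stream" for an alternate data
# stream. These are made-up entries, not output captured from a real image.
SAMPLE_RECORDS = [
    "$MFT",
    "Windows/System32/winevt/Logs/Setup.evtx",
    "Windows/System32/winevt/Logs/Microsoft-Windows-Winlogon%4Operational.evtx",
    "Users/alice/Downloads/invoice.pdf:Zone.Identifier",
    "Users/alice/Desktop/notes.TXT",
    "ProgramData/backup/old.EVTX",
]


def windows_path_to_query(win_path: str) -> str:
    r"""Turn a Windows path such as C:\$MFT into an ntfsfind-style query.

    Drops the drive letter, swaps backslashes for forward slashes, and escapes
    regex metacharacters ('$' and '.' in particular) so the query matches the
    literal path. C:\$MFT becomes '/\$MFT', as in the README example.
    """
    without_drive = re.sub(r"^[A-Za-z]:", "", win_path)
    return re.escape(without_drive.replace("\\", "/"))


def match_records(records: Iterable[str], query: str, ignore_case: bool = False) -> List[str]:
    r"""Apply a query to ntfsfind-style records.

    Assumption (not stated on the page): each record is matched with
    re.fullmatch against '/' + record, the convention under which the README
    queries '/\$MFT', '.*\.evtx' and '.*:.*' all select the intended entries.
    ignore_case mirrors the --ignore-case / -i option; without it, '.*\.evtx'
    does not match a file named old.EVTX.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(query, flags)
    return [rec for rec in records if pattern.fullmatch("/" + rec)]


def split_ads(record: str) -> Tuple[str, Optional[str]]:
    """Split 'path:stream' into (path, stream); a plain file gives (path, None).

    With the drive letter gone, ':' cannot occur in a volume-relative
    forward-slash path except as the ADS separator, so the first ':' is the
    boundary.
    """
    path, sep, stream = record.partition(":")
    return (path, stream if sep else None)


def channel_from_evtx_record(record: str) -> str:
    """Recover the event-log channel name from an .evtx record.

    Windows stores the '/' of a channel name as '%4' in the log file name, so
    Microsoft-Windows-Winlogon%4Operational.evtx holds the
    Microsoft-Windows-Winlogon/Operational channel.
    """
    name = record.rsplit("/", 1)[-1]
    if name.lower().endswith(".evtx"):
        name = name[:-len(".evtx")]
    return name.replace("%4", "/")


if __name__ == "__main__":
    print(windows_path_to_query(r"C:\$MFT"))
    for rec in match_records(SAMPLE_RECORDS, r".*\.evtx", ignore_case=True):
        print(rec, "->", channel_from_evtx_record(rec))
    for rec in match_records(SAMPLE_RECORDS, r".*:.*"):
        print(split_ads(rec))
```

`windows_path_to_query` is the safe way to build a query from a path copied out of a Windows artifact: an unescaped `$` in `C:\$MFT` would be read as an end-of-string anchor and match nothing, and an unescaped `.` in `Setup.evtx` would also match `Setup-evtx`. Because matching is regex-based, a query written for one exact file should always go through escaping first.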
## When used with ntfsdump

When combined with ntfsdump, the files found can be dumped directly from the image file.

```bash
$ ntfsfind '.*\.evtx' /path/to/imagefile.raw | ntfsdump /path/to/your/imagefile
```

ntfsfind and ntfsdump are compatible if they share the same major and minor versions. For instance, they can be used together if both are version 2.5.x.

https://github.com/sumeshi/ntfsdump
## Options

- `--help, -h`: Display the help message and exit.
- `--version, -v`: Show the program's version number and exit.
- `--volume-num, -n`: Specify the NTFS volume number (default is autodetect).
- `--type, -t`: Set the image file format (default is raw (dd format)). Supported formats include raw, e01, vhd, vhdx, and vmdk.
- `--ignore-case, -i`: Enable case-insensitive search.
- `--multiprocess, -m`: Enable multiprocessing for the operation.
## Installation

You can run ntfsfind in the following environments:

- Windows: Precompiled binaries for Windows are available in the GitHub releases section.
- Ubuntu: Precompiled binaries for Linux are also available in the GitHub releases section.
- Python: If you prefer to run ntfsfind using Python, it is compatible with Python 3.11 and later versions (including 3.12 and above).

Make sure to choose the installation method that best suits your platform and requirements.

```bash
$ pip install ntfsfind
```

The version compiled into a binary using Nuitka is also available for use.

```bash
$ chmod +x ./ntfsfind
$ ./ntfsfind {{options...}}
```

```powershell
> ntfsfind.exe {{options...}}
```
## Prerequisites

The image file to be processed must meet the following conditions:
- The file format must be raw, e01, vhd, vhdx, or vmdk.
- It must use the NTFS (NT File System).
- It must have a GUID Partition Table (GPT).
Additional file formats will be added in the future.
## Contributing

If you have any questions, please feel free to submit an issue.

The source code for ntfsfind is hosted at GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/ntfsfind).

Please report issues and feature requests. 🍣 🍣 🍣

## License

ntfsfind is released under the LGPLv3+ License.

Powered by the following libraries.