This guide describes how to extract files, directories, and alternate data streams (collectively referred to below as artifacts) from a preserved NTFS image file. The software supports image formats such as dd (raw), E01 and VMDK.
Note that for virtual machine image formats such as VMDK, images split into multiple segments (for example by snapshots) are not supported.
Below is the command to extract the $MFT from a dd (raw) format image file named ntfs.raw.
Specify the search query as the first argument, in Unix/Linux path format.
The procedure is the same on Windows.
$ ./ntfsdump '/$MFT' ./ntfs.raw
> ntfsdump.exe "/$MFT" .\ntfs.raw
The detailed procedures follow.
The examples below are for the Linux version; if you are using Windows, refer to the repository's README and adapt them accordingly.
To search for and extract artifacts in one step, use ntfsfind together with ntfsdump. Below is an example of searching for and saving Windows Event Logs (.evtx).
Regular expressions can be used in the search.
Search results are written to standard output, one artifact per line.
$ ./ntfsfind '.*\.evtx' ./ntfs.raw
$ ./ntfsdump '/Windows/System32/winevt/Logs/Hoge.evtx' ./ntfs.raw
You can also pass the ntfsfind search results directly to ntfsdump through a pipe.
$ ./ntfsfind '.*\.evtx' ./ntfs.raw | ./ntfsdump ./ntfs.raw
If you already know which items to extract, you can pass them from a file instead.
$ cat ./artifacts.lst | ./ntfsdump ./ntfs.raw
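The file-driven form above is the natural building block for automation. The following script is an added example, not code from the ntfsdump/ntfsfind project: it writes a fixed artifact list (a constructed example list, in the Unix/Linux path format ntfsdump expects), feeds it to ntfsdump over stdin exactly as in the pipeline above, and then records SHA-256 hashes of everything extracted so the copies can be verified later. It assumes ./ntfsdump sits in the current directory, as in the article's examples, and that ntfsdump writes extracted files under the directory it is run from; the output directory layout is the script's own choice.

```shell
#!/bin/sh
# Added example (not part of the ntfsdump/ntfsfind project): batch-extract a
# fixed artifact list with ntfsdump, then hash everything that was extracted.
# Assumptions: ./ntfsdump is in the current directory and writes extracted
# files under the directory it is run from.
set -e

# Write the artifact list: one query per line, Unix/Linux path format.
# The entries are a constructed example list, not one from the project.
write_artifact_list() {
  cat > "$1" <<'EOF'
/$MFT
/$LogFile
/Windows/System32/config/SYSTEM
/Windows/System32/config/SOFTWARE
/Windows/System32/winevt/Logs/Security.evtx
EOF
}

# Hash every file below directory $1 into manifest $2 (sha256sum format)
# and print the number of manifest entries.
hash_manifest() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    sha256sum "$f"
  done > "$2"
  wc -l < "$2" | tr -d ' '
}

# Drive a whole run: $1 = image path, $2 = working directory for the output.
# Layout: $2/artifacts.lst, $2/files/ (extracted data), $2/manifest.sha256.
extract_and_hash() {
  image=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
  tool=$(pwd)/ntfsdump
  mkdir -p "$2/files"
  write_artifact_list "$2/artifacts.lst"
  # Same shape as the article's pipeline: queries on stdin, image as argument.
  ( cd "$2/files" && "$tool" "$image" < ../artifacts.lst )
  hash_manifest "$2/files" "$2/manifest.sha256"
}

# Only touch a real image when one is given and the binary is present.
if [ -n "${1:-}" ] && [ -x ./ntfsdump ]; then
  extract_and_hash "$1" "${2:-./extracted}"
fi
```

Run it as `sh extract.sh ./ntfs.raw ./extracted`; afterwards `sha256sum -c ./extracted/manifest.sha256` confirms that the extracted copies are unchanged. Hashing from a separate manifest file rather than from inside the extraction directory avoids the manifest hashing itself.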
Binaries for Windows and Linux (Ubuntu) are available on GitHub Releases.
Download the binaries from the page linked below and run them.
Be aware that some antivirus software, such as Windows Security, may flag these binaries. This is because they are built with Nuitka, which compiles Python code into an executable.
If this is a concern, refer to Installation from Source Code below, or run them in an isolated virtual environment.
Python 3.11 and above are supported.
To install, run the following command.
$ pip install ntfsdump ntfsfind
Alternatively, obtain the source code directly from GitHub and run it from there.
Dependencies are managed with poetry, so use it for installation.
# Download source code from GitHub
$ git clone https://github.com/sumeshi/ntfsdump
$ cd ntfsdump
# Install dependencies
$ pip install poetry
$ poetry install
# Run command using poetry
$ poetry run ntfsdump -h
Compared to tools like Autopsy or FTK Imager, which offer GUI-based extraction while browsing the file tree, or the well-known and multifunctional command-line toolkit The Sleuth Kit, the functionality of ntfsdump and ntfsfind may seem limited. However, these two tools are not intended to be integrated forensic suites but minimal tools that each accomplish their task with a single binary.
We hope they prove useful for automating investigations or for quick checks.
ntfsdump and ntfsfind are still under development.
If you are interested in them, we would welcome issues and pull requests on GitHub.
This article was translated by GPT-4.