DEV Community

Cover image for Extraction of Artifacts from an NTFS Image File Using ntfsdump and ntfsfind

Posted on

Extraction of Artifacts from an NTFS Image File Using ntfsdump and ntfsfind


This guide presents the procedure for extracting files, directories, and alternate data streams (hereinafter referred to as artifacts) from a preserved NTFS image file. This software supports formats such as dd(raw), e01, vmdk, etc.

For image files used in virtual machines like vmdk, please note that this software does not support cases where the image is segmented due to snapshotting or other reasons.

Quick Start

Below is a command to extract the $MFT from a dd(raw) format image file named ntfs.raw.

Specify the search query as the first argument in Unix/Linux path format.
This procedure is the same when using Windows.


$ ./ntfsdump '/$MFT' ./ntfs.raw
Enter fullscreen mode Exit fullscreen mode


> ntfsdump.exe "/$MFT" .\ntfs.raw
Enter fullscreen mode Exit fullscreen mode

Detailed Operation Procedures

The following are the detailed operation procedures.

The examples below are primarily for the Linux version, but if you are using Windows, please refer to the repository's README to interpret them accordingly.

Search and Extraction

To search for and extract artifacts simultaneously, use ntfsfind in combination. Below is an example of searching for and saving Windows Event Logs (.evtx format).

Executing Search and Extraction Individually

Regular expressions can be used for searching.
The search results are outputted one artifact per line to the standard output.

$ ./ntfsfind '.*\.evtx' ./ntfs.raw
Enter fullscreen mode Exit fullscreen mode
$ ./ntfsdump '/Windows/System32/winevt/Logs/Hoge.evtx' ./ntfs.raw
Enter fullscreen mode Exit fullscreen mode

Passing Search Results via Pipeline

You can also directly pass the ntfsfind search results via a pipeline.

$ ./ntfsfind '.*\.evtx' ./ntfs.raw | ./ntfsdump ./ntfs.raw
Enter fullscreen mode Exit fullscreen mode

If you have already decided on the items to extract, you can pass them from a file as well.

$ cat ./artifacts.lst | ./ntfsdump ./ntfs.raw
Enter fullscreen mode Exit fullscreen mode

Installation Methods

Execution Using Binaries (Recommended)

Binaries for Windows and Linux(Ubuntu) are available on GitHub Releases.
Please download the binaries from the page linked below and execute them.

Be aware that the software may be detected by some antivirus software, such as Windows Security. This is due to the use of Nuitka, which compiles Python code into an executable file.

If you are concerned, please refer to the Installation from Source Code below, or run it in an isolated virtual environment.

Installation from PyPI (Recommended)

Supports Python 3.11 and above.
To install, execute the following command.

$ pip install ntfsdump ntfsfind
Enter fullscreen mode Exit fullscreen mode

Installation from Source Code

Obtain the source code directly from GitHub and execute it.
Since poetry is used for managing dependencies, please use it for installation.

# Download source code from GitHub
$ git pull
$ cd ntfsdump

# Install dependencies
$ pip install poetry
$ poetry install

# Run command using poetry
$ poetry run ntfsdump -h
Enter fullscreen mode Exit fullscreen mode

Differences from Existing Software

Compared to software like Autopsy or FTK Imager, which allow GUI-based extraction while viewing the file tree, or the multifunctional SleuthKit which is a well-known CUI tool, the functionality of ntfsdump and ntfsfind may seem limited. However, the purpose of these two tools is not to be integrated forensic tools but to be minimal tools that accomplish their tasks with a single binary.

We hope these tools will be useful for automating investigations or for quick checks.


ntfsdump and ntfsfind are tools under development.
If you are interested in this product, we would be pleased if you could send issues and pull requests on GitHub.

This article was translated by GPT-4.

Top comments (0)