msuhanov / dfir_ntfs Goto Github PK
View Code? Open in Web Editor NEWAn NTFS/FAT parser for digital forensics & incident response
License: GNU General Public License v3.0
dfir_ntfs's Introduction
dfir_ntfs: an NTFS/FAT parser for digital forensics & incident response (Python 3 only.) 1. Project goals - Parse $MFT, $UsnJrnl:$J, $LogFile files, extract as much data as possible. - Parse volumes, volume images, and volume shadow copies. - Parse FAT12/16/32, exFAT volumes. 2. Installation # pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.1.18.tar.gz 3. Timestamps All timestamps reported by the tools are in UTC. (For FAT file systems, all timestamps are local or UTC, returned as is.) The MACE notation is used: - modified (M), - last accessed (A), - created (C), - $MFT entry modified (E). In the WSL set of timestamps (and FAT): - inode changed (CH). 4. License This project is made available under the terms of the GNU GPL, version 3. See the 'License' file. The first exception is the "nist-hacking-case.mft" file. This file is from the NIST Hacking Case, which is distributed by NIST. See the 'Use of NIST Information' section here: <https://www.nist.gov/disclaimer>. The second exception is boot code embedded in some test data. This code is not covered by the GNU GPL, version 3. (All exceptions are in the "test_data" directory, which is not installed.) --- (c) Maxim Suhanov
dfir_ntfs's People
Contributors
Stargazers
Watchers
Forkers
n4rr34n6 gavz lfbernardo dnhdang94 m00zh33 jack51706 3v1lw1th1n 4w50m3d3v516n3r emsaks franklin972000 akpotter cybermonitor sim4n6 hartl3y94 y0d4a fiskeren lookuptables l1kw1d zha0 5l1v3r1 masterscott ethanzby safasuyur sts0mrg0 andrewrathbun revans-101 minhtranca park1656 4144 dekoder nickborchers tony7466 stephen-murcottdfir_ntfs's Issues
NTFS_parser --all-mft in action
Just a small question, performing ntfs_parser --all-mft <input file (raw image)> <volume offset (in bytes)> <output file (CSV)> will produce a single CSV file of a merged $MFT from the main volume and the different VSS ?
Missing Path values for some files/dirs
This small MFT when it get parsed using the script ntfs_parser. It produces an CSV with some records without Path name.
Records are : 3377699720527884 - 3659174697238541- 3940649673949198 - 4222124650659855
I'm not sure if it is anomaly, but I am sharing it any way for testing purpose.
Project states it is GPL but license notices are missing from source files
Project states it is GPL but license notices are missing from source files
See https://www.gnu.org/licenses/gpl-howto.en.html on how to use the GPL
E.g. the start of https://github.com/msuhanov/dfir_ntfs/blob/master/ntfs_parser should contain:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
installation KO with pip but OK with setup.py
hi,
I followed the instructions with pip but I get an error :
# pip install https://github.com/msuhanov/dfir_ntfs/archive/1.1.0.tar.gz
Collecting https://github.com/msuhanov/dfir_ntfs/archive/1.1.0.tar.gz
Using cached https://github.com/msuhanov/dfir_ntfs/archive/1.1.0.tar.gz
ERROR: Exception:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/pip/_internal/cli/base_command.py", line 223, in _main
status = self.run(options, args)
File "/usr/lib/python3.9/site-packages/pip/_internal/cli/req_command.py", line 180, in wrapper
return func(self, options, args)
File "/usr/lib/python3.9/site-packages/pip/_internal/commands/install.py", line 320, in run
requirement_set = resolver.resolve(
File "/usr/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 121, in resolve
self._result = resolver.resolve(
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 454, in resolve
state = resolution.resolve(requirements, max_rounds=max_rounds)
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 319, in resolve
name, crit = self._merge_into_criterion(r, parent=None)
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 176, in _merge_into_criterion
crit = Criterion.from_requirement(self._p, requirement, parent)
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 80, in from_requirement
cands = build_iter_view(matches)
File "/usr/lib/python3.9/site-packages/resolvelib/structs.py", line 148, in build_iter_view
matches = list(matches)
File "/usr/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 285, in <genexpr>
if constraint.is_satisfied_by(c)
File "/usr/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/base.py", line 66, in is_satisfied_by
return self.specifier.contains(candidate.version, prereleases=True)
File "/usr/lib/python3.9/site-packages/packaging/specifiers.py", line 790, in contains
item = parse(item)
File "/usr/lib/python3.9/site-packages/packaging/version.py", line 57, in parse
return Version(version)
File "/usr/lib/python3.9/site-packages/packaging/version.py", line 296, in __init__
match = self._regex.search(version)
TypeError: expected string or bytes-like objecton the other hand, the installation with python setup.py install works perfectly :
# python setup.py install
running install
/usr/lib/python3.9/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
/usr/lib/python3.9/site-packages/setuptools/command/easy_install.py:156: EasyInstallDeprecationWarning: easy_install command is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
running bdist_egg
running egg_info
writing dfir_ntfs.egg-info/PKG-INFO
writing dependency_links to dfir_ntfs.egg-info/dependency_links.txt
writing requirements to dfir_ntfs.egg-info/requires.txt
writing top-level names to dfir_ntfs.egg-info/top_level.txt
reading manifest file 'dfir_ntfs.egg-info/SOURCES.txt'
writing manifest file 'dfir_ntfs.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/dfir_ntfs
creating build/bdist.linux-x86_64/egg/dfir_ntfs/addons
copying build/lib/dfir_ntfs/addons/FAT.py -> build/bdist.linux-x86_64/egg/dfir_ntfs/addons
copying build/lib/dfir_ntfs/addons/__init__.py -> build/bdist.linux-x86_64/egg/dfir_ntfs/addons
copying build/lib/dfir_ntfs/Attributes.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/BootSector.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/LogFile.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/MFT.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/MoveTable.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/PartitionTable.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/ShadowCopy.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/USN.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/WSL.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/__init__.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/addons/FAT.py to FAT.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/addons/__init__.py to __init__.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/Attributes.py to Attributes.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/BootSector.py to BootSector.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/LogFile.py to LogFile.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/MFT.py to MFT.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/MoveTable.py to MoveTable.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/PartitionTable.py to PartitionTable.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/ShadowCopy.py to ShadowCopy.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/USN.py to USN.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/WSL.py to WSL.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/__init__.py to __init__.cpython-39.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
installing scripts to build/bdist.linux-x86_64/egg/EGG-INFO/scripts
running install_scripts
running build_scripts
creating build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.9/fat_parser -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.9/vsc_mount -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.9/ntfs_parser -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/fat_parser to 755
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/vsc_mount to 755
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/ntfs_parser to 755
copying dfir_ntfs.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist/dfir_ntfs-1.1.0-py3.9.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing dfir_ntfs-1.1.0-py3.9.egg
Removing /usr/lib/python3.9/site-packages/dfir_ntfs-1.1.0-py3.9.egg
Copying dfir_ntfs-1.1.0-py3.9.egg to /usr/lib/python3.9/site-packages
dfir-ntfs 1.1.0 is already the active version in easy-install.pth
Installing fat_parser script to /usr/bin
Installing ntfs_parser script to /usr/bin
Installing vsc_mount script to /usr/bin
Installed /usr/lib/python3.9/site-packages/dfir_ntfs-1.1.0-py3.9.egg
Processing dependencies for dfir-ntfs==1.1.0
Finished processing dependencies for dfir-ntfs==1.1.0regards, lacsaP.
llfuse dependencies
vsc_mount requires llfuse, which is not stated in setup.py
Suggest adding: install_requires=['llfuse', ]
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.