ntfs_parse

NTFS parser, plus linking capabilities between the MFT, LogFile and UsnJrnl. This project is part of research into the possibilities of combining the MFT, LogFile and UsnJrnl. The code is written from scratch and made open-source under the MIT license.

This proof-of-concept is not a commercial-ready project.

Usage

There is a basic shell script which performs all the basic parsing steps. This gives the user a quick output of the files without having to know all the separate commands.

NOTE: Some subcommands/programs offer a choice of output type (raw, parsed, csv, transaction). In the case of the transaction option of logfileparse.py, the separate LSNs are connected together.

full_run.sh

Without a parameter the help information will be printed.

usage:

./full_run.sh image_name sector_offset directory

| variable | description |
|---|---|
| image_name | Raw disk image |
| sector_offset | Offset to the partition, in sectors (mmls can be used to find this) |
| directory | Relative directory for file output |

NOTE: this script needs The Sleuth Kit's (TSK) fls program.

mftparse.py

MFT parser. This program consists of multiple subcommands, which make it possible to export specific inums, or to extract the data which belongs to a specific inum.

usage:

mftparse.py [-h] {export,extractdata,statistics} ...

| positional arguments | description |
|---|---|
| export | Export specific inums into a certain type |
| extractdata | Extracts data for a single entry, essentially returning the file |
| statistics | Show statistics about this NTFS |

| optional arguments | description |
|---|---|
| -h, --help | show this help message and exit |

export

Export specific inums into a certain type

usage:

mftparse.py export [-h] [-o OFFSET_SECTORS | -O OFFSET_BYTES] [-s SECTOR_SIZE] [-i IMAGE | -f FILE] [-t {raw,parsed,csv}] [-e EXPORT_FILE] [-q INUMS]

| optional arguments | choice | description |
|---|---|---|
| -h, --help | None | show this help message and exit |
| -o | OFFSET_SECTORS | Offset into the image for the filesystem, in sectors |
| -O | OFFSET_BYTES | Offset into the image for the filesystem, in bytes |
| -s | SECTOR_SIZE | Sector size (default=512) |
| -i | IMAGE | Raw image file |
| -f | FILE | Extracted $MFT file |
| -t | raw, parsed, csv | Type of export. Default=parsed |
| -e | EXPORT_FILE | Name of destination file. If left out, stdout is used. Existing files will be overwritten. |
| -q | INUMS | Single inum or range(s) of inums. Ranges are inclusive. Example: 0-11,24-34,40. Also possible: all. Default=all |

extractdata

Extracts data for a single entry, essentially returning the file

usage:

mftparse.py extractdata [-h] [-o OFFSET_SECTORS | -O OFFSET_BYTES] [-s SECTOR_SIZE] [-i IMAGE | -f FILE] [-q INUM] [-a DATA_STREAM] [-e OUTPUT_FILE]

| optional arguments | choice | description |
|---|---|---|
| -h, --help | None | show this help message and exit |
| -o | OFFSET_SECTORS | Offset into the image for the filesystem, in sectors |
| -O | OFFSET_BYTES | Offset into the image for the filesystem, in bytes |
| -s | SECTOR_SIZE | Sector size (default=512) |
| -i | IMAGE | Raw image file |
| -f | FILE | Extracted $MFT file |
| -q | INUM | Inode number of the entry to extract data of |
| -a | DATA_STREAM | (Alternate) data stream. Default=0 |
| -e | OUTPUT_FILE | Name of the file that will contain the data |
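The following is an added example, not code from ntfs_parse, showing what extractdata has to do for one MFT entry: apply the update sequence fixup (and refuse a torn or tampered record), walk the attributes of the FILE record, pick the $DATA stream selected by name (the role of -a DATA_STREAM) and, when the attribute is non-resident, follow its data runs into the image. The sample FILE record and disk image are constructed inline with 512-byte clusters; the helpers build_sample and _data_attr are this example's own, not the project's.

```python
import struct

SECTOR = 512
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def apply_fixup(record, sector=SECTOR):
    """Undo the update sequence fixup. NTFS writes the update sequence number (USN)
    into the last two bytes of every sector and keeps the real bytes in the update
    sequence array (USA); a mismatch means a torn write or tampering, so refuse it."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * sector - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d: record is torn" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def iter_attributes(rec):
    """Yield (type, name, non_resident, raw attribute) from a fixed-up FILE record."""
    off, = struct.unpack_from("<H", rec, 0x14)          # offset of the first attribute
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 16 or off + alen > len(rec):
            break
        non_res, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        yield atype, name, non_res, rec[off:off + alen]
        off += alen

def decode_runs(buf):
    """Decode a data-run list into (lcn, clusters); lcn is None for a sparse run.
    Each stored offset is a signed delta from the previous run's LCN."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_size], "little")
        if off_size == 0:
            runs.append((None, length))
        else:
            start = pos + 1 + len_size
            lcn += int.from_bytes(buf[start:start + off_size], "little", signed=True)
            runs.append((lcn, length))
        pos += 1 + len_size + off_size
    return runs

def extract_data(image, record, cluster_size, stream=""):
    """Content of one $DATA stream ("" = the unnamed stream) of a FILE record."""
    rec = apply_fixup(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    for atype, name, non_res, attr in iter_attributes(rec):
        if atype != ATTR_DATA or name != stream:
            continue
        if not non_res:                                  # content lives inside the record
            size, content_off = struct.unpack_from("<IH", attr, 0x10)
            return attr[content_off:content_off + size]
        runs_off, = struct.unpack_from("<H", attr, 0x20)
        real_size, = struct.unpack_from("<Q", attr, 0x30)
        out = bytearray()
        for lcn, count in decode_runs(attr[runs_off:]):
            if lcn is None:                              # sparse run reads back as zeros
                out += bytes(count * cluster_size)
            else:
                out += image[lcn * cluster_size:(lcn + count) * cluster_size]
        return bytes(out[:real_size])                    # drop slack past the real size
    raise KeyError("no $DATA stream named %r" % stream)

def _data_attr(name, content=None, runs=None, real_size=0):
    """Constructed $DATA attribute: resident when `content` is given, else non-resident."""
    name_b = name.encode("utf-16-le")
    hdr, body = (0x18, content) if content is not None else (0x40, runs)
    body_off = (hdr + len(name_b) + 7) & ~7
    a = bytearray((body_off + len(body) + 7) & ~7)
    struct.pack_into("<IIBBH", a, 0, ATTR_DATA, len(a), content is None, len(name), hdr)
    if content is not None:
        struct.pack_into("<IH", a, 0x10, len(content), body_off)
    else:
        struct.pack_into("<H", a, 0x20, body_off)
        struct.pack_into("<Q", a, 0x30, real_size)
    a[hdr:hdr + len(name_b)] = name_b
    a[body_off:body_off + len(body)] = body
    return bytes(a)

def build_sample():
    """Constructed image (not a real disk): 512-byte clusters, the FILE record in
    clusters 0-1 and the non-resident stream 'secret' stored in clusters 4-5."""
    cluster, secret = 512, b"contents of the named stream\n"
    image = bytearray(8 * cluster)
    image[4 * cluster:4 * cluster + len(secret)] = secret
    attrs = _data_attr("", content=b"hello") + _data_attr(
        "secret", runs=bytes([0x11, 0x02, 0x04, 0x00]), real_size=len(secret))
    rec = bytearray(2 * SECTOR)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)        # USA at 0x30: USN plus one entry per sector
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)     # first attribute at 0x38, flags = in use
    rec[0x38:0x38 + len(attrs) + 4] = attrs + struct.pack("<I", ATTR_END)
    rec[0x30:0x32] = b"\x01\x00"                    # apply the fixup the way the driver does
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = rec[0x30:0x32]
    image[:len(rec)] = rec
    return bytes(image), cluster
```

On a real image the record for inum N sits at N times the record size inside the $MFT $DATA stream, so extracting the $LogFile (inum 2) means running this same walk on the $MFT entry first; the fixup check is what stops a half-written or edited record from being reported as a clean file.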

statistics

Show statistics about this NTFS

usage:

mftparse.py statistics [-h] [-o OFFSET_SECTORS | -O OFFSET_BYTES] [-s SECTOR_SIZE] [-i IMAGE | -f FILE]

| optional arguments | choice | description |
|---|---|---|
| -h, --help | None | show this help message and exit |
| -o | OFFSET_SECTORS | Offset into the image for the filesystem, in sectors |
| -O | OFFSET_BYTES | Offset into the image for the filesystem, in bytes |
| -s | SECTOR_SIZE | Sector size (default=512) |
| -i | IMAGE | Raw image file |
| -f | FILE | Extracted $MFT file |

logfileparse.py

usage:

./logfileparse.py [-h] [-f FILE_NAME] [-e EXPORT_FILE] [-t {parsed,csv,transaction,parsedlsns}] [-d DUMP_DIR] [-n NUM] [-q LSNS] [-p]

| optional arguments | choice | description |
|---|---|---|
| -h, --help | None | show this help message and exit |
| -f | FILE_NAME | Extracted $DATA attribute of the $LogFile MFT entry |
| -e | EXPORT_FILE | Name of destination file. If left out, stdout is used. Existing files will be overwritten. |
| -t | parsed, csv, transaction, parsedlsns | Type of export. Default=parsed |
| -d | DUMP_DIR | Directory for dumping incompletely parsed pages. Each file written there is a full binary RCRD page of 4096 bytes. Default='./errorpages' |
| -n | NUM | Number of pages to parse. If left out, all pages are parsed. |
| -q | LSNS | Select which LSNs to output (parsed). Comma separated. |
| -p | None | Put the program in performance measurement mode |

usnjrnlparse.py

usage:

usnjrnlparse.py [-h] [-f FILE] [-e OUTPUT] [-n NUMBER]

| optional arguments | choice | description |
|---|---|---|
| -h, --help | None | show this help message and exit |
| -f | FILE | File containing the UsnJrnl |
| -e | OUTPUT | Output file |
| -n | NUMBER | Number of records to parse. If left out, all will be parsed. |
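An added example, not code from the project, of what usnjrnlparse.py has to do with an extracted $UsnJrnl:$J stream: step over the zero-filled sparse region and page padding, parse USN_RECORD_V2 records (stopping after a record count like -n), decode the FILETIME and reason flags, and split each file reference into the MFT entry number (low 48 bits) and sequence number (high 16 bits). That split is what ties a journal record to an MFT entry, and it also separates two files that reused the same entry number. The journal bytes are constructed inline; build_sample_journal and _usn_record are helpers of this example only.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USN_REASONS = {                     # subset of the USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def split_file_reference(ref):
    """MFT entry number (low 48 bits) and sequence number (high 16 bits)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_usn_journal(data, limit=None):
    """Parse USN_RECORD_V2 records from the raw $J stream, oldest first."""
    records, off = [], 0
    while off + 4 <= len(data) and (limit is None or len(records) < limit):
        rec_len, = struct.unpack_from("<I", data, off)
        if rec_len == 0:                 # sparse region, or zero padding at a page end
            off += 8
            continue
        # records are padded to 8 bytes; anything else is corruption, not a record
        if rec_len < 0x3C or rec_len % 8 or off + rec_len > len(data):
            raise ValueError("corrupt record length %d at offset %d" % (rec_len, off))
        major, minor = struct.unpack_from("<HH", data, off + 4)
        if major != 2:
            raise ValueError("unsupported USN_RECORD version %d.%d" % (major, minor))
        (ref, parent_ref, usn, ts, reason, _source, _sec_id, _attrs,
         name_len, name_off) = struct.unpack_from("<QQQQIIIIHH", data, off + 8)
        entry, seq = split_file_reference(ref)
        parent_entry, parent_seq = split_file_reference(parent_ref)
        records.append({
            "usn": usn, "entry": entry, "seq": seq,
            "parent_entry": parent_entry, "parent_seq": parent_seq,
            "timestamp": filetime_to_datetime(ts),
            "reasons": [n for bit, n in sorted(USN_REASONS.items()) if reason & bit],
            "name": data[off + name_off:off + name_off + name_len].decode("utf-16-le"),
        })
        off += rec_len
    return records

def group_by_file(records):
    """Group records per (entry, seq). An MFT entry number is reused after the file
    is deleted; the sequence number keeps the two lives of the entry apart."""
    groups = {}
    for r in sorted(records, key=lambda r: r["usn"]):
        groups.setdefault((r["entry"], r["seq"]), []).append(r)
    return groups

def _usn_record(entry, seq, parent, usn, when, reason, name):
    """Constructed USN_RECORD_V2 for the sample journal (not real data)."""
    name_b = name.encode("utf-16-le")
    rec_len = (0x3C + len(name_b) + 7) & ~7
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    buf = bytearray(rec_len)
    struct.pack_into("<IHHQQQQIIIIHH", buf, 0, rec_len, 2, 0,
                     (seq << 48) | entry, (1 << 48) | parent, usn, ft,
                     reason, 0, 0, 0x20, len(name_b), 0x3C)
    buf[0x3C:0x3C + len(name_b)] = name_b
    return bytes(buf)

def build_sample_journal():
    """Constructed $J stream: a zero-filled prefix (standing in for the sparse
    region), the life of MFT entry 40 as notes.txt up to its deletion, and the
    reuse of entry 40 for a new file with a higher sequence number."""
    t = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
    events = [
        (40, 3, 5, 0x100, "notes.txt"),
        (40, 3, 5, 0x2 | 0x80000000, "notes.txt"),
        (40, 3, 5, 0x1000, "notes.txt"),
        (40, 3, 5, 0x2000 | 0x80000000, "notes-old.txt"),
        (40, 3, 5, 0x200 | 0x80000000, "notes-old.txt"),
        (40, 4, 5, 0x100, "report.docx"),
    ]
    out = bytearray(16)
    for i, (entry, seq, parent, reason, name) in enumerate(events):
        # the USN of a record is its byte offset within $J
        out += _usn_record(entry, seq, parent, len(out), t + timedelta(minutes=i), reason, name)
    return bytes(out)
```

Grouping on (entry, seq) rather than on the entry number alone is the point to take away: the MFT entry for the deleted notes.txt and the later report.docx are the same inum 40, and only the sequence number in the file reference keeps their histories from being merged.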

proof-of-concept.py

This program combines the separate parsers and generates a simple overview illustrating what can be achieved by combining the different outputs.

usage:

proof-of-concept.py [-h] [-o OFFSET_SECTORS | -O OFFSET_BYTES] [-s SECTOR_SIZE] -i IMAGE [-d DUMP_DIR] [-q INUM] [--deleted]

| optional arguments | choice | description |
|---|---|---|
| -h, --help | None | show this help message and exit |
| -o | OFFSET_SECTORS | Offset into the image for the filesystem, in sectors |
| -O | OFFSET_BYTES | Offset into the image for the filesystem, in bytes |
| -s | SECTOR_SIZE | Sector size (default=512) |
| -i | IMAGE | Raw image file |
| -d | DUMP_DIR | Directory for dumping incompletely parsed pages. Each file written there is a full binary RCRD page of 4096 bytes. Default='./errorpages' |
| -q | INUM | MFT entry number (inum) to show data of |
| --deleted | None | Only show deleted data for the MFT entry/entries |

Usage examples

To do a full run using the example disk:

./full_run.sh disk_image/disk.raw 128 output

To generate a human-readable parsed output of the MFT do:

./mftparse.py export -i disk_image/disk.raw -o 128 -t parsed -e output/mft.parsed

Extracting the $LogFile out of the MFT (the $LogFile is MFT entry 2):

./mftparse.py extractdata -i disk_image/disk.raw -o 128 -q 2 -e output/logfile.raw

Parse the raw LogFile data into a .csv file:

./logfileparse.py -f output/logfile.raw -t csv -e output/logfile.csv

For the output of the proof-of-concept program piped to less:

./proof-of-concept.py -o 128 -i disk_image/disk.raw | less

For a specific inum do:

./proof-of-concept.py -o 128 -i disk_image/disk.raw -q 40 | less

For a specific inum, only showing historic (deleted) information:

./proof-of-concept.py -o 128 -i disk_image/disk.raw -q 40 --deleted | less

Project structure

Short explanation of the directories in the repo.

Create diagram of code

To automatically create a class diagram from the Python 3 code, do the following:

  1. apt-get install pylint3
  2. pyreverse3 ntfs_parse/
  3. dot -Tsvg classes_No_Name.dot -o classes.svg

Or, for Debian Jessie (8.2):

  1. apt-get install python3-pip
  2. pip3 install pylint
  3. pyreverse ntfs_parse/
  4. dot -Tsvg classes_No_Name.dot -o classes.svg

The SVG can be opened in Firefox.