Find index entries in $INDEX_ALLOCATION attributes

Related tags

Testingincident-responseforensicsdfirntfsdigital-forensicsdigital-forensics-incident-response
Overview

INDXRipper

Find index entries in $INDEX_ALLOCATION attributes

screenshot

Timeline created using mactime.pl on the combined output of INDXRipper and fls.
See: sleuthkit

Motivation

$INDEX_ALLOCATION attributes are used by NTFS directories to store index entries for the files in the directory.

A file's index entry contains the following information:

  • File name
  • File size
  • Allocated size of file (size on disk)
  • A set of MACB timestamps

The slack space of these attributes may contain index entries of deleted files, even after thier MFT record was recycled. Finding these index entries may help you prove a file existed on a system.

How it works

INDXRipper scans the MFT for records of directories that have an $INDEX_ALLOCATION attribute. If it finds such a record, it searches the attribute for file references to this record. Since the index entries in the attribute represent children of the directory, the $FILE_NAME attributes in them must contain this file reference.

This way, It is able to find entries most other tools aren't.
Finding the full paths of directories is done by using the parent directory reference in $FILE_NAME attributes inside the MFT records.

Features and Details

These are pretty standard but here's a list anyways

  • Applies fixups for index records and mft records.
  • Supports $INDEX_ALLOCATION and $FILE_NAME attributes in extension records
  • Supports unicode filenames
  • Index entries from orphan directories are listed under "/$Orphan"
  • Provides bodyfile output for supertimeline creation
  • Works on live windows systems using the "\\.\" notation
  • All times outputted are UTC times

Installation

Python 3.8 or above is required.
Use the package manager pip to install construct.

pip install construct==2.10.56

Alternatively, you can use the Windows standalone executable.

Usage

# process dead disk image, get all index entries
python INDXRipper.py ntfs.part.001 output.csv

# process live system, slack space only, bodyfile output, append "C:" to all the paths
python INDXRipper.py -m C: --slack-only --bodyfile \\.\C: output.bodyfile

Limitations

Entries that are partially overitten may not be found. If they are found, though, the tool may give you false information

What this tool doesn't do

  • This tool doesn't process $INDEX_ROOT attributes. You won't see an output for every file on the volume
  • This tool doesn't carve $INDEX_ALLOCATION attributes. It won't find attributes that thier MFT entry was recycled.

License

MIT

You might also like...
Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes

Bleach Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes. Bleach can also linkify text safely, appl

Mozilla 2.5k Dec 29, 2022
Tweak the form field rendering in templates, not in python-level form definitions. CSS classes and HTML attributes can be altered.

django-widget-tweaks Tweak the form field rendering in templates, not in python-level form definitions. Altering CSS classes and HTML attributes is su

Jazzband 1.8k Jan 2, 2023
Allow foreign key attributes in list_display with '__'

django-related-admin Allow foreign key attributes in Django admin change list list_display with '__' This is based on DjangoSnippet 2996 which was mad

Petr Dlouhý 62 Nov 18, 2022
Tweak the form field rendering in templates, not in python-level form definitions. CSS classes and HTML attributes can be altered.

django-widget-tweaks Tweak the form field rendering in templates, not in python-level form definitions. Altering CSS classes and HTML attributes is su

Jazzband 1.8k Jan 6, 2023
Fader Networks: Manipulating Images by Sliding Attributes - NIPS 2017
Fader Networks: Manipulating Images by Sliding Attributes - NIPS 2017

FaderNetworks PyTorch implementation of Fader Networks (NIPS 2017). Fader Networks can generate different realistic versions of images by modifying at

Facebook Research 753 Dec 23, 2022
Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes

Bleach Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes. Bleach can also linkify text safely, appl

Mozilla 2.5k Dec 29, 2022
This is an example of how to automate Ridit Analysis for a dataset with large amount of questions and many item attributes

This is an example of how to automate Ridit Analysis for a dataset with large amount of questions and many item attributes

Ishan Hegde 1 Nov 17, 2021
dta Convert Dict To Attributes!

dta (Dict to Attributes) dta is very small dict (or json) to attributes converter. It is only have 1 files and applied to every python versions.

Rukchad Wongprayoon 0 Dec 31, 2021
SAN for Product Attributes Prediction
SAN for Product Attributes Prediction

SAN Heterogeneous Star Graph Attention Network for Product Attributes Prediction This repository contains the official PyTorch implementation for ADVI

Xuejiao Zhao 9 Dec 12, 2022
It is a Blender Tool which can convert the Object Data Attributes in face corner to the UVs or Vertex Color.

Blender_ObjectDataAttributesConvertTool It is a Blender Tool which can convert the Object Data Attributes in face corner to the UVs or Vertex Color. D

Takeshi Chō 2 Jan 8, 2022
Two predictive attributes (Speed and Angle) and one attribute target (Power)

Two predictive attributes (Speed and Angle) and one attribute target (Power). A container crane has the function of transporting containers from one point to another point. The difficulty of this task lies in the fact that the container is connected to the bridge crane by cables causing an opening angle while the container is being transported, interfering with the operation at high speeds due to oscillation that occurs at the end point, which could cause accidents.

Astitva Veer Garg 1 Jan 11, 2022
Pcos-prediction - Predicts the likelihood of Polycystic Ovary Syndrome based on patient attributes and symptoms
Pcos-prediction - Predicts the likelihood of Polycystic Ovary Syndrome based on patient attributes and symptoms

PCOS Prediction 🥼 Predicts the likelihood of Polycystic Ovary Syndrome based on

Samantha Van Seters 1 Jan 10, 2022
A very simple tool to rewrite parameters such as attributes and constants for OPs in ONNX models. Simple Attribute and Constant Modifier for ONNX.
A very simple tool to rewrite parameters such as attributes and constants for OPs in ONNX models. Simple Attribute and Constant Modifier for ONNX.

sam4onnx A very simple tool to rewrite parameters such as attributes and constants for OPs in ONNX models. Simple Attribute and Constant Modifier for

Katsuya Hyodo 6 May 15, 2022
Foreign exchange rates, Bitcoin price index and currency conversion using ratesapi.io

forex-python Forex Python is a Free Foreign exchange rates and currency conversion. Note: Install latest forex-python==1.1 to avoid RatesNotAvailableE

MicroPyramid 540 Jan 5, 2023
The Python Package Index
The Python Package Index

Warehouse Warehouse is the software that powers PyPI. See our development roadmap, documentation, and architectural overview. Getting Started You can

Python Packaging Authority 3.1k Jan 1, 2023
Get Air Quality Index for your city/country 😷
Get Air Quality Index for your city/country 😷

Air Quality Index CLI Get Air Quality index for your City. Installation $ pip install air-quality-cli Contents Air Quality Index CLI Installation Cont

Yankee 40 Oct 21, 2022
A Python media index

pyvideo https://pyvideo.org is simply an index of Python-related media records. The raw data being used here comes out of the pyvideo/data repo. Befor

pyvideo 235 Dec 24, 2022
Scan, index, and archive all of your paper documents
Scan, index, and archive all of your paper documents

[ en | de | el ] Important news about the future of this project It's been more than 5 years since I started this project on a whim as an effort to tr

Paperless 7.8k Jan 6, 2023
A Python media index

pyvideo https://pyvideo.org is simply an index of Python-related media records. The raw data being used here comes out of the pyvideo/data repo. Befor

pyvideo 235 Dec 24, 2022
Comments
  • Issue running on SIFT: ModuleNotFoundError: No module named 'construct'

    Issue running on SIFT: ModuleNotFoundError: No module named 'construct'

    When running INDXParser.py against both a single E01 and a series of split E01 files, I am presented with the following error:

    INDXRipper: error: invalid volume boot record

    All of the following command produce the same error Single E01:

    python3.9 ../tools/INDXRipper/INDXRipper.py /mnt/hgfs/testing/Disk1.E01 outfile

    Split E01, with offset (2048)

    python3.9 ../tools/INDXRipper/INDXRipper.py -o 2048 /mnt/hgfs/testing/Disk2-Collection/Disk2.E01 outfile

    Split E01, with calculated offset (2048x512)

    python3.9 ../tools/INDXRipper/INDXRipper.py -o 1048576 /mnt/hgfs/testing/Disk2-Collection/Disk2.E01 outfile
    help wanted 
    opened by ezaspy 8
  • construct.core.StreamError: Error in path (parsing)

    construct.core.StreamError: Error in path (parsing)

    I have followed the updated instructions for setting up a venv and have ran into the following error:

    $ sudo venv/bin/python tools/INDXRipper/INDXRipper.py -w csv -o 576716800 /mnt/i30_disk1.E01/ewf1 outfile
Traceback (most recent call last):
  File "/opt/elrond/elrond/tools/INDXRipper/INDXRipper.py", line 309, in <module>
    main()
  File "/opt/elrond/elrond/tools/INDXRipper/INDXRipper.py", line 300, in main
    vbr = get_boot_sector(raw_image, args.o * args.b)
  File "/opt/elrond/elrond/tools/INDXRipper/ntfs.py", line 160, in get_boot_sector
    return BOOT_SECTOR.parse_stream(raw_image)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 300, in parse_stream
    return self._parsereport(stream, context, "(parsing)")
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 312, in _parsereport
    obj = self._parse(stream, context, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 2120, in _parse
    subobj = sc._parsereport(stream, context, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 312, in _parsereport
    obj = self._parse(stream, context, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 4101, in _parse
    stream_read(stream, pad, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 91, in stream_read
    raise StreamError("stream read less than specified amount, expected %d, found %d" % (length, len(data)), path=path)
construct.core.StreamError: Error in path (parsing)
stream read less than specified amount, expected 3, found 0

    I have two offsets for the disk:

    • 2048 (x512) = 1048576
    • 1126400 (x512) = 576716800

    And I can't not run it as sudo, as the mount point permissions for /mnt/i30_disk1/ewf1 cannot be altered:

    chmod: changing permissions of '/mnt/i30_disk1.E01': Function not implemented
chmod: changing permissions of '/mnt/i30_disk1.E01/ewf1': Function not implemented
    opened by ezaspy 2
Releases(v5.2.7)
Owner
Forensic Analyst
GitHub Repository
A small automated test structure using python to test *.cpp codes

Get Started Insert C++ Codes Add Test Code Run Test Samples Check Coverages Insert C++ Codes you can easily add c++ files in /inputs directory there i

Alireza Zahiri 2 Aug 03, 2022
Just for testing video streaming using pytgcalls.

tgvc-video-tests Just for testing video streaming using pytgcalls. Note: The features used in this repository is highly experimental and you might not

wrench 34 Dec 27, 2022
Automated Security Testing For REST API's

Astra REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers

Flipkart Incubator 2.1k Dec 31, 2022
Headless chrome/chromium automation library (unofficial port of puppeteer)

Pyppeteer Pyppeteer has moved to pyppeteer/pyppeteer Unofficial Python port of puppeteer JavaScript (headless) chrome/chromium browser automation libr

miyakogi 3.5k Dec 30, 2022
pytest plugin that let you automate actions and assertions with test metrics reporting executing plain YAML files

pytest-play pytest-play is a codeless, generic, pluggable and extensible automation tool, not necessarily test automation only, based on the fantastic

pytest-dev 67 Dec 01, 2022
User-interest mock backend server implemnted using flask restful, and SQLAlchemy ORM confiugred with sqlite

Flask_Restful_SQLAlchemy_server User-interest mock backend server implemnted using flask restful, and SQLAlchemy ORM confiugred with sqlite. Backend b

Austin Weigel 1 Nov 17, 2022
Python Projects - Few Python projects with Testing using Pytest

Python_Projects Few Python projects : Fast_API_Docker_PyTest- Just a simple auto

Tal Mogendorff 1 Jan 22, 2022
模仿 USTC CAS 的程序,用于开发校内网站应用的本地调试。

ustc-cas-mock 模仿 USTC CAS 的程序,用于开发校内网站应用阶段调试。 请勿在生产环境部署! 只测试了最常用的三个 CAS route: /login /serviceValidate(验证 CAS ticket) /logout 没有测试过 proxy ticket。(因为我

taoky 4 Jan 27, 2022
A library for generating fake data and populating database tables.

Knockoff Factory A library for generating mock data and creating database fixtures that can be used for unit testing. Table of content Installation Ch

Nike Inc. 30 Sep 23, 2022
PyBuster A directory busting tool for web application penetration tester, written in python

PyBuster A directory busting tool for web application penetration tester, written in python. Supports custom wordlist,recursive search. Screenshots Pr

Anukul Pandey 4 Jan 30, 2022
Show, Edit and Tell: A Framework for Editing Image Captions, CVPR 2020

Show, Edit and Tell: A Framework for Editing Image Captions | arXiv This contains the source code for Show, Edit and Tell: A Framework for Editing Ima

Fawaz Sammani 76 Nov 25, 2022
Load Testing ML Microservices for Robustness and Scalability

The demo is aimed at getting started with load testing a microservice before taking it to production. We use FastAPI microservice (to predict weather) and Locust to load test the service (locally or

Emmanuel Raj 13 Jul 05, 2022
Python script to automatically download from Zippyshare

Zippyshare downloader and Links Extractor Python script to automatically download from Zippyshare using Selenium package and Internet Download Manager

Daksh Khurana 2 Oct 31, 2022
자동 건강상태 자가진단 메크로 서버전용

Auto-Self-Diagnosis-for-server 자동 자가진단 메크로 서버전용 이 프로그램은 SaidBySolo님의 auto-self-diagnosis를 참고하여 제작하였습니다. 개인 사용 목적으로 제작하였기 때문에 추후 업데이트는 진행하지 않습니다. 의존성 G

JJooni 3 Dec 04, 2021
Data App Performance Tests

Data App Performance Tests My hypothesis is that The different architectures of

Marc Skov Madsen 6 Dec 14, 2022
Web testing library for Robot Framework

SeleniumLibrary Contents Introduction Keyword Documentation Installation Browser drivers Usage Extending SeleniumLibrary Community Versions History In

Robot Framework 1.2k Jan 03, 2023
MongoDB panel for the Flask Debug Toolbar

Flask Debug Toolbar MongoDB Panel Info: An extension panel for Rob Hudson's Django Debug Toolbar that adds MongoDB debugging information Author: Harry

Cenk Altı 4 Dec 11, 2019
A Simple Unit Test Matcher Library for Python 3

pychoir - Python Test Matchers for humans Super duper low cognitive overhead matching for Python developers reading or writing tests. Implemented in p

Antti Kajander 15 Sep 14, 2022
Automação de Processos (obtenção de informações com o Selenium), atualização de Planilha e Envio de E-mail.

Automação de Processo: Código para acompanhar o valor de algumas ações na B3. O código entra no Google Drive, puxa os valores das ações (pré estabelec

Hemili Beatriz 1 Jan 08, 2022
A library to make concurrent selenium tests that automatically download and setup webdrivers

AutoParaSelenium A library to make parallel selenium tests that automatically download and setup webdrivers Usage Installation pip install autoparasel

Ronak Badhe 8 Mar 13, 2022