harelsegev / indxripper Goto Github PK
View Code? Open in Web Editor NEWCarve file metadata from NTFS index ($I30) attributes
License: MIT License
indxripper's People
Contributors
Stargazers
Watchers
indxripper's Issues
Fix-up values are applied incorrectly for 4K sector hard drives
See this section from the libfsntfs documentation.
Add support for older NTFS versions
$INDEX_ALLOCATION attribute chains are not handled correctly
Extension records of $MFT are not handled
If MFT records in range 12 - 15 or 16 - 23 are used to expand the MFT, use all the extra $DATA attributes to find all of the MFT data.
No output if cluster size is 512 bytes
Happens if the MFT entry size is bigger than the cluster size
Issue running on SIFT: ModuleNotFoundError: No module named 'construct'
When running INDXParser.py against both a single E01 and a series of split E01 files, I am presented with the following error:
INDXRipper: error: invalid volume boot record
All of the following command produce the same error
Single E01:
python3.9 ../tools/INDXRipper/INDXRipper.py /mnt/hgfs/testing/Disk1.E01 outfile
Split E01, with offset (2048)
python3.9 ../tools/INDXRipper/INDXRipper.py -o 2048 /mnt/hgfs/testing/Disk2-Collection/Disk2.E01 outfile
Split E01, with calculated offset (2048x512)
python3.9 ../tools/INDXRipper/INDXRipper.py -o 1048576 /mnt/hgfs/testing/Disk2-Collection/Disk2.E01 outfile
$INDEX_ALLOCATION attributes in extension records are not handled if there is no base record
construct.core.StreamError: Error in path (parsing)
I have followed the updated instructions for setting up a venv and have ran into the following error:
$ sudo venv/bin/python tools/INDXRipper/INDXRipper.py -w csv -o 576716800 /mnt/i30_disk1.E01/ewf1 outfile
Traceback (most recent call last):
File "/opt/elrond/elrond/tools/INDXRipper/INDXRipper.py", line 309, in <module>
main()
File "/opt/elrond/elrond/tools/INDXRipper/INDXRipper.py", line 300, in main
vbr = get_boot_sector(raw_image, args.o * args.b)
File "/opt/elrond/elrond/tools/INDXRipper/ntfs.py", line 160, in get_boot_sector
return BOOT_SECTOR.parse_stream(raw_image)
File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 300, in parse_stream
return self._parsereport(stream, context, "(parsing)")
File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 312, in _parsereport
obj = self._parse(stream, context, path)
File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 2120, in _parse
subobj = sc._parsereport(stream, context, path)
File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 312, in _parsereport
obj = self._parse(stream, context, path)
File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 4101, in _parse
stream_read(stream, pad, path)
File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 91, in stream_read
raise StreamError("stream read less than specified amount, expected %d, found %d" % (length, len(data)), path=path)
construct.core.StreamError: Error in path (parsing)
stream read less than specified amount, expected 3, found 0
I have two offsets for the disk:
- 2048 (x512) = 1048576
- 1126400 (x512) = 576716800
And I can't not run it as sudo, as the mount point permissions for /mnt/i30_disk1/ewf1 cannot be altered:
chmod: changing permissions of '/mnt/i30_disk1.E01': Function not implemented
chmod: changing permissions of '/mnt/i30_disk1.E01/ewf1': Function not implemented
Running on VMDK / E01 images
Other than RAW images, what kind of images (E01/VMDK) are supported? Thanks!
Crashes if there is no $FILE_NAME attribute for a folder in any of its records
This can happen if the $FILE_NAME attribute is in an extension record, the file gets deleted and the extension record is overwritten
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.