msuhanov / dfir_ntfs
An NTFS/FAT parser for digital forensics & incident response
License: GNU General Public License v3.0
This small MFT, when it gets parsed using the script ntfs_parser, produces a CSV with some records without a path name.
Records are: 3377699720527884 - 3659174697238541 - 3940649673949198 - 4222124650659855
I'm not sure if it is an anomaly, but I am sharing it anyway for testing purposes.
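A way to read the four numbers quoted in this report, added here as an example and not part of dfir_ntfs: it assumes the values are 64-bit NTFS file references (low 48 bits = MFT record number, high 16 bits = sequence number) and checks whether the record falls in the range NTFS reserves for its own metadata entries.

```python
# Decode NTFS 64-bit file references and classify the MFT record they point to.
# Example code written for this report, not code from the dfir_ntfs project.
# Assumption: the reported values are file references in the standard NTFS
# layout, i.e. bits 0-47 hold the MFT record (entry) number and bits 48-63 hold
# the sequence number of that record.

# Constructed input: the four values quoted in the report above.
REPORTED_RECORDS = [
    3377699720527884,
    3659174697238541,
    3940649673949198,
    4222124650659855,
]

# NTFS reserves MFT entries 0-15 for metadata files. Entries 0-11 have
# well-known names; entries 12-15 are reserved and typically carry no
# $FILE_NAME attribute, so a parser has nothing from which to build a path.
RESERVED_NAMES = {
    0: '$MFT', 1: '$MFTMirr', 2: '$LogFile', 3: '$Volume', 4: '$AttrDef',
    5: '.', 6: '$Bitmap', 7: '$Boot', 8: '$BadClus', 9: '$Secure',
    10: '$UpCase', 11: '$Extend',
}
FIRST_USER_RECORD = 16


def decode_file_reference(ref):
    """Split a 64-bit file reference into (record number, sequence number)."""
    if not 0 <= ref < (1 << 64):
        raise ValueError('file reference must fit in 64 bits')
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def classify(ref):
    """Describe the MFT record a file reference points to."""
    record, sequence = decode_file_reference(ref)
    if record in RESERVED_NAMES:
        kind = 'system file ' + RESERVED_NAMES[record]
    elif record < FIRST_USER_RECORD:
        kind = 'reserved entry, no $FILE_NAME expected'
    else:
        kind = 'regular entry'
    return {'reference': ref, 'record': record, 'sequence': sequence, 'kind': kind}


if __name__ == '__main__':
    for ref in REPORTED_RECORDS:
        info = classify(ref)
        print('{reference}: record {record}, sequence {sequence}, {kind}'.format(**info))
```

Run on the four quoted values, the decoder maps them to records 12 to 15, which is consistent with the CSV rows having no path name.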
Hi,
I followed the instructions with pip, but I get an error:
# pip install https://github.com/msuhanov/dfir_ntfs/archive/1.1.0.tar.gz
Collecting https://github.com/msuhanov/dfir_ntfs/archive/1.1.0.tar.gz
Using cached https://github.com/msuhanov/dfir_ntfs/archive/1.1.0.tar.gz
ERROR: Exception:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/pip/_internal/cli/base_command.py", line 223, in _main
status = self.run(options, args)
File "/usr/lib/python3.9/site-packages/pip/_internal/cli/req_command.py", line 180, in wrapper
return func(self, options, args)
File "/usr/lib/python3.9/site-packages/pip/_internal/commands/install.py", line 320, in run
requirement_set = resolver.resolve(
File "/usr/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 121, in resolve
self._result = resolver.resolve(
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 454, in resolve
state = resolution.resolve(requirements, max_rounds=max_rounds)
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 319, in resolve
name, crit = self._merge_into_criterion(r, parent=None)
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 176, in _merge_into_criterion
crit = Criterion.from_requirement(self._p, requirement, parent)
File "/usr/lib/python3.9/site-packages/resolvelib/resolvers.py", line 80, in from_requirement
cands = build_iter_view(matches)
File "/usr/lib/python3.9/site-packages/resolvelib/structs.py", line 148, in build_iter_view
matches = list(matches)
File "/usr/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 285, in <genexpr>
if constraint.is_satisfied_by(c)
File "/usr/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/base.py", line 66, in is_satisfied_by
return self.specifier.contains(candidate.version, prereleases=True)
File "/usr/lib/python3.9/site-packages/packaging/specifiers.py", line 790, in contains
item = parse(item)
File "/usr/lib/python3.9/site-packages/packaging/version.py", line 57, in parse
return Version(version)
File "/usr/lib/python3.9/site-packages/packaging/version.py", line 296, in __init__
match = self._regex.search(version)
TypeError: expected string or bytes-like object
On the other hand, the installation with python setup.py install works perfectly:
# python setup.py install
running install
/usr/lib/python3.9/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
/usr/lib/python3.9/site-packages/setuptools/command/easy_install.py:156: EasyInstallDeprecationWarning: easy_install command is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
running bdist_egg
running egg_info
writing dfir_ntfs.egg-info/PKG-INFO
writing dependency_links to dfir_ntfs.egg-info/dependency_links.txt
writing requirements to dfir_ntfs.egg-info/requires.txt
writing top-level names to dfir_ntfs.egg-info/top_level.txt
reading manifest file 'dfir_ntfs.egg-info/SOURCES.txt'
writing manifest file 'dfir_ntfs.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/dfir_ntfs
creating build/bdist.linux-x86_64/egg/dfir_ntfs/addons
copying build/lib/dfir_ntfs/addons/FAT.py -> build/bdist.linux-x86_64/egg/dfir_ntfs/addons
copying build/lib/dfir_ntfs/addons/__init__.py -> build/bdist.linux-x86_64/egg/dfir_ntfs/addons
copying build/lib/dfir_ntfs/Attributes.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/BootSector.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/LogFile.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/MFT.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/MoveTable.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/PartitionTable.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/ShadowCopy.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/USN.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/WSL.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
copying build/lib/dfir_ntfs/__init__.py -> build/bdist.linux-x86_64/egg/dfir_ntfs
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/addons/FAT.py to FAT.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/addons/__init__.py to __init__.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/Attributes.py to Attributes.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/BootSector.py to BootSector.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/LogFile.py to LogFile.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/MFT.py to MFT.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/MoveTable.py to MoveTable.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/PartitionTable.py to PartitionTable.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/ShadowCopy.py to ShadowCopy.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/USN.py to USN.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/WSL.py to WSL.cpython-39.pyc
byte-compiling build/bdist.linux-x86_64/egg/dfir_ntfs/__init__.py to __init__.cpython-39.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
installing scripts to build/bdist.linux-x86_64/egg/EGG-INFO/scripts
running install_scripts
running build_scripts
creating build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.9/fat_parser -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.9/vsc_mount -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
copying build/scripts-3.9/ntfs_parser -> build/bdist.linux-x86_64/egg/EGG-INFO/scripts
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/fat_parser to 755
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/vsc_mount to 755
changing mode of build/bdist.linux-x86_64/egg/EGG-INFO/scripts/ntfs_parser to 755
copying dfir_ntfs.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying dfir_ntfs.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist/dfir_ntfs-1.1.0-py3.9.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing dfir_ntfs-1.1.0-py3.9.egg
Removing /usr/lib/python3.9/site-packages/dfir_ntfs-1.1.0-py3.9.egg
Copying dfir_ntfs-1.1.0-py3.9.egg to /usr/lib/python3.9/site-packages
dfir-ntfs 1.1.0 is already the active version in easy-install.pth
Installing fat_parser script to /usr/bin
Installing ntfs_parser script to /usr/bin
Installing vsc_mount script to /usr/bin
Installed /usr/lib/python3.9/site-packages/dfir_ntfs-1.1.0-py3.9.egg
Processing dependencies for dfir-ntfs==1.1.0
Finished processing dependencies for dfir-ntfs==1.1.0
regards, lacsaP.
Just a small question: does performing ntfs_parser --all-mft <input file (raw image)> <volume offset (in bytes)> <output file (CSV)>
produce a single CSV file of a merged $MFT from the main volume and the different VSS?
Project states it is GPL but license notices are missing from source files
See https://www.gnu.org/licenses/gpl-howto.en.html on how to use the GPL
E.g. the start of https://github.com/msuhanov/dfir_ntfs/blob/master/ntfs_parser should contain:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
vsc_mount requires llfuse, which is not stated in setup.py
Suggest adding: install_requires=['llfuse', ]