An efficient tool for extracting files, directories, and alternate data streams directly from NTFS image files.
ntfsdump allows digital forensic investigators and incident responders to seamlessly extract records from disk images without needing to mount them. By leveraging powerful backend libraries like pytsk3 and libyal, it supports reading from standard disk image formats (RAW, E01, VHD(x), VMDK) and reliably dumps NTFS structures.
- Direct Extraction: Avoid mounting overhead by extracting files directly from NTFS partitions.
- Support for Multiple Formats: Read from `.raw`, `.e01`, `.vhd`, `.vhdx`, and `.vmdk`.
- Recursive Directory Dumping: Extract entire folders seamlessly.
- Alternate Data Streams (ADS): Supports extracting hidden alternate data streams.
- Intelligent Path Reconstruction: When outputting single files embedded deep in directories with an absolute path (e.g. `\Windows\System32...`), ntfsdump reconstructs the directory structure in the output destination folder to keep artifacts perfectly organized.
- Glob & Wildcard Queries: Basic support for extracting matched artifacts (e.g. `.*`).
- Use as a CLI or Python Module: Highly flexible to integrate into other automated tools.
- Python: Compatible with Python 3.13+.
- Precompiled Binaries: Available for both Windows and Linux in the GitHub releases section.
```bash
# From PyPI
pip install ntfsdump
```

```bash
# From GitHub Releases (Precompiled Binaries)
chmod +x ./ntfsdump
./ntfsdump --help
```

The image file must meet the following conditions:
- Formats: `raw`, `e01`, `vhd`, `vhdx`, `vmdk`.
- File System: NTFS.
- Partition Table: GPT (MBR will usually be auto-detected, but GPT is officially supported).
You can pass arguments directly into the CLI. Output paths can be either file paths or directory paths.
```bash
ntfsdump [OPTIONS] <IMAGE> [PATHS...]
```

Options:

- `--help`, `-h`: Show help message.
- `--version`, `-V`: Display program version.
- `--quiet`, `-q`: Suppress stdout output.
- `--no-log`: Prevent log file creation.
- `--flat`: Extract all artifacts purely into a single folder without reconstructing directories.
- `--volume`, `-n`: Target a specific NTFS volume number (default: auto-detects the main OS volume).
- `--format`, `-f`: Image file format (default: `raw`). Options: `raw`, `e01`, `vhd`, `vhdx`, `vmdk`.
- `--output`, `-o`: Directory or file to save exported outputs.
Dump a single file:

```bash
ntfsdump -o ./dump ./path/to/your/image.raw /$MFT
```

Dump an entire directory recursively:

```bash
ntfsdump -o ./dump ./path/to/your/image.raw /Windows/System32/winevt/Logs
```

Extract from split E01 images (provide the starting segment, `.E01`):

```bash
ntfsdump --format=e01 -o ./dump ./path/to/your/image.E01 /Windows/System32/winevt/Logs
```

Use with ntfsfind over standard input (pipe):

```bash
ntfsfind '.*\.evtx' ./image.raw | ntfsdump -o ./dump ./image.raw
```

Note: Any absolute path (starting with `/` or `\`) passed over stdin via tools like ntfsfind is automatically cleaned, and the folder hierarchy is rebuilt faithfully inside your local output directory (e.g. `./dump/Windows/System32/winevt/Logs/System.evtx`).
You can incorporate ntfsdump logic into your own scripts.

```python
from ntfsdump import ntfsdump

ntfsdump(
    image='./path/to/your/image.raw',
    paths=['/Windows/System32/winevt/Logs'],
    output='./dump',
    volume=2,
    format='raw'
)
```

ntfsdump uses UNIX-like path separators (`/`) for queries. Paths are case-sensitive relative to the target volume structure.
- File: `/$MFT` -> extracts `$MFT`.
- ADS: `/$Extend/$UsnJrnl:$J` -> extracts the `$J` ADS file from `$UsnJrnl`.
- Directory: `/Windows/System32/winevt/Logs` -> extracts all event logs recursively.
- Prefix Expansion: `/Windows/Prefetch/.*` -> extracts all files located in the `Prefetch` dir.
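The query and output rules described above (cleaning a `/` or `\` absolute path, rebuilding the volume's folder hierarchy under the output directory unless `--flat` is given, and addressing an ADS with `:`) can be modelled in a few lines. This is an added example, not ntfsdump's own code: the `_<stream>` suffix for ADS output names is an assumption, and dropping `..` components is an added guard so that a piped-in query can never write outside the output directory.

```python
from pathlib import Path, PurePosixPath
from typing import Optional, Tuple


def normalize_query(query: str) -> str:
    """Clean a path as typed on the CLI or piped in from ntfsfind: accept
    either separator, collapse duplicates, and return an absolute
    UNIX-style query (the form ntfsdump expects)."""
    q = query.strip().replace("\\", "/")
    while "//" in q:
        q = q.replace("//", "/")
    return "/" + q.strip("/")


def split_ads(query: str) -> Tuple[str, Optional[str]]:
    """Separate an ADS name on the final component:
    /$Extend/$UsnJrnl:$J -> ('/$Extend/$UsnJrnl', '$J')."""
    parent, _, last = query.rpartition("/")
    if ":" in last:
        name, _, stream = last.partition(":")
        return f"{parent}/{name}", stream
    return query, None


def plan_output(query: str, output_dir: str, flat: bool = False) -> Path:
    """Compute where one dumped record lands on disk.

    flat=False rebuilds the volume hierarchy under output_dir (the default
    behaviour); flat=True keeps only the file name (the --flat option).
    '.' and '..' components are discarded so the result always stays
    inside output_dir, even for a hostile query such as /../../etc/passwd.
    """
    path, stream = split_ads(normalize_query(query))
    parts = [p for p in PurePosixPath(path).parts if p not in ("/", ".", "..")]
    if not parts:
        raise ValueError(f"query names no file: {query!r}")
    name = parts[-1]
    if stream:
        # Assumed output naming for an ADS; ntfsdump's real scheme may differ.
        name = f"{name}_{stream}"
    base = Path(output_dir)
    return base / name if flat else base.joinpath(*parts[:-1], name)


if __name__ == "__main__":
    # Constructed sample queries, as a reader might pipe them from ntfsfind.
    for q in ("/Windows/System32/winevt/Logs/System.evtx", "/$Extend/$UsnJrnl:$J"):
        print(q, "->", plan_output(q, "./dump").as_posix())
```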
By default, an execution log (e.g. `ntfsdump_20240101_153205_1234.log`) is generated in the current directory to record which files were successfully dumped and which failed.
To disable logging entirely, append the `--no-log` flag.
We welcome reports, issues, and feature requests. Please do so on the GitHub repository. 🍣 🍣 🍣
Released under the LGPLv3+ License.
Powered by: