Overview
If you work in digital forensics, incident response, or malware analysis, you probably deal with disk images all the time.
And sooner or later, you’ll want to find specific files inside an image and extract them for analysis.
Sure, you can mount images with tools like FTK Imager or Arsenal Image Mounter and browse the filesystem manually.
But doing that for tens or hundreds of images? And repeating the same clicks over and over?
That’s exactly the kind of workflow that should be automated — so I built these tools.
https://github.com/sumeshi/ntfsdump
https://github.com/sumeshi/ntfsfind
These tools let you search and extract files, directories, and alternate data streams (ADS) directly from disk image files — without mounting them.
For example, you can search like this:
> ntfsfind.exe IMAGEFILE.raw ".*\.evtx"
/Windows/System32/winevt/Logs/Setup.evtx
/Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
/Logs/Windows PowerShell.evtx
/Logs/Microsoft-Windows-Winlogon%4Operational.evtx
/Logs/Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
...
And then pipe the results directly into another command to extract them:
> ntfsfind.exe IMAGEFILE.raw ".*\.evtx" | ntfsdump.exe IMAGEFILE.raw
For more details, check out the README on GitHub.
Stars are always welcome ⭐
Usage
Precompiled binaries are available on GitHub Releases:
https://github.com/sumeshi/ntfsfind/releases
https://github.com/sumeshi/ntfsdump/releases
The following command searches for .evtx files inside a dd (raw) image file called ntfs.raw.
The second argument is a regex query. Note that file paths must use / as the separator — this is consistent across both Linux and Windows builds.
> ntfsfind.exe .\ntfs.raw ".*\.evtx"
To extract a specific file from the root of the image:
> ntfsdump.exe .\ntfs.raw "/hoge.txt"
You can also pipe search results into ntfsdump to extract many files in one go:
> ntfsfind.exe IMAGEFILE.raw ".*\.evtx" | ntfsdump.exe IMAGEFILE.raw
Since ntfsdump simply reads paths from standard input, you’re free to redirect, filter, or preprocess the list however you like.
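The batch driver below is an added example, not code from either project: it wires the search-filter-extract pipeline from this section into a loop over many images, with the path list filtered in between. It assumes ntfsfind and ntfsdump are on PATH (override with NTFSFIND / NTFSDUMP, e.g. NTFSFIND=./ntfsfind.exe) and that ntfsdump reads one path per line on stdin, as shown above; the live event log prefix is just the default filter, any prefix can be passed instead.

```shell
#!/bin/sh
# Batch driver around ntfsfind / ntfsdump (added example, not project code).
# Assumes both binaries are on PATH, or named via NTFSFIND / NTFSDUMP, and that
# ntfsdump takes one image path per line on stdin, exactly as the post shows.
NTFSFIND="${NTFSFIND:-ntfsfind}"
NTFSDUMP="${NTFSDUMP:-ntfsdump}"

# keep_under [PREFIX]: filter ntfsfind output on stdin down to paths below
# PREFIX (default: the live event log directory) and drop duplicates.
keep_under() {
    prefix="${1:-/Windows/System32/winevt/Logs/}"
    # IFS= and read -r keep spaces, backslashes and %4 in file names intact.
    while IFS= read -r path; do
        case "$path" in
            "$prefix"*) printf '%s\n' "$path" ;;
        esac
    done | sort -u
}

# list_matching IMAGE REGEX [PREFIX]: the paths that would be extracted.
list_matching() {
    "$NTFSFIND" "$1" "$2" | keep_under "${3:-}"
}

# count_matching IMAGE REGEX [PREFIX]: number of such paths (dry run).
count_matching() {
    list_matching "$@" | wc -l | tr -d ' '
}

# extract_matching IMAGE REGEX [PREFIX]: search, filter, then hand the
# surviving paths to ntfsdump for the same image.
extract_matching() {
    list_matching "$@" | "$NTFSDUMP" "$1"
}

# main REGEX IMAGE...: one pass per image, e.g. ./batch.sh '.*\.evtx' /cases/*.raw
main() {
    regex="$1"; shift
    for image in "$@"; do
        printf '%s: %s matching paths\n' "$image" "$(count_matching "$image" "$regex")"
        extract_matching "$image" "$regex"
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run the dry-run function first on a new image set; it costs one ntfsfind pass and shows what the filter will let through before anything is written out.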
Installation
Precompiled Binaries
Prebuilt binaries for Windows and Linux (Ubuntu) are available on GitHub Releases.
Just download the appropriate file and run it.
https://github.com/sumeshi/ntfsdump/releases
https://github.com/sumeshi/ntfsfind/releases
Install via PyPI
Python 3.13 or newer is supported.
$ pip install ntfsdump ntfsfind
https://pypi.org/project/ntfsdump/
https://pypi.org/project/ntfsfind/
Final Thoughts
These tools follow a “small, sharp tools” philosophy:
simple, minimal, and easy to carry around in your toolkit.
Ideally, you just keep a single binary handy and use it whenever you need quick, scriptable access to NTFS disk images.
If they help streamline your forensic workflow even a little, I’ll be happy 🙂
Original Post (Japanese): https://zenn.dev/sum3sh1/articles/file-extraction-from-ntfs-image-files