Extracts all INDX attributes from an NTFS image using Sleuthkit utilities
#!/bin/bash
# Extracts all INDX attributes from an NTFS image using Sleuthkit utilities
# Willi Ballenthin <willi.ballenthin@gmail.com>, 2013
# Updates provided by Stefan Kelm, 2013
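#######################################
# Print the command-line synopsis.
# Globals:   $0 (read) - script name shown in the synopsis
# Arguments: none
# Outputs:   writes the usage line to stderr (it is a diagnostic, not data)
# Returns:   0
#######################################
usage() {
  cat >&2 <<EOF
Usage: $0 offset /path/to/image/ /path/to/output/directory/
EOF
}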
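# Fail fast: abort on the first failing command, on unset variables, and on a
# failing stage anywhere in a pipeline.  Pipelines that may legitimately match
# nothing (grep) are guarded with "|| true" below.
set -euo pipefail

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Extract every attribute of one type from one inode into the output directory.
#
# istat lists each attribute as e.g. "Type: $INDEX_ROOT (144-6)   Name: $I30";
# the text inside the first pair of parentheses is the attribute id that icat
# accepts as "inode-id".
#
# Globals:   OFFSET, IMG, OUTDIR (read)
# Arguments: $1 - attribute type as printed by istat, e.g. '$INDEX_ROOT'
#            $2 - output file suffix, e.g. INDX_ROOT
#            $3 - inode number
#            $4 - full istat output for that inode
# Outputs:   one " SUFFIX inode-attr" line per extracted attribute on stdout;
#            attribute contents written to "$OUTDIR/<inode>.<SUFFIX>"
# Returns:   0 (an icat failure is reported on stderr and skipped)
#######################################
extract_index_attrs() {
  local attr_type=$1 suffix=$2 inum=$3 istat_out=$4
  local line attr_id
  # Keep the regex in a variable so the parentheses are not mangled by [[ ]].
  local re='\(([^)]+)\)'
  while IFS= read -r line; do
    [[ "$line" =~ $re ]] || continue
    attr_id=${BASH_REMATCH[1]}
    printf ' %s %s-%s\n' "$suffix" "$inum" "$attr_id"
    # NOTE: the output name carries only the inode number, so if an inode has
    # more than one attribute of this type the later one overwrites the earlier.
    icat -o "$OFFSET" "$IMG" "${inum}-${attr_id}" > "${OUTDIR}/${inum}.${suffix}" \
      || printf 'warning: icat failed for %s-%s\n' "$inum" "$attr_id" >&2
  done < <(grep -F -- "Type: ${attr_type}" <<<"$istat_out" || true)
}

if [[ $# -ne 3 ]]; then
  printf 'Error: Incorrect number of arguments provided.\n' >&2
  usage
  exit 1
fi

readonly OFFSET="$1"   # sector offset of the NTFS volume within the image
readonly IMG="$2"      # path to the image file
readonly OUTDIR="$3"   # existing directory that receives the extracted attributes

# Validate the environment before touching the evidence image so that a
# misconfiguration fails with a clear message instead of a long silent run.
[[ -d "$OUTDIR" ]] || die "Error: output directory '$OUTDIR' does not exist"
for tool in ils istat icat; do
  command -v "$tool" >/dev/null 2>&1 \
    || die "Error: required Sleuthkit tool '$tool' not found in PATH"
done

# Capture the inode list first so that an ils failure (bad offset, unreadable
# image) aborts the run instead of being masked by the pipeline.
inode_list=$(ils -o "$OFFSET" -e "$IMG") \
  || die "Error: ils failed on '$IMG' at offset $OFFSET"

# ils data rows start with the inode number; header rows do not.
while IFS= read -r ils_line; do
  inum=${ils_line%%|*}
  printf 'inode %s\n' "$inum"
  if ! istat_out=$(istat -o "$OFFSET" "$IMG" "$inum"); then
    printf 'warning: istat failed for inode %s, skipping\n' "$inum" >&2
    continue
  fi
  extract_index_attrs '$INDEX_ROOT' INDX_ROOT "$inum" "$istat_out"
  extract_index_attrs '$INDEX_ALLOCATION' INDX_ALLOCATION "$inum" "$istat_out"
done < <(grep '^[0-9]' <<<"$inode_list" || true)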
Sample output:
projects/INDX - [master●] » ls tmp_out -1
11.INDX_ROOT
24.INDX_ROOT
25.INDX_ROOT
26.INDX_ROOT
27.INDX_ROOT
29.INDX_ROOT
31.INDX_ALLOCATION
31.INDX_ROOT
32.INDX_ROOT
37.INDX_ROOT
40.INDX_ROOT
41.INDX_ROOT
43.INDX_ROOT
46.INDX_ROOT
47.INDX_ROOT
49.INDX_ALLOCATION
49.INDX_ROOT
5.INDX_ALLOCATION
5.INDX_ROOT
64.INDX_ALLOCATION
64.INDX_ROOT
65.INDX_ROOT
66.INDX_ROOT
67.INDX_ALLOCATION
67.INDX_ROOT
68.INDX_ROOT
70.INDX_ROOT
73.INDX_ROOT
75.INDX_ROOT
9.INDX_ALLOCATION
9.INDX_ROOT
Sample usage: