@williballenthin
Last active October 22, 2018 12:25
Extracts all INDX attributes from an NTFS image using Sleuthkit utilities
#!/bin/bash
# Extracts all INDX attributes from an NTFS image using Sleuthkit utilities
# Willi Ballenthin <willi.ballenthin@gmail.com>, 2013
# Updates provided by Stefan Kelm, 2013

usage()
{
    cat <<EOF
Usage: $0 offset /path/to/image/ /path/to/output/directory/
  offset   sector offset of the NTFS volume inside the image (passed to -o)
EOF
}

if [[ $# -ne 3 ]] ; then
    echo "Error: Incorrect number of arguments provided."
    usage
    exit 1
fi

OFFSET="$1"
IMG="$2"
OUTDIR="$3"

# Make sure the output directory exists before icat tries to write into it.
mkdir -p "$OUTDIR"

# ils -e lists every MFT entry (allocated and unallocated); the grep keeps
# only the "inode|..." records and drops the header lines.
ils -o "$OFFSET" -e "$IMG" | grep "^[0-9]" | while read -r ils_line; do
    INUM=$(echo "$ils_line" | cut -d "|" -f 1)
    echo "inode $INUM"
    ISTAT_OUT=$(istat -o "$OFFSET" "$IMG" "$INUM")

    # istat prints one line per attribute, e.g. "Type: $INDEX_ROOT (144-6) ...".
    # The value in parentheses is the "type-id" pair; icat selects that
    # attribute when given "$INUM-$ATTR".
    if echo "$ISTAT_OUT" | grep --quiet "Type: \$INDEX_ROOT"; then
        echo "$ISTAT_OUT" | grep "Type: \$INDEX_ROOT" | while read -r root_line; do
            ATTR=$(echo "$root_line" | cut -d "(" -f 2 | cut -d ")" -f 1)
            echo " INDX_ROOT $INUM-$ATTR"
            # Note: the output name carries only the inode number, so an entry
            # with several $INDEX_ROOT attributes (inode 9 in the sample run
            # below) keeps only the last one extracted.
            icat -o "$OFFSET" "$IMG" "$INUM-$ATTR" > "$OUTDIR"/"$INUM".INDX_ROOT
        done
    fi

    if echo "$ISTAT_OUT" | grep --quiet "Type: \$INDEX_ALLOCATION"; then
        echo "$ISTAT_OUT" | grep "Type: \$INDEX_ALLOCATION" | while read -r alloc_line; do
            ATTR=$(echo "$alloc_line" | cut -d "(" -f 2 | cut -d ")" -f 1)
            echo " INDX_ALLOCATION $INUM-$ATTR"
            # Same naming caveat as above: one file per inode, not per attribute.
            icat -o "$OFFSET" "$IMG" "$INUM-$ATTR" > "$OUTDIR"/"$INUM".INDX_ALLOCATION
        done
    fi
done
@williballenthin (Author)

Sample usage:

projects/INDX - [master●] » bash ./extract_all.sh 32256 /dev/sdc1 ./tmp_out/
inode 0
inode 1
inode 2
inode 3
inode 4
inode 5
  INDX_ROOT 5-144-6
  INDX_ALLOCATION 5-160-8
inode 6
inode 7
inode 8
inode 9
  INDX_ROOT 9-144-11
  INDX_ROOT 9-144-14
  INDX_ALLOCATION 9-160-9
  INDX_ALLOCATION 9-160-12
inode 10
inode 11
  INDX_ROOT 11-144-4

@williballenthin (Author)

Sample output:

projects/INDX - [master●] » ls tmp_out -1 
11.INDX_ROOT
24.INDX_ROOT
25.INDX_ROOT
26.INDX_ROOT
27.INDX_ROOT
29.INDX_ROOT
31.INDX_ALLOCATION
31.INDX_ROOT
32.INDX_ROOT
37.INDX_ROOT
40.INDX_ROOT
41.INDX_ROOT
43.INDX_ROOT
46.INDX_ROOT
47.INDX_ROOT
49.INDX_ALLOCATION
49.INDX_ROOT
5.INDX_ALLOCATION
5.INDX_ROOT
64.INDX_ALLOCATION
64.INDX_ROOT
65.INDX_ROOT
66.INDX_ROOT
67.INDX_ALLOCATION
67.INDX_ROOT
68.INDX_ROOT
70.INDX_ROOT
73.INDX_ROOT
75.INDX_ROOT
9.INDX_ALLOCATION
9.INDX_ROOT
