INDXParse
=========

Introduction
------------

INDX files are a feature of the Windows NTFS file system. They can be thought of as the nodes of a B+ tree: each directory has an INDX file, and that file holds a record for each file within the directory. Each record carries at least the following information:

- Filename
- Physical size of the file
- Logical size of the file
- Modified timestamp
- Accessed timestamp
- Changed timestamp
- Created timestamp

INDX files are interesting to forensic investigators for a number of reasons. First, an investigator may use them as a source of timestamps when developing a timeline of activity. Second, these files contain significant slack space: when a file is deleted its record is dropped from the live list of entries, but the bytes it occupied often remain past the end of that list. With careful parsing, an investigator may recover old or deleted records from this slack and show that a file existed even though it has since been deleted.

INDX files are not usually accessible from within the Windows operating system. Forensic utilities such as FTK Imager allow a user to extract one by reading the raw disk; FTK Imager exposes it as "$I30", which is the name NTFS gives a directory's filename index. Tools like The Sleuth Kit can extract the directory entries from a forensic image. INDXParse expects such an extracted file as input; it will not work against a live system.

Previous work & tools
---------------------

John McCash mentioned in a SANS blog post that he was unaware of any non-EnCase tools that parse INDX files. That got my mental gears turning.

I started out with a document called "NTFS Forensics: A Programmer's View of Raw Filesystem Data Extraction" by Jason Medeiros. Unfortunately, while this document describes parsing INDX files in detail, a number of steps in the explanation were wrong. The second resource I used, and used extensively, was "Forensic Computing" by A. J. (Tony) Sammes and Brian Jenkinson. I found the relevant section was available for free via Google Books. This was an excellent document, and I now plan on buying the full book.

42 LLC provides the INDX Extractor EnPack as a compiled EnScript for EnCase. This was not useful to me, because I was unable to get at the logic of the script. The Sleuth Kit has the INDX structures defined in its tsk_ntfs.h header file. I didn't do much digging in the code to see whether TSK parses INDX files itself (I suspect it does), but I did use the header to verify the structure layout.

Usage
-----

INDXParse.py accepts a number of command line parameters and switches that determine what data is parsed and the output format. It currently supports CSV (the default) and Bodyfile (v3) output. The CSV schema is:

- Filename
- Physical size of file
- Logical size of file
- Modified timestamp
- Accessed timestamp
- Changed timestamp
- Created timestamp

INDXParse.py will also parse the INDX structure's slack space if given the '-d' flag. Entries identified in slack are tagged with a string of the form "(slack at ###)", where ### is the hex offset of the slack entry. Note that slack entries carry their own timestamps, separate from those of the live entries, and can be used to show the state of the directory at an earlier point in time.

If the program encounters an error while decoding a filename, the filename field will contain a best guess followed by the comment "(error decoding filename)". If it encounters an error while parsing a timestamp, a timestamp corresponding to the UNIX epoch will be printed instead; treat such a value as "unknown" rather than as an event in 1970.

The full command line help:

    INDX $ python INDXParse.py -h
    usage: INDXParse.py [-h] [-c | -b] [-d] filename

    Parse NTFS INDX files.

    positional arguments:
      filename    Input INDX file path

    optional arguments:
      -h, --help  show this help message and exit
      -c          Output CSV
      -b          Output Bodyfile
      -d          Find entries in slack space

INDXTemplate.bt is a template file for the 010 Editor. Use it as you would any other template by applying it to INDX files.

TODO
----

- Brainstorm more features ;-)

License
-------

INDXParse is released under the Apache 2.0 license.
Contributors
------------

- Jerome Leseinne for identifying a bug in the is_valid constraint and null blocks
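Record layout example
---------------------

The following is an added, self-contained example written for this page; it is not INDXParse's own code. It builds a constructed 4 KiB INDX record (two live entries, an end marker, and one stale entry left behind in slack), undoes the NTFS update-sequence fixups, walks the live entries, then carves the slack the way the '-d' flag does, producing the same fields as the CSV schema above and the same "(slack at ###)", "(error decoding filename)" and UNIX-epoch fallbacks. The offsets follow the on-disk layout of the INDX record header, index node header, index entry and FILE_NAME attribute; the 512-byte sector size, the 4 KiB record size, the names of the helpers, and the slack validity heuristic (size fields must agree with the name length) are this example's assumptions, not the project's is_valid logic.

```python
import struct
from datetime import datetime, timedelta

FT_EPOCH = datetime(1601, 1, 1)   # FILETIME: 100 ns ticks since this epoch
NODE_HDR = 0x18                   # index node header sits after the INDX record header
FN_FIXED = 0x42                   # fixed-size part of a FILE_NAME attribute before the name

def to_filetime(dt):
    return ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    try:
        return FT_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:         # README behaviour: unparseable timestamp -> UNIX epoch
        return datetime(1970, 1, 1)

def build_filename_attr(name, created, modified, changed, accessed, alloc, real, parent=5):
    return struct.pack("<QQQQQQQIIBB", parent, created, modified, changed, accessed,
                       alloc, real, 0, 0, len(name), 1) + name.encode("utf-16-le")

def build_entry(mft_ref, fn_attr, flags=0):
    size = (16 + len(fn_attr) + 7) & ~7          # entries are padded to 8-byte alignment
    return (struct.pack("<QHHI", mft_ref, size, len(fn_attr), flags) + fn_attr).ljust(size, b"\0")

def build_indx_record(entries, stale=b"", size=4096, usn=0x0101):
    """Constructed 4 KiB INDX record with sector fixups applied, as it would sit on disk (assumption)."""
    buf, nsect = bytearray(size), size // 512
    buf[0:4] = b"INDX"
    struct.pack_into("<HHQQ", buf, 4, 0x28, nsect + 1, 0, 0)   # USA offset, USA words, LSN, VCN
    live = b"".join(entries) + struct.pack("<QHHI", 0, 16, 0, 2)   # flag 2 marks the last entry
    struct.pack_into("<IIII", buf, NODE_HDR, 0x40 - NODE_HDR,
                     0x40 - NODE_HDR + len(live), size - NODE_HDR, 0)
    buf[0x40:0x40 + len(live)] = live
    buf[0x40 + len(live):0x40 + len(live) + len(stale)] = stale   # leftover bytes past the end marker
    struct.pack_into("<H", buf, 0x28, usn)
    for i in range(nsect):   # save each sector's last word into the USA, stamp the USN over it
        end = (i + 1) * 512 - 2
        buf[0x2A + 2 * i:0x2C + 2 * i] = buf[end:end + 2]
        buf[end:end + 2] = struct.pack("<H", usn)
    return bytes(buf)

def undo_fixups(buf):
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn, out = buf[usa_off:usa_off + 2], bytearray(buf)
    for i in range(1, usa_count):
        end = i * 512 - 2
        if out[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write or not an INDX record)" % (i - 1))
        out[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_filename_attr(buf, off):
    (_parent, created, modified, changed, accessed, alloc, real,
     _flags, _reparse, nlen, _ns) = struct.unpack_from("<QQQQQQQIIBB", buf, off)
    raw = buf[off + FN_FIXED:off + FN_FIXED + 2 * nlen]
    try:
        name = raw.decode("utf-16-le")
    except UnicodeDecodeError:    # README behaviour: best guess plus a marker
        name = raw.decode("utf-16-le", "replace") + " (error decoding filename)"
    return {"filename": name, "physical_size": alloc, "logical_size": real,
            "modified": from_filetime(modified), "accessed": from_filetime(accessed),
            "changed": from_filetime(changed), "created": from_filetime(created)}

def scan_slack(buf, start, stop):
    """Carve entries from slack: accept one only if its size fields agree with its name length."""
    found, off = [], start
    while off + 16 + FN_FIXED <= stop:
        _ref, size, fnlen, _flags = struct.unpack_from("<QHHI", buf, off)
        nlen, ns = buf[off + 16 + 0x40], buf[off + 16 + 0x41]
        base = (16 + FN_FIXED + 2 * nlen + 7) & ~7
        if (1 <= nlen <= 255 and ns <= 3 and fnlen == FN_FIXED + 2 * nlen
                and size in (base, base + 8) and off + size <= stop):
            rec = parse_filename_attr(buf, off + 16)
            rec["filename"] += " (slack at %x)" % off
            found.append(dict(rec, offset=off))
            off += size
        else:
            off += 8              # entries are 8-byte aligned, so step by 8
    return found

def parse_indx(raw, slack=False):
    if raw[0:4] != b"INDX":
        raise ValueError("not an INDX record")
    buf = undo_fixups(raw)
    first, total, alloc, _ = struct.unpack_from("<IIII", buf, NODE_HDR)
    off, end, stop = NODE_HDR + first, NODE_HDR + total, NODE_HDR + alloc
    records = []
    while off + 16 <= end:
        _ref, size, _fnlen, flags = struct.unpack_from("<QHHI", buf, off)
        if flags & 2 or size < 16:
            break
        records.append(dict(parse_filename_attr(buf, off + 16), offset=off))
        off += size
    return records + (scan_slack(buf, end, stop) if slack else [])

def demo():
    """Two live files plus one stale entry left behind past the end marker (constructed data)."""
    t, hour = to_filetime(datetime(2012, 1, 1)), 36_000_000_000
    live = [build_entry(0x10000000000001, build_filename_attr("report.docx", t, t + hour, t + hour, t + 2 * hour, 8192, 6201)),
            build_entry(0x10000000000002, build_filename_attr("notes.txt", t, t, t, t, 4096, 120))]
    stale = build_entry(0x10000000000003, build_filename_attr("secret.old", t - 48 * hour, t - 48 * hour, t - 48 * hour, t - 48 * hour, 4096, 33))
    return parse_indx(build_indx_record(live, stale), slack=True)
```

Two points matter when running something like this against a real $I30 extract. The fixups must be undone before any offset is trusted: the last two bytes of every 512-byte sector are overwritten with the update sequence number on disk, so a record or timestamp straddling a sector boundary parses as garbage otherwise, and a mismatched USN is itself a finding (torn write or the wrong file). And slack carving is a heuristic: the self-consistency check above rejects zero fill and most random bytes, but a practitioner should still sanity-check carved timestamps against the live entries before putting them on a timeline.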