This package implements multiple libraries and tools to parse, analyze and extract information from a disk and its main partition, either on the live system or from a full disk file.
- Pure python package
- Running on live Windows system
- Analyze MBR (Master Boot Record) and GPT (GUID Partition Table)
- List partitions
- Analyze VBR (Volume Boot Record) for NTFS partition (New Technology File System)
- Analyze MFT file and attribute (Master File Table)
- Extract MFT file
- Analyze MFT
- Extract MFT Entries
- Generate full file paths from the MFT
- Extract file content from NTFS partition
- Analyze FAT32
- Extract file content from FAT32 partition
- Analyze ExFAT Boot Sector
- Repair MBR for non-bootable disk and MFT/ExFAT partitions (using disk carving)
This package requires:
- python3
- python3 Standard Library
```bash
# Install from PyPI
python3 -m pip install DiskAnalyzer

# Or install from source with git
git clone "https://github.com/mauricelambert/DiskAnalyzer.git"
cd "DiskAnalyzer"
python3 -m pip install .

# Or download the source archive with wget
wget https://github.com/mauricelambert/DiskAnalyzer/archive/refs/heads/main.zip
unzip main.zip
cd DiskAnalyzer-main
python3 -m pip install .

# Or download the source archive with curl
# (-L follows the redirect GitHub returns for archive URLs)
curl -L -O https://github.com/mauricelambert/DiskAnalyzer/archive/refs/heads/main.zip
unzip main.zip
cd DiskAnalyzer-main
python3 -m pip install .
```

```bash
DiskAnalyzer                     # Using CLI package executable
python3 -m DiskAnalyzer          # Using python module
python3 DiskAnalyzer.pyz         # Using python executable
DiskAnalyzer.exe                 # Using python Windows executable

NtfsAnalyzer                     # Using CLI package executable
python3 -m NtfsAnalyzer          # Using python module
python3 NtfsAnalyzer.pyz         # Using python executable
NtfsAnalyzer.exe                 # Using python Windows executable

MftAnalyzer                      # Using CLI package executable
python3 -m MftAnalyzer           # Using python module
python3 MftAnalyzer.pyz          # Using python executable
MftAnalyzer.exe                  # Using python Windows executable

Fat32Analyzer                    # Using CLI package executable
python3 -m Fat32Analyzer         # Using python module
python3 Fat32Analyzer.pyz        # Using python executable
Fat32Analyzer.exe                # Using python Windows executable

MbrRepair                        # Using CLI package executable
python3 -m MbrRepair             # Using python module
python3 MbrRepair.pyz            # Using python executable
MbrRepair.exe                    # Using python Windows executable

ExFatAnalyzer                    # Using CLI package executable
python3 -m ExFatAnalyzer         # Using python module
python3 ExFatAnalyzer.pyz        # Using python executable
ExFatAnalyzer.exe                # Using python Windows executable
```
```bash
# Fat32Analyzer has its own argument parser
Fat32Analyzer /path/to/fat32.img
Fat32Analyzer /path/to/fat32.img -v # verbose

# Other commands use the same argument parser
# (only one optional argument: filepath, default: main disk file)
MbrRepair # main disk
MbrRepair /path/to/disk
DiskAnalyzer # main disk
DiskAnalyzer /path/to/disk
NtfsAnalyzer # main disk
NtfsAnalyzer /path/to/disk
MftAnalyzer # main disk
MftAnalyzer /path/to/disk
ExFatAnalyzer # main disk
ExFatAnalyzer /path/to/disk
```

```python
from csv import writer, QUOTE_ALL

from DiskAnalyzer import *

# Parse the disk and print its partitions
print(disk_parsing(file_path="/path/to/disk").to_partition())

# Parse the VBR of the NTFS partition
file, vbr, ntfs_offset = ntfs_parse(file_path="/path/to/disk")

# Parse the MFT entry of the $MFT file, then extract $MFT itself
(
    file,
    mft_entry,
    mft_entry_raw_data,
    mft_entry_offset,
    mft_entry_size,
    ntfs_offset,
    cluster_size,
) = parse_mft(file_path="/path/to/disk")
file_extract(file, mft_entry, "$MFT", mft_entry_raw_data, ntfs_offset)

# Extract files by full path.
# NOTE: MftEntries.csv and FullPath.csv were generated by running
# DiskAnalyzer from the command line
with open(
    "MftEntries.csv", newline='', encoding="utf-8"
) as entries, open(
    "FullPath.csv", newline='', encoding="utf-8"
) as full_path, open("SAM", 'wb') as sam, open("SYSTEM", 'wb') as system:
    file_extract_from_csv(
        r'\\.\C:\.\Windows\System32\config\SAM', sam, entries, full_path, file
    )
    file_extract_from_csv(
        r'\\.\C:\.\Windows\System32\config\SYSTEM', system, entries, full_path, file
    )
file.close()

# Generate MftEntries.csv and FullPath.csv from an extracted $MFT file
with open(
    "MftEntries.csv", "w", newline="", encoding="utf-8"
) as entries_file, open("$MFT", "rb") as mft, open(
    "FullPath.csv", "w", newline="", encoding="utf-8"
) as fullpath_file:
    entries_writer = writer(entries_file, quoting=QUOTE_ALL)
    fullpath_writer = writer(fullpath_file, quoting=QUOTE_ALL)
    for mft_entry, data_positions in extracted_mft_analysis(mft, entries_writer, fullpath_writer):
        pass
```

```python
>>> from DiskAnalyzer.MftAnalyzer import parse_extracted_mft, get_data_positions, save_attribute, resolve_parents, file_names
>>> from csv import writer, QUOTE_ALL
>>> filename = "$MFT"
>>> with open("MftEntries.csv", "w", newline="", encoding="utf-8") as csv_file, open(filename, "rb") as mft:
...     csv_writer = writer(csv_file, quoting=QUOTE_ALL)
...     for mft_entry in parse_extracted_mft(mft):
...         data_positions = []
...         for offset, size, resident in get_data_positions(mft_entry, 0, 0):
...             data_positions.append((offset, size, "resident" if resident else "non-resident"))
...         save_attribute(csv_writer, mft_entry, mft.tell(), data_positions)
...
>>> with open("FullPath.csv", "w", newline="", encoding="utf-8") as csv_file:
...     csv_writer = writer(csv_file, quoting=QUOTE_ALL)
...     for record_sequence, name in file_names.items():
...         full_path = resolve_parents(name, record_sequence, "$MFT")
...         csv_writer.writerow(
...             [
...                 str(record_sequence[0]),
...                 str(record_sequence[1]),
...                 name,
...                 full_path,
...             ]
...         )
...
```

- PyPI
- GitHub
- DiskAnalyzer - Documentation
- DiskAnalyzer - Python executable
- DiskAnalyzer - Python Windows executable
- NtfsAnalyzer - Documentation
- NtfsAnalyzer - Python executable
- NtfsAnalyzer - Python Windows executable
- MftAnalyzer - Documentation
- MftAnalyzer - Python executable
- MftAnalyzer - Python Windows executable
- Fat32Analyzer - Documentation
- Fat32Analyzer - Python executable
- Fat32Analyzer - Python Windows executable
- ExFatAnalyzer - Documentation
- ExFatAnalyzer - Python executable
- ExFatAnalyzer - Python Windows executable
- MbrRepair - Documentation
- MbrRepair - Python executable
- MbrRepair - Python Windows executable
Licensed under the GPL, version 3.
