release: v2.4.0

.github/workflows/build-binary.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: windows-latest
     strategy:
       matrix:
-        python-version: ['3.10']
+        python-version: ['3.9']
     steps:
       - name: checkout
         uses: actions/checkout@v2

README.md

@@ -104,7 +104,7 @@ $ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw | ntfsdump ./path/to/your/ima
 
 --type, -t:
     Image file format (default: raw(dd-format)).
-    (raw|e01) are supported.
+    (raw|e01|vhd|vhdx|vmdk) are supported.
 
 --output-path, -o:
     Output directory or file path.

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ntfsdump"
-version = "2.3.5"
+version = "2.4.0"
 description = "A tool for extract any files from an NTFS volume on an image file."
 authors = ["sumeshi <sum3sh1@protonmail.com>"]
 license = "LGPLv3+"
@@ -18,6 +18,8 @@ ntfsdump = 'ntfsdump.views.NtfsDumpView:entry_point'
 python = "^3.9"
 pytsk3 = "^20211111"
 libewf-python = "^20201230"
+libvmdk-python = "^20210807"
+libvhdi-python = "^20210425"
 
 [tool.poetry.dev-dependencies]
 black = "^22.1.0"

src/ntfsdump/__init__.py

@@ -9,7 +9,18 @@ def ntfsdump(
     output_path: str,
     target_queries: list[str],
     volume_num: Optional[int] = None,
-    file_type: Literal['raw', 'e01'] = 'raw'
+    file_type: Literal[
+        'raw',
+        'RAW',
+        'e01',
+        'E01',
+        'vhd',
+        'VHD',
+        'vhdx',
+        'VHDX',
+        'vmdk',
+        'VMDK',
+    ] = 'raw'
 ):
     """A tool for extract any files from an NTFS volume on an image file.
 
@@ -18,7 +29,7 @@ def ntfsdump(
         output_path (str): output target file path, or output target directory path.
         target_queries (list[str]): query for extracted file paths.
         volume_num (Optional[int], optional): system volume number. Defaults to None.
-        file_type (Literal['raw', 'e01'], optional): target image file format. Defaults to 'raw'.
+        file_type (Literal['raw', 'e01', 'vhd', 'vhdx', 'vmdk'], optional): target image file format. Defaults to 'raw'.
     """
     NtfsDumpPresenter().ntfsdump(
         imagefile_path,

src/ntfsdump/models/ImageFile.py

@@ -7,30 +7,59 @@
 
 import pytsk3
 import pyewf
+import pyvhdi
+import pyvmdk
 
 
-class ewf_Img_Info(pytsk3.Img_Info):
-  def __init__(self, ewf_handle):
-    self._ewf_handle = ewf_handle
-    super(ewf_Img_Info, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
+class Img_Info(pytsk3.Img_Info):
+    def __init__(self, handle):
+        self.handle = handle
+        super(Img_Info, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)
 
-  def close(self):
-    self._ewf_handle.close()
+    def close(self):
+        self.handle.close()
 
-  def read(self, offset, size):
-    self._ewf_handle.seek(offset)
-    return self._ewf_handle.read(size)
+    def read(self, offset, size):
+        self.handle.seek(offset)
+        return self.handle.read(size)
 
-  def get_size(self):
-    return self._ewf_handle.get_media_size()
+    def get_size(self):
+        return self.handle.get_media_size()
 
 
 class ImageFile(object):
-    def __init__(self, path: Path, volume_num: Optional[int], file_type: Literal['raw', 'e01'] = 'raw'):
+    def __init__(
+        self,
+        path: Path,
+        volume_num: Optional[int],
+        file_type: Literal[
+            'raw',
+            'RAW',
+            'e01',
+            'E01',
+            'vhd',
+            'VHD',
+            'vhdx',
+            'VHDX',
+            'vmdk',
+            'VMDK',
+        ] = 'raw'
+    ):
         self.path: Path = path
         self.logger: Log = Log()
         self.block_size: int = 512
-        self.file_type: Literal['raw', 'e01'] = file_type
+        self.file_type: Literal[
+            'raw',
+            'RAW',
+            'e01',
+            'E01',
+            'vhd',
+            'VHD',
+            'vhdx',
+            'VHDX',
+            'vmdk',
+            'VMDK',
+        ] = file_type
         self.volumes: List[NtfsVolume] = self.__analyze_partitions()
         self.main_volume: NtfsVolume = self.__auto_detect_main_partition(volume_num)
 
@@ -40,12 +69,23 @@ def __init__(self, path: Path, volume_num: Optional[int], file_type: Literal['ra
         self.logger.log(f"[analyze] Volume {self.volumes.index(self.main_volume)} was automatically detected as the main partition.", 'system')
 
     def __analyze_partitions(self) -> List[NtfsVolume]:
-        if self.file_type == 'e01':
+        if self.file_type in ['e01', 'E01']:
             self.logger.log(f"[analyze] E01 Format Image", 'system')
             filenames = pyewf.glob(str(self.path))
             ewf_handle = pyewf.handle()
             ewf_handle.open(filenames)
-            img_info = ewf_Img_Info(ewf_handle)
+            img_info = Img_Info(ewf_handle)
+        elif self.file_type in ['vhd', 'vhdx', 'VHD', 'VHDX']:
+            self.logger.log(f"[analyze] VHD Format Image", 'system')
+            vhdi_file = pyvhdi.file()
+            vhdi_file.open(str(self.path))
+            img_info = Img_Info(vhdi_file)
+        elif self.file_type in ['vmdk', 'VMDK']:
+            self.logger.log(f"[analyze] VMDK Format Image", 'system')
+            vmdk_handle = pyvmdk.handle()
+            vmdk_handle.open(str(self.path))
+            vmdk_handle.open_extent_data_files()
+            img_info = Img_Info(vmdk_handle)
         else:
             self.logger.log(f"[analyze] Raw Format Image", 'system')
             img_info = pytsk3.Img_Info(str(self.path))

src/ntfsdump/presenters/NtfsDumpPresenter.py

@@ -11,7 +11,18 @@ def ntfsdump(
         output_path: str,
         target_queries: List[str],
         volume_num: Optional[int] = None,
-        file_type: Literal['raw', 'e01'] = 'raw'
+        file_type: Literal[
+            'raw',
+            'RAW',
+            'e01',
+            'E01',
+            'vhd',
+            'VHD',
+            'vhdx',
+            'VHDX',
+            'vmdk',
+            'VMDK',
+        ] = 'raw'
     ):
         # dump files
         image = ImageFile(Path(imagefile_path), volume_num, file_type)