Merge branch 'develop'

.github/workflows/build-docker-image.yaml

@@ -0,0 +1,39 @@
+name: build-docker-image
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  build:
+    name: Build docker image
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: get version tag
+        id: tag_number
+        run: |
+          CURRENT_TAG=$(git tag --sort=-creatordate | sed -n 1p)
+          DOCKERHUB_TAG="${CURRENT_TAG//v/}"
+          echo "::set-output name=dh_tag::${DOCKERHUB_TAG}"
+
+      - name: setup docker buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: login to dockerhub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: build and push to dockerhub
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: |
+            sumeshi/ntfsfind:latest
+            sumeshi/ntfsfind:${{steps.tag_number.outputs.dh_tag}}

Dockerfile

@@ -1,18 +1,10 @@
-FROM python:3.7-buster
+FROM python:3.9-buster
 
-# configure poetry
-RUN pip install poetry
-RUN poetry config virtualenvs.create false
-
-# install dependencies
+# install from pypi
 WORKDIR /app
-COPY . /app
-RUN poetry install
-
-# delete caches
-RUN rm -rf ~/.cache/pip
+RUN pip install ntfsfind
 
 # you can rewrite this command when running the docker container.
-# ex. docker run -t --rm -v $(pwd):/app/work ntfsfind:latest '/\$MFT' /app/work/sample.raw
+# ex. docker run --rm -v $(pwd):/app -t ntfsdump:latest '/$MFT' /app/sample.raw
 ENTRYPOINT ["ntfsfind"]
 CMD ["-h"]

README.md

@@ -3,16 +3,16 @@
 [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE)
 [![PyPI version](https://badge.fury.io/py/ntfsfind.svg)](https://badge.fury.io/py/ntfsfind)
 [![Python Versions](https://img.shields.io/pypi/pyversions/ntfsfind.svg)](https://pypi.org/project/ntfsfind/)
-[![DockerHub Status](https://shields.io/docker/cloud/build/sumeshi/ntfsfind)](https://hub.docker.com/r/sumeshi/ntfsfind)
+[![docker build](https://github.com/sumeshi/ntfsdump/actions/workflows/build-docker-image.yaml/badge.svg)](https://github.com/sumeshi/ntfsdump/actions/workflows/build-docker-image.yaml)
 
 ![ntfsfind](https://gist.githubusercontent.com/sumeshi/c2f430d352ae763273faadf9616a29e5/raw/baa85b045e0043914218cf9c0e1d1722e1e7524b/ntfsfind.svg)
 
-A tool for search file paths from an NTFS volume on a Raw Image file.
+A tool for search file paths from an NTFS volume on an Image file.
 
 ## Usage
 
 ```bash
-$ ntfsfind <query_regex> ./path/to/your/imagefile.raw
+$ ntfsfind {{query_regex}} /path/to/imagefile.raw
 ```
 
 ```python
@@ -21,6 +21,7 @@ from ntfsfind import ntfsfind
 # imagefile_path: str
 # search_query: str
 # volume_num: Optional[int] = None
+# file_type: Literal['raw', 'e01'] = 'raw'
 # multiprocess: bool = False
 #
 # -> List[str]
@@ -29,19 +30,39 @@ records = ntfsfind(
     imagefile_path='./path/to/your/imagefile.raw',
     search_query='.*\.evtx',
     volume_num=2,
+    file_type='raw',
     multiprocess=False
 )
 
 for record in records:
     print(record)
 ```
 
+
+### Query
+
+The query for ntfsfind is a regular expression of the file path to be extracted.
+The paths are separated by slashes.
+
+e.g.
+```
+Original Path: C:\$MFT
+Query: '/\$MFT'
+
+# find Eventlogs
+Query: '.*\.evtx'
+
+# find Alternate Data Streams
+Query: '.*:.*'
+```
+
+
 ### Example
 Extracts $MFT information directly from image files in raw device mapping format.  
 ntfsfind can use regular expressions to search for files.
 
 ```.bash
-$ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw
+$ ntfsfind '.*\.evtx' /path/to//imagefile.raw
 Windows/System32/winevt/Logs/Setup.evtx
 Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
 Logs/Windows PowerShell.evtx
@@ -62,12 +83,49 @@ Logs/Microsoft-Windows-SettingSync%4Operational.evtx
 
 ```
 
+
+#### When use with [ntfsdump](https://github.com/sumeshi/ntfsdump)
+
+Combined with ntfsdump, the retrieved files can be dumped directly from the image file.
+
+```.bash
+$ ntfsfind '.*\.evtx' /path/to/imagefile.raw | ntfsdump /path/to/your/imagefile
+```
+
+https://github.com/sumeshi/ntfsdump
+
+
 ### Options
 ```
---volume-num, -n: NTFS volume number(default: autodetect).
---multiprocess, -m: flag to run multiprocessing.
+--help, -h:
+    show help message and exit.
+
+--version, -v:
+    show program's version number and exit.
+
+--volume-num, -n:
+    NTFS volume number (default: autodetect).
+
+--type, -t:
+    image file format (default: raw(dd-format)).
+    (raw|e01) are supported.
+
+--multiprocess, -m:
+    flag to run multiprocessing.
 ```
 
+
+## Prerequisites
+The image file to be processed must meet the following conditions.
+
+- raw or e01 file format
+- NT file system(NTFS)
+- GUID partition table(GPT)
+
+Additional file formats will be added in the future.  
+If you have any questions, please submit an issue.  
+
+
 ## Installation
 
 ### via PyPI
@@ -81,16 +139,17 @@ https://hub.docker.com/r/sumeshi/ntfsfind
 
 
 ```bash
-$ docker run -t --rm -v $(pwd):/app/work sumeshi/ntfsfind:latest '/\$MFT' /app/work/sample.raw
+$ docker run --rm -v $(pwd):/app -t sumeshi/ntfsfind:latest '/\$MFT' /app/sample.raw
 ```
 
 ## Contributing
 
 The source code for ntfsfind is hosted at GitHub, and you may download, fork, and review it from this repository(https://github.com/sumeshi/ntfsfind).  
 Please report issues and feature requests. :sushi: :sushi: :sushi:
 
+
 ## License
 
 ntfsfind is released under the [MIT](https://github.com/sumeshi/ntfsfind/blob/master/LICENSE) License.
 
-Powered by [pytsk3](https://github.com/py4n6/pytsk).  
+Powered by [pytsk3](https://github.com/py4n6/pytsk), [libewf](https://github.com/libyal/libewf) and [pymft-rs](https://github.com/omerbenamram/pymft-rs).