Failed to load latest commit information.
INDXParse =============== Introduction ------------ INDX files are features of the Windows NTFS file system. They can be thought of as nodes in a B+ tree, where each directory has an INDX file. The INDX files contain records for each file within a directory. Records contain at least the following information: - Filename - Physical size of file - Logical size of file - Modified timestamp - Accessed timestamp - Changed timestamp - Created timestamp INDX files are interesting to forensic investigators for a number of reasons. First, an investigator may use INDX files as a source of timestamps to develop a timeline of activity. Secondly, these files have significant slack spaces. With careful parsing, an investigator may recover old or deleted records from within these data chunks. In other words, the investigator may be able to show a file existed even if it has been deleted. INDX files are not usually accessible from within the Windows operating system. Forensic utilties such as the FTK Imager may allow a user to extract the file by accessing the raw hard disk. FTK names the INDX file "$I30". Tools like the Sleuthkit can extract the directory entries from a forensic image. INDXParse will not work against a live system. Previous work & tools --------------------- I'd like to first mention John McCash, who mentioned he was unaware of any non-EnCase tools that parse INDX files in a SANS blog post. That got my mental gears turning. I started out with a document called NTFS Forensics: A Programmers View of Raw Filesystem Data Extraction by Jason Medeiros. Unfortunately, while this document describes parsing INDX files in detail, a number of steps in the explanation were wrong. The second resource I used, and used extensively, was Forensic computing by A. J. Sammes, Tony Sammes, and Brian Jenkinson. I found the relevent section was available for free via Google books. This was an excellent document, and I now plan on buying the full book. 42 LLC provides the INDX Extractor Enpack as a compiled EnScript for EnCase. This was not useful to me, because I was unable to get to the logic of the script. The Sleuthkit has INDX structures defined in the tsk_ntfs.h header files. I didn't do much digging in the code to see if TSK does any parsing of the INDX files (I suspect it does), but I did use it to verify the file structure. Usage ----- INDXParse.py accepts a number of command line parameters and switches that determine what data is parsed and output format. INDXParse.py currently supports both CSV (default) and Bodyfile (v3) output formats. The CSV schema is as follows: - Filename - Physical size of file - Logical size of file - Modified timestamp - Accessed timestamp - Changed timestamp - Created timestamp INDXParse.py will parse INDX structure slack space if provided the '-d' flag. Entries identified in the slack space will be tagged with a string of the form "(slack at ###)" where ### is the hex offset to the slack entry. Note that slack entries will have separate timestamps from the live entries, and could be used to show the state of the system at a point in time. If the program encounters an error while parsing the filename, the filename field will contain a best guess, and the comment "(error decoding filename)". If the program encounters an error while parsing timestamps, a timestamp corresponding to the UNIX epoch will be printed instead. The full command line help is included here: INDX $ python INDXParse.py -h usage: INDXParse.py [-h] [-c | -b] [-d] filename Parse NTFS INDX files. positional arguments: filename Input INDX file path optional arguments: -h, --help show this help message and exit -c Output CSV -b Output Bodyfile -d Find entries in slack space INDXTemplate.bt is a template file for the useful 010 Editor. Use it as you would any other template by applying it to INDX files. TODO ---- - Brainstorm more features ;-) License ------- INDXParse is released under the Apache 2.0 license. Contributors ------------ - Jerome Leseinne for identifying a bug in the is_valid constraint and null blocks