image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.
To get a full list of parameters that can be passed to the tool use the --help switch. The only required argument is IMAGE, which should point to your source data.
The command above will extract all unique allocated files and generate a hashes.json file in the export/ directory, which is relative to the folder where you run image_export.py from. The hashes.json file will contain a list of unique hashes of the extracted files. In case there are any duplicates, the file will contain paths to all duplicate files.
There are several ways to limit the number of files to extract:
Based on path, filename or extension name
Based on time range
Based on format signature
In order to extract files based on their signature, use the --signatures flag. To list all available file signatures run:
image_export.py --signatures list
To extract all files with the Windows PE Binary signature use the command below:
image_export.py --signatures exe_mz [IMAGE]
You can filter the extracted files based on their filename. If you want to extract all files with the filename .bash_history use the command below:
image_export.py --names .bash_history [IMAGE]
--names accepts comma-separated strings.
You can extract files based on their extension. To extract all docx files run the command below:
image_export.py --extensions docx [IMAGE]
--extensions accepts comma-separated strings.
You can extract files whose timestamp falls into a date and time range provided in the command line parameters:
image_export.py --date-filter "crtime,2019-09-01,2019-09-30" [IMAGE]
The command above will extract all files created in September 2019.
For more details on date time filtering run
In order to specify a custom output folder, where all the files will be extracted, provide
image_export.py -w ~/image_export_output [IMAGE]
By default image_export.py will not extract duplicate files; however, paths to all duplicate files will be stored in the hashes.json file. If you’d like to extract duplicate files add
--data --no_vss --vss_stores VSS_STORES
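One way to triage the hashes.json file described above after an export: list content found at more than one path and match the hashes against a known-hash list. This is an added example, not part of image_export or its documentation. It assumes hashes.json is a JSON list of records with a "sha256" string and a "paths" list; the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample in the layout this example ASSUMES for hashes.json:
# a JSON list of {"sha256": <hex digest>, "paths": [<path>, ...]} records.
SAMPLE_HASHES_JSON = json.dumps([
    {"sha256": "a" * 64, "paths": ["/home/user/.bash_history"]},
    {"sha256": "b" * 64, "paths": ["/Windows/Temp/setup.exe",
                                   "/Users/user/Downloads/setup.exe"]},
    {"sha256": "c" * 64, "paths": ["/Users/user/Documents/report.docx"]},
])


def load_hashes(text):
    """Parse hashes.json text into {sha256: [paths]}, rejecting malformed records."""
    index = {}
    for record in json.loads(text):
        if not isinstance(record, dict):
            raise ValueError(f"record is not an object: {record!r}")
        digest = str(record.get("sha256", "")).lower()
        paths = record.get("paths")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        if not isinstance(paths, list) or not paths:
            raise ValueError(f"no paths recorded for {digest}")
        index.setdefault(digest, []).extend(paths)
    return index


def duplicates(index):
    """Return only the hashes whose content was seen at more than one path."""
    return {d: sorted(p) for d, p in index.items() if len(p) > 1}


def match_known(index, known_hashes):
    """Return sorted (hash, path) pairs whose content hash is in known_hashes."""
    known = {h.lower() for h in known_hashes}
    return sorted((d, p) for d, paths in index.items() if d in known for p in paths)


if __name__ == "__main__":
    idx = load_hashes(SAMPLE_HASHES_JSON)
    for digest, paths in duplicates(idx).items():
        print(digest[:12], "->", ", ".join(paths))
    for digest, path in match_known(idx, ["B" * 64]):
        print("known hash", digest[:12], "at", path)
```

To run it on real output, read the hashes.json file from your export folder and pass its text to load_hashes.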