Using image_export.py

PAGE WIP

image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.

Usage

To get a full list of parameters that can be passed to the tool use the -h or --help switch. The only required argument is IMAGE, which should point to your source data.

image_export.py IMAGE

The command above will extract all unique allocated files and write a hashes.json file to the export/ directory, which is relative to the folder you run image_export.py from. The hashes.json file will contain the list of unique hashes of the extracted files. If there are any duplicates, the file will also contain the paths of all duplicate files.

There are several ways to limit the number of files to extract:

  • Based on path, filename or extension name

  • Based on time range

  • Based on format signature

Format signatures

To extract files based on their signature, use the --signatures flag. To list all available file signatures, run:

image_export.py --signatures list

To extract all files with the Windows PE binary signature, use the command below:

image_export.py --signatures exe_mz [IMAGE]

Filename

You can filter the extracted files based on their filename. If you want to extract all files named .bash_history, use the command below:

image_export.py --names .bash_history [IMAGE]

The --names flag accepts a comma-separated list of filenames.

Extension

You can extract files based on their extension. To extract all .docx files, run the command below:

image_export.py --extensions docx [IMAGE]

The --extensions flag accepts a comma-separated list of extensions.

Time range

You can extract files whose timestamp falls within a date and time range provided on the command line:

image_export.py --date-filter "crtime,2019-09-01,2019-09-30" [IMAGE]

The command above will extract all files created in September 2019.

For more details on date and time filtering, run image_export.py -h.

Output folder

To specify a custom output folder into which all the files will be extracted, provide the -w flag:

image_export.py -w ~/image_export_output [IMAGE]

Duplicate handling

By default, image_export.py will not extract duplicate files; however, the paths of all duplicate files will be stored in the hashes.json file. If you'd like to extract the duplicate files as well, add the --include_duplicates flag.
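The following is an added post-extraction check (not part of this page or of plaso's own code) that ties the hashes.json description above to the duplicate handling just described: it lists the hashes recorded under more than one in-image path and verifies that each extracted copy still hashes to its recorded value, flagging duplicates that were (by default) not written out. It assumes hashes.json is a JSON object mapping each hash to the list of in-image paths with that hash, that the hash is SHA-256, and that files are written below the output folder under their in-image path; the sample export tree is constructed in the script itself.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def digest(data):
    """Hex SHA-256; image_export's hash algorithm is assumed to be SHA-256."""
    return hashlib.sha256(data).hexdigest()

def find_duplicates(hashes):
    """Hashes recorded for more than one in-image path, i.e. duplicate content."""
    return {h: paths for h, paths in hashes.items() if len(paths) > 1}

def verify_exported(hashes, export_dir):
    """Map each in-image path to 'ok', 'mismatch' or 'missing'."""
    status = {}
    for expected, paths in hashes.items():
        for image_path in paths:
            on_disk = Path(export_dir) / image_path.lstrip("/")
            if not on_disk.is_file():
                # Normal for duplicates unless --include_duplicates was used.
                status[image_path] = "missing"
            else:
                status[image_path] = "ok" if digest(on_disk.read_bytes()) == expected else "mismatch"
    return status

def build_sample_export(root):
    """Construct a tiny export tree and hashes.json (assumed layout: hash -> [paths])."""
    root = Path(root)
    files = {"home/alice/.bash_history": b"ls -la\ncd /tmp\n",
             "Windows/System32/calc.exe": b"MZ\x90\x00" + b"\x00" * 60,
             "tampered.txt": b"changed after extraction"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    hashes = {digest(files["home/alice/.bash_history"]): ["/home/alice/.bash_history", "/home/bob/.bash_history"],
              digest(files["Windows/System32/calc.exe"]): ["/Windows/System32/calc.exe"],
              digest(b"original"): ["/tampered.txt"]}  # recorded hash != on-disk content
    (root / "hashes.json").write_text(json.dumps(hashes))
    return root

def demo():
    """Run both checks over the constructed sample; returns (dup_count, status)."""
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = build_sample_export(tmp)
        hashes = json.loads((export_dir / "hashes.json").read_text())
        return len(find_duplicates(hashes)), verify_exported(hashes, export_dir)

if __name__ == "__main__":
    print(demo())
```

Point verify_exported at a real output folder and its hashes.json to confirm an extraction before handing the files on; a "mismatch" means the extracted copy was altered after image_export.py wrote it.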

Collection filters

More details: collection filters

Other options

Talk about:

--data
--vss_stores VSS_STORES