release: v2.1.1

sumeshi · Sep 2, 2021 · 45ee90d · 45ee90d
1 parent 2ee8121
commit 45ee90d
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,27 @@ A tool for search file paths from an NTFS volume on a Raw Image file.
 $ ntfsfind <query_regex> ./path/to/your/imagefile.raw
 ```
 
+```python
+from ntfsfind import ntfsfind
+
+# imagefile_path: str
+# search_query: str
+# volume_num: Optional[int] = None
+# multiprocess: bool = False
+#
+# -> List[str]
+
+records = ntfsfind(
+    imagefile_path='./path/to/your/imagefile.raw',
+    search_query='.*\.evtx',
+    volume_num=2,
+    multiprocess=False
+)
+
+for record in records:
+    print(record)
+```
+
 ### Example
 Extracts $MFT information directly from image files in raw device mapping format.  
 ntfsfind can use regular expressions to search for files.

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ntfsfind"
-version = "2.1.0"
+version = "2.1.1"
 description = ""
 authors = ["sumeshi <j15322sn@gmail.com>"]
 license = "MIT"
@@ -12,7 +12,7 @@ homepage = "https://github.com/sumeshi/ntfsfind"
 keywords = ['Windows']
 
 [tool.poetry.scripts]
-ntfsfind = 'ntfsfind:ntfsfind'
+ntfsfind = 'ntfsfind:entry_point'
 
 [tool.poetry.dependencies]
 python = "^3.7"

diff --git a/src/ntfsfind.py b/src/ntfsfind.py
@@ -2,7 +2,7 @@
 import re
 import argparse
 from pathlib import Path
-from typing import List
+from typing import List, Optional
 from multiprocessing import Pool, cpu_count
 
 from ntfsdump import ImageFile
@@ -26,7 +26,17 @@ def gen_names(mft: bytes, multiprocess: bool) -> List[str]:
         return [c.decode("utf8").split(",")[-1].strip() for c in csvparser.entries_csv()]
 
 
-def ntfsfind():
+def ntfsfind(imagefile_path: str, search_query: str, volume_num: Optional[int] = None, multiprocess: bool = False) -> List[str]:
+    image = ImageFile(Path(imagefile_path).resolve(), volume_num)
+
+    mft = image.main_volume._NtfsVolume__read_file('/$MFT')
+    pattern = re.compile(search_query.strip('/'))
+    found_records = [i for i in gen_names(mft, multiprocess) if re.match(pattern, i)]
+
+    return found_records
+
+
+def entry_point():
 
     parser = argparse.ArgumentParser()
     parser.add_argument(
@@ -37,14 +47,14 @@ def ntfsfind():
     parser.add_argument("--multiprocess", "-m", action='store_true', help="flag to run multiprocessing.")
     args = parser.parse_args()
 
-    image = ImageFile(args.imagefile_path, args.volume_num)
-
-    mft = image.main_volume._NtfsVolume__read_file('/$MFT')
-    pattern = re.compile(args.search_query.strip('/'))
-    found_records = [i for i in gen_names(mft, args.multiprocess) if re.match(pattern, i)]
-    for record in found_records:
-        print(record)
+    found_records = ntfsfind(
+        imagefile_path=args.imagefile_path,
+        search_query=args.search_query,
+        volume_num=args.volume_num,
+        multiprocess=args.multiprocess,
+    )
+    print('\n'.join(found_records))
 
 
 if __name__ == "__main__":
-    ntfsfind()
+    entry_point()