During every forensic investigation, no matter whether it's a fraud or malware investigation, there are common artefacts and processes that are always run and added to a typical report. Parsing these artefacts manually can take a significant amount of time that could be better spent interpreting the results or parsing and analysing more complex data. This script therefore automates some of the simpler, more mundane processes, to free up the analyst for more focussed processing and interpretation. It is very much a work in progress and in the early stages of development. However, we are continually developing it to make it useful for us and if you have any feedback or requests for functionality, please do drop us a line on our contact page. Although the script has been tested, this was not exhaustive, so please bear this in mind and feel free to report any issues via our contact page too.
sysprofiler is a Bash script that uses a combination of Sleuthkit (www.sleuthkit.org), RegRipper (github.com/keydet89/RegRipper2.8), Parse::Win32Registry (search.cpan.org/~jmacfarla/Parse-Win32Registry-1.0/lib/Parse/Win32Registry.pm) and manual processing to extract these artefacts and output them into either a Tab Separated (TSV) file, which can be opened as a spreadsheet, or a plaintext (TXT) file that can be opened in Word Processing software and edited directly into a report. All of the tools used by sysprofiler in the way the script uses them will run natively on Linux. This means that sysprofiler will run on a Linux system, or using WSL on Windows. It is not locked into one specific platform.
==============================
Usage: sysprofiler_v1.sh -i <image file to process> [-f <output format>] [-k]
Optional arguments:
-f <output format> - supported formats: tsv,txt (default is tsv). Only one format at a time is supported.
-h - display this help information
-k - keep files extracted from image file
(deleted by default when script completes)
-m <modules> - supported modules: osinfo,users,apps,filelist,usbs,networks
-m <modules> - (default is all modules).
To run multiple
modules, separate with commas, eg '-m osinfo,users,usbs'
Note: file listing
will only be run on the Windows volume
-n - Compare file hashes to NIST NSRL database.
Please note, this will take some time!
Can be used with
modules: apps,filelist
Note: If the NIST
NSRL database (NSRLFile.txt) does not already exist in /data,
it will be
downloaded (assuming an Internet connection can be found)
-p - dump out password hashes for users.
-s - include hashes (MD5 and SHA1). Please note,
this will take some time!
can be used with modules:
osinfo,apps,filelist
==============================
osinfo - extract OS information. Includes volume hashes if '-s' option is used. Fields:
Volume Name
Volume Serial
Number
Filesystem
Size(bytes)
Windows Version
Service Pack
Owner
Organisation
Install Date
Hostname
Timezone
Timezone Offset
users - list user accounts on the system. Will also dump user password hashes if '-p' option is used. Fields:
Username
SID
Full Name
Comment
Account Created
Last Login
Login Count
Password Set
Password Last Reset
Last Incorrect Password
Entry
Password Hint
Flags
Groups
apps - lists apps installed on the system for all users (from Installer and Uninstall Registry keys). Fields:
Registry Key
User SID
Application
Version
Company
Install Date
filelist - lists all files and folders on the system, including file hashes (MD5 and SHA1) if '-s' option is used and whether present in NIST is '-n' is used.
Fields:
Volume Serial Number
File inode number
Type (dir/file)
Full Path
usbs - lists all USB connections on the system, including timestamps in USBSTOR Registry key and extra timestamps extracted from setupapi log.
Fields:
USB ID
Name
Serial Number
Parent ID Prefix
Last Mounted As
First Connected
Last Connected
Last Removed
Other Connection Timestamps
(from setupapi log)
networks - lists network connections for system. Fields:
Network Name
Type
First Connected
Last Connected
Default Gateway MAC
Address