During every forensic investigation, no matter whether it's a fraud or malware investigation, there are common artefacts and processes that are always run and added to a typical report. Parsing these artefacts manually can take a significant amount of time that could be better spent interpreting the results or parsing and analysing more complex data. This script therefore automates some of the simpler, more mundane processes, to free up the analyst for more focussed processing and interpretation. It is very much a work in progress and in the early stages of development. However, we are continually developing it to make it useful for us and if you have any feedback or requests for functionality, please do drop us a line on our contact page. Although the script has been tested, this was not exhaustive, so please bear this in mind and feel free to report any issues via our contact page too.
sysprofiler is a Bash script that uses a combination of Sleuthkit (www.sleuthkit.org), RegRipper (github.com/keydet89/RegRipper2.8), Parse::Win32Registry (search.cpan.org/~jmacfarla/Parse-Win32Registry-1.0/lib/Parse/Win32Registry.pm) and manual processing to extract these artefacts and output them into either a Tab Separated (TSV) file, which can be opened as a spreadsheet, or a plaintext (TXT) file that can be opened in Word Processing software and edited directly into a report. All of the tools used by sysprofiler in the way the script uses them will run natively on Linux. This means that sysprofiler will run on a Linux system, or using WSL on Windows. It is not locked into one specific platform.
Usage: sysprofiler_v1.sh -i <image file to process> [-f <output format>] [-k]
-f <output format> - supported formats: tsv,txt (default is tsv). Only one format at a time is supported.
-h - display this help information
-k - keep files extracted from image file (deleted by default when script completes)
-m <modules> - supported modules: osinfo,users,apps,filelist,usbs,networks
-m <modules> - (default is all modules).
To run multiple modules, separate with commas, eg '-m osinfo,users,usbs'
Note: file listing will only be run on the Windows volume
-n - Compare file hashes to NIST NSRL database. Please note, this will take some time!
Can be used with modules: apps,filelist
Note: If the NIST NSRL database (NSRLFile.txt) does not already exist in /data,
it will be downloaded (assuming an Internet connection can be found)
-p - dump out password hashes for users.
-s - include hashes (MD5 and SHA1). Please note, this will take some time!
can be used with modules: osinfo,apps,filelist
osinfo - extract OS information. Includes volume hashes if '-s' option is used. Fields:
Volume Serial Number
users - list user accounts on the system. Will also dump user password hashes if '-p' option is used. Fields:
Password Last Reset
Last Incorrect Password Entry
apps - lists apps installed on the system for all users (from Installer and Uninstall Registry keys). Fields:
filelist - lists all files and folders on the system, including file hashes (MD5 and SHA1) if '-s' option is used and whether present in NIST is '-n' is used.
Volume Serial Number
File inode number
usbs - lists all USB connections on the system, including timestamps in USBSTOR Registry key and extra timestamps extracted from setupapi log.
Parent ID Prefix
Last Mounted As
Other Connection Timestamps (from setupapi log)
networks - lists network connections for system. Fields:
Default Gateway MAC Address