sysprofiler: profiling Windows disk images


During every forensic investigation, no matter whether it's a fraud or malware investigation, there are common artefacts and processes that are always run and added to a typical report. Parsing these artefacts manually can take a significant amount of time that could be better spent interpreting the results or parsing and analysing more complex data. This script therefore automates some of the simpler, more mundane processes, to free up the analyst for more focussed processing and interpretation. It is very much a work in progress and in the early stages of development. However, we are continually developing it to make it useful for us and if you have any feedback or requests for functionality, please do drop us a line on our contact page. Although the script has been tested, this was not exhaustive, so please bear this in mind and feel free to report any issues via our contact page too.


sysprofiler is a Bash script that uses a combination of Sleuthkit (, RegRipper (, Parse::Win32Registry ( and manual processing to extract these artefacts and output them into either a Tab Separated (TSV) file, which can be opened as a spreadsheet, or a plaintext (TXT) file that can be opened in Word Processing software and edited directly into a report. All of the tools used by sysprofiler in the way the script uses them will run natively on Linux. This means that sysprofiler will run on a Linux system, or using WSL on Windows. It is not locked into one specific platform.




Usage: -i <image file to process> [-f <output format>] [-k]
Optional arguments:
   -f <output format>    - supported formats: tsv,txt (default is tsv). Only one format at a time is supported.
   -h                              - display this help information
   -k                              - keep files extracted from image file (deleted by default when script completes)
   -m <modules>          - supported modules: osinfo,users,apps,filelist,usbs,networks
   -m <modules>          - (default is all modules).
                                   To run multiple modules, separate with commas, eg '-m osinfo,users,usbs'
                                   Note: file listing will only be run on the Windows volume
   -n                             - Compare file hashes to NIST NSRL database. Please note, this will take some time!
                                   Can be used with modules: apps,filelist
                                   Note: If the NIST NSRL database (NSRLFile.txt) does not already exist in /data,
                                   it will be downloaded (assuming an Internet connection can be found)
   -p                             - dump out password hashes for users.
   -s                             - include hashes (MD5 and SHA1). Please note, this will take some time!
                                  can be used with modules: osinfo,apps,filelist






osinfo          - extract OS information. Includes volume hashes if '-s' option is used. Fields:

                             Volume Name
                             Volume Serial Number
                             Windows Version
                             Service Pack
                             Install Date
                             Timezone Offset


users          - list user accounts on the system. Will also dump user password hashes if '-p' option is used. Fields:

                             Full Name
                             Account Created
                             Last Login
                             Login Count
                             Password Set
                             Password Last Reset
                             Last Incorrect Password Entry
                             Password Hint


apps          - lists apps installed on the system for all users (from Installer and Uninstall Registry keys). Fields:

                             Registry Key
                             User SID
                             Install Date


filelist         - lists all files and folders on the system, including file hashes (MD5 and SHA1) if '-s' option is used and whether present in NIST is '-n' is used.


                             Volume Serial Number
                             File inode number
                             Type (dir/file)
                             Full Path


usbs           - lists all USB connections on the system, including timestamps in USBSTOR Registry key and extra timestamps extracted from setupapi log.


                             USB ID
                             Serial Number
                             Parent ID Prefix
                             Last Mounted As
                             First Connected
                             Last Connected
                             Last Removed
                             Other Connection Timestamps (from setupapi log)


networks    - lists network connections for system. Fields:

                             Network Name
                             First Connected
                             Last Connected
                             Default Gateway MAC Address




Download script

sysprofiler script v1.0
ZIP archive containing:
* sysprofiler script
* setup script, which will install all packages and tools required to run sysprofiler - requires online system
* offline setup script, which requires packages to be downloaded separately and copied to the offline system prior to running this script to install
Compressed archive in ZIP format [11.1 KB]
Print | Sitemap
© Khyrenz 2022