top of page
  • Kathryn Hedley

sysprofiler: profiling Windows disk images

During every forensic investigation, no matter whether it's a fraud or malware investigation, there are common artefacts and processes that are always run and added to a typical report. Parsing these artefacts manually can take a significant amount of time that could be better spent interpreting the results or parsing and analysing more complex data. This script therefore automates some of the simpler, more mundane processes, to free up the analyst for more focussed processing and interpretation. It is very much a work in progress and in the early stages of development. However, we are continually developing it to make it useful for us and if you have any feedback or requests for functionality, please do drop us a line on our contact page. Although the script has been tested, this was not exhaustive, so please bear this in mind and feel free to report any issues via our contact page too. sysprofiler is a Bash script that uses a combination of Sleuthkit (www.sleuthkit.org), RegRipper (github.com/keydet89/RegRipper2.8), Parse::Win32Registry (search.cpan.org/~jmacfarla/Parse-Win32Registry-1.0/lib/Parse/Win32Registry.pm) and manual processing to extract these artefacts and output them into either a Tab Separated (TSV) file, which can be opened as a spreadsheet, or a plaintext (TXT) file that can be opened in Word Processing software and edited directly into a report. All of the tools used by sysprofiler in the way the script uses them will run natively on Linux. This means that sysprofiler will run on a Linux system, or using WSL on Windows. It is not locked into one specific platform.

Usage

============================== Usage: sysprofiler_v1.sh -i <image file to process> [-f <output format>] [-k] Optional arguments: -f <output format> - supported formats: tsv,txt (default is tsv). Only one format at a time is supported. -h - display this help information -k - keep files extracted from image file (deleted by default when script completes) -m <modules> - supported modules: osinfo,users,apps,filelist,usbs,networks -m <modules> - (default is all modules). To run multiple modules, separate with commas, eg '-m osinfo,users,usbs' Note: file listing will only be run on the Windows volume -n - Compare file hashes to NIST NSRL database. Please note, this will take some time! Can be used with modules: apps,filelist Note: If the NIST NSRL database (NSRLFile.txt) does not already exist in /data, it will be downloaded (assuming an Internet connection can be found) -p - dump out password hashes for users. -s - include hashes (MD5 and SHA1). Please note, this will take some time! can be used with modules: osinfo,apps,filelist ==============================

Modules

osinfo - extract OS information. Includes volume hashes if '-s' option is used. Fields: Volume Name Volume Serial Number Filesystem Size(bytes) Windows Version Service Pack Owner Organisation Install Date Hostname Timezone Timezone Offset users - list user accounts on the system. Will also dump user password hashes if '-p' option is used. Fields: Username SID Full Name Comment Account Created Last Login Login Count Password Set Password Last Reset Last Incorrect Password Entry Password Hint Flags Groups apps - lists apps installed on the system for all users (from Installer and Uninstall Registry keys). Fields: Registry Key User SID Application Version Company Install Date filelist - lists all files and folders on the system, including file hashes (MD5 and SHA1) if '-s' option is used and whether present in NIST is '-n' is used. Fields: Volume Serial Number File inode number Type (dir/file) Full Path usbs - lists all USB connections on the system, including timestamps in USBSTOR Registry key and extra timestamps extracted from setupapi log. Fields: USB ID Name Serial Number Parent ID Prefix Last Mounted As First Connected Last Connected Last Removed Other Connection Timestamps (from setupapi log) networks - lists network connections for system. Fields: Network Name Type First Connected Last Connected Default Gateway MAC Address

Comments


bottom of page